51 replies to this topic

[Lianabanana7]

Hi guys!

For the past few days, I’ve been hearing commercials at random intervals on my laptop, and have also been experiencing redirection when clicking on search engine results. Nothing appears in task manager, so I’m not missing a pop up window or something. I’m using the latest version of Firefox, which has become periodically slow. My operating system is Windows 7.

Scans with Norton and Malwarebytes have both come up empty handed—so I’m at a loss! I saw a similar topic, but the solution was taylor fit to that person’s unique situation, so I figured I’d ask for help myself.

I tried to run Rootkit Unhooker and got this error:
Exception code : 0xC0000005
Instruction address : 0x00402EAA
Attempt to read at address : 0xFFFFFFFF


Here is my dds scan:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Liana at 18:47:35 on 2012-09-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8099.6043 [GMT -4:00]
.
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\ShadowExplorer\sesvc.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
c:\program files (x86)\dell datasafe local backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
c:\program files (x86)\dell datasafe local backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\rundll32.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\windows\system32\conhost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\vssvc.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\notepad.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\REGSVR32.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Wondershare YouTube Downloader: {133232d2-dae3-4b6f-aac2-17cd87495682} - C:\Program Files\AllMyTube\SVRIEPlugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 167.206.245.129 167.206.245.130
TCP: Interfaces\{89D89B70-CA6A-485E-A5E9-291BED65C9C8} : DhcpNameServer = 167.206.245.129 167.206.245.130
TCP: Interfaces\{89D89B70-CA6A-485E-A5E9-291BED65C9C8}\84F4D454D254837383 : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Wondershare YouTube Downloader: {133232D2-DAE3-4B6F-AAC2-17CD87495682} - C:\Program Files\AllMyTube\SVRIEPlugin.dll
BHO-X64: WsSVRIEHelper - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll"
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun-x64: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Liana\AppData\Roaming\Mozilla\Firefox\Profiles\dlrx3ic8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.optimum.net/
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS --> C:\windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS --> C:\windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-9-6 1160824]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;C:\windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys --> C:\windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\Definitions\IPSDefs\20120202.002\IDSviA64.sys [2012-9-6 488568]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS --> C:\windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\drivers\NAVx64\1307010.005\SYMNETS.SYS --> C:\windows\system32\drivers\NAVx64\1307010.005\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-7-21 89600]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2010-11-3 897088]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-7-21 13336]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe [2012-9-6 138232]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 sesvc;ShadowExplorer Service;C:\Program Files (x86)\ShadowExplorer\sesvc.exe [2012-9-4 9216]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-7-21 1688384]
R2 TurboB;Turbo Boost UI Monitor driver;C:\windows\system32\DRIVERS\TurboB.sys --> C:\windows\system32\DRIVERS\TurboB.sys [?]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-21 2655768]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2010-11-3 1298496]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\windows\system32\DRIVERS\btmaux.sys --> C:\windows\system32\DRIVERS\btmaux.sys [?]
R3 btmhsf;btmhsf;C:\windows\system32\DRIVERS\btmhsf.sys --> C:\windows\system32\DRIVERS\btmhsf.sys [?]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\system32\DRIVERS\CtClsFlt.sys --> C:\windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-9-6 138912]
R3 iBtFltCoex;iBtFltCoex;C:\windows\system32\DRIVERS\iBtFltCoex.sys --> C:\windows\system32\DRIVERS\iBtFltCoex.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
R3 iwdbus;IWD Bus Enumerator;C:\windows\system32\DRIVERS\iwdbus.sys --> C:\windows\system32\DRIVERS\iwdbus.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETwNs64.sys --> C:\windows\system32\DRIVERS\NETwNs64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\system32\DRIVERS\nusb3hub.sys --> C:\windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\system32\DRIVERS\nusb3xhc.sys --> C:\windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 0077361346964773mcinstcleanup;McAfee Application Installer Cleanup (0077361346964773);C:\Users\Liana\AppData\Local\Temp\007736~1.EXE -cleanup -nolog --> C:\Users\Liana\AppData\Local\Temp\007736~1.EXE -cleanup -nolog [?]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-30 655944]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-5 250056]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\windows\system32\DRIVERS\ssudbus.sys --> C:\windows\system32\DRIVERS\ssudbus.sys [?]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\windows\system32\drivers\intelaud.sys --> C:\windows\system32\drivers\intelaud.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-9-5 114144]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-12-17 340240]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2010-11-29 149504]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-09-06 22:23:31 -------- d-----w- C:\$RECYCLE.BIN
2012-09-06 21:09:18 98816 ----a-w- C:\windows\sed.exe
2012-09-06 21:09:18 518144 ----a-w- C:\windows\SWREG.exe
2012-09-06 21:09:18 256000 ----a-w- C:\windows\PEV.exe
2012-09-06 21:09:18 208896 ----a-w- C:\windows\MBR.exe
2012-09-06 21:09:16 35712 ----a-w- C:\windows\SysWow64\drivers\BlackBox.sys
2012-09-06 21:08:16 -------- d-----w- C:\ComboFix
2012-09-06 21:00:04 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-09-06 20:58:03 175736 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2012-09-06 20:58:03 -------- d-----w- C:\Program Files\Symantec
2012-09-06 20:58:03 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-09-06 20:57:51 737912 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\srtsp64.sys
2012-09-06 20:57:51 451192 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\SymDS64.sys
2012-09-06 20:57:51 405624 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\symnets.sys
2012-09-06 20:57:51 37496 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\srtspx64.sys
2012-09-06 20:57:51 190072 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\Ironx64.sys
2012-09-06 20:57:51 1092728 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\SymEFA64.sys
2012-09-06 20:57:50 167048 ----a-r- C:\windows\System32\drivers\NAVx64\1307010.005\ccSetx64.sys
2012-09-06 20:57:47 -------- d-----w- C:\windows\System32\drivers\NAVx64\1307010.005
2012-09-06 20:57:47 -------- d-----w- C:\windows\System32\drivers\NAVx64
2012-09-06 20:57:47 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus
2012-09-06 20:57:32 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2012-09-06 18:43:04 -------- d-----w- C:\Program Files\CCleaner
2012-09-05 01:35:09 -------- d-----w- C:\Program Files (x86)\ShadowExplorer
2012-09-05 01:29:11 -------- d-----w- C:\Users\Liana\AppData\Roaming\www.shadowexplorer.com
2012-08-30 22:39:33 -------- d-----w- C:\Temp
2012-08-30 21:31:52 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-30 20:51:16 -------- d-----w- C:\Users\Liana\AppData\Local\{765E1A92-F2E4-11E1-8270-B8AC6F996F26}
2012-08-28 19:42:44 -------- d-----w- C:\Program Files (x86)\McAfee.com
2012-08-28 19:42:30 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee
2012-08-28 19:42:11 -------- d-----w- C:\Program Files\McAfee.com
2012-08-28 19:42:11 -------- d-----w- C:\Program Files\McAfee
2012-08-28 19:42:11 -------- d-----w- C:\Program Files\Common Files\McAfee
2012-08-28 19:42:09 -------- d-----w- C:\Program Files (x86)\McAfee
2012-08-28 18:50:28 16200 ----a-w- C:\windows\stinger.sys
2012-08-28 18:50:04 -------- d-----w- C:\Program Files (x86)\stinger
2012-08-23 17:03:55 -------- d-----w- C:\ProgramData\PC-Doctor for Windows
2012-08-15 11:53:04 503808 ----a-w- C:\windows\System32\srcore.dll
2012-08-15 11:53:04 43008 ----a-w- C:\windows\SysWow64\srclient.dll
2012-08-15 11:53:01 751104 ----a-w- C:\windows\System32\win32spl.dll
2012-08-15 11:53:00 67072 ----a-w- C:\windows\splwow64.exe
2012-08-15 11:53:00 559104 ----a-w- C:\windows\System32\spoolsv.exe
2012-08-15 11:53:00 492032 ----a-w- C:\windows\SysWow64\win32spl.dll
2012-08-15 11:52:58 59392 ----a-w- C:\windows\System32\browcli.dll
2012-08-15 11:52:58 41984 ----a-w- C:\windows\SysWow64\browcli.dll
2012-08-15 11:52:58 136704 ----a-w- C:\windows\System32\browser.dll
2012-08-15 11:52:56 3148800 ----a-w- C:\windows\System32\win32k.sys
2012-08-15 11:52:55 956928 ----a-w- C:\windows\System32\localspl.dll
2012-08-09 14:31:13 -------- d--h--w- C:\ProgramData\NortonInstaller
.
==================== Find3M ====================
.
2012-08-15 15:43:20 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-15 15:43:20 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-06 20:07:42 552960 ----a-w- C:\windows\System32\drivers\bthport.sys
2012-06-29 03:56:34 2312704 ----a-w- C:\windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
.
============= FINISH: 18:55:40.22 ===============





I’d appreciate any help! Thank you for your time!

--Liana

[CatByte]

Please run the following:


Please download TDSSKiller.zip

• Extract it to your desktop
  
• Double click TDSSKiller.exe
  
• when the window opens, click on Change Parameters
  
• under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  
• click OK
  
• Press Start Scan
  
  • If Malicious objects are found then ensure Cure is selected
    
  • If TDLFS File System/TDSS File system is found then ensure Cure is selected (if cure is not available, choose skip)
    
  • Then click Continue > Reboot now
• Copy and paste the log in your next reply
  
  • A copy of the log will be saved automatically to the root of the drive (typically C:\)

[Lianabanana7]

I've extracted TDSS Killer to my desktop, but it won't run. I tried renaming it, but it still won't open. Any thoughts?

[CatByte]

try it from the MBAM chameleon folder:


Move tdsskiller.exe to this folder:

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

Install the Chameleon driver by doing the following:

Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

"C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do so.

Now see if tdsskiller.exe will run from the Chameleon folder.

you will have to navigate to it's new location to run it. Let me know if you have trouble.


If it still will not run,

then please do the following:


download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Choose your language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
  
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
  
• When the tool opens click Yes to the disclaimer.
  
• Place a check next to List Drivers MD5 as well as the default check marks that are already there
  
• Press Scan button.
  
• FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
  services.exe
  
• now press the search button
  
• when the search is complete, search.txt will also be written to your USB
  
• type exit and reboot the computer normally
  
• please copy and paste both logs in your reply.(FRST.txt and Search.txt)

[Lianabanana7]

The program would still not run in the chameleon folder after following the directions, so I'm attempting to open repair computer from the F8 startup screen. Is it normal for it to take forever to load files before you're able to move to the next step of choosing a language, choose the operating system and so on? I'm sorry to be so much trouble--I didn't anticipate this! Thank you for all your help so far.

[CatByte]

it shouldn't take too long

what are you seeing? Are you getting any progression at all

[Lianabanana7]

Once I choose the option to 'Repair Computer', it says 'Windows is Loading Files...' and nothing changes. I've been giving it about ten minutes, but the screen hasn't changed. Maybe I'll try again...

[CatByte]

yes, try it again

if it still wont load, then run the following:

• Download RogueKiller and save it to your desktop.
  
• Quit all other programs
  
• Start RogueKiller.exe
  
• Wait until the Prescan has finished ...
  
• Click on Scan
  
  
• Wait for the end of the scan
  
• A report will be created on your desktop.
  
• Click on the Delete button
  
  
• Next click on the ShortcutsFix
  
  
• another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

[Lianabanana7]

I was able to run Farbar Tool without entering the startup 'repair computer' option. Here's the log:

Scan result of Farbar Recovery Scan Tool (x64) Version: 05-09-2012
Ran by Liana at 06-09-2012 20:38:08
Running from C:\Users\Liana\Desktop
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ======================

2012-09-06 19:33 - 2012-09-06 20:38 - 00000000 ____D C:\FRST
2012-09-06 19:32 - 2012-09-06 19:32 - 01453069 ____A (Farbar) C:\Users\Liana\Desktop\FRST64.exe
2012-09-06 19:09 - 2012-09-06 19:11 - 00000000 ____D C:\Users\Liana\Desktop\tdsskiller
2012-09-06 19:01 - 2012-09-06 19:01 - 00014079 ____A C:\Users\Liana\Desktop\Attach.txt
2012-09-06 19:00 - 2012-09-06 19:00 - 00026237 ____A C:\Users\Liana\Desktop\DDS.txt
2012-09-06 18:45 - 2012-09-06 18:45 - 00027047 ____A C:\ComboFix.txt
2012-09-06 18:25 - 2012-09-06 20:30 - 00031011 ____A C:\Windows\WindowsUpdate.log
2012-09-06 18:21 - 2012-09-06 18:21 - 00002982 ____A C:\Windows\PFRO.log
2012-09-06 18:17 - 2012-09-06 18:17 - 00007602 ____A C:\Users\Liana\AppData\Local\Resmon.ResmonCfg
2012-09-06 17:09 - 2012-09-06 17:29 - 00035712 ____A C:\Windows\SysWOW64\Drivers\BlackBox.sys
2012-09-06 17:09 - 2012-09-06 17:09 - 00139264 ____A () C:\Users\Liana\Desktop\RKUnhookerLE.EXE
2012-09-06 17:09 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2012-09-06 17:09 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2012-09-06 17:09 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-09-06 17:09 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-09-06 17:09 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-09-06 17:09 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2012-09-06 17:09 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2012-09-06 17:09 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2012-09-06 17:08 - 2012-09-06 18:46 - 00000000 ____D C:\ComboFix
2012-09-06 17:07 - 2012-09-06 17:07 - 00607260 ____R (Swearware) C:\Users\Liana\Desktop\dds.scr
2012-09-06 17:05 - 2012-09-06 17:05 - 00187464 ____A (Webroot) C:\Users\Liana\Downloads\antizeroaccess.exe
2012-09-06 16:59 - 2012-09-06 16:59 - 00000000 ____D C:\Users\Liana\Documents\Symantec
2012-09-06 16:58 - 2012-09-06 16:58 - 00175736 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-09-06 16:58 - 2012-09-06 16:58 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-09-06 16:58 - 2012-09-06 16:58 - 00002466 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk
2012-09-06 16:58 - 2012-09-06 16:58 - 00000000 ____D C:\Program Files\Symantec
2012-09-06 16:58 - 2012-09-06 16:58 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-09-06 16:57 - 2012-09-06 16:57 - 00000000 ____D C:\Windows\System32\Drivers\NAVx64
2012-09-06 16:57 - 2012-09-06 16:57 - 00000000 ____D C:\Program Files (x86)\Norton AntiVirus
2012-09-06 16:40 - 2012-09-06 18:46 - 00000000 ____D C:\Qoobox
2012-09-06 16:39 - 2012-09-06 18:29 - 00000000 ____D C:\Windows\erdnt
2012-09-06 16:38 - 2012-09-06 16:38 - 04745369 ____R (Swearware) C:\Users\Liana\Downloads\ComboFix.exe
2012-09-06 16:30 - 2012-09-06 16:31 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Liana\Downloads\tdsskiller.exe
2012-09-06 15:09 - 2012-09-06 20:35 - 00000336 ____A C:\Windows\setupact.log
2012-09-06 15:09 - 2012-09-06 15:09 - 00000000 ____A C:\Windows\setuperr.log
2012-09-06 14:43 - 2012-09-06 14:43 - 00000000 ____D C:\Program Files\CCleaner
2012-09-06 14:41 - 2012-09-06 14:41 - 03927560 ____A (Piriform Ltd) C:\Users\Liana\Downloads\ccsetup322.exe
2012-09-06 13:42 - 2012-09-06 13:42 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-09-06 09:10 - 2012-09-06 09:10 - 00003288 ____N C:\bootsqm.dat
2012-09-05 08:30 - 2012-09-05 08:30 - 00001136 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-09-05 08:30 - 2012-09-05 08:30 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-09-05 08:29 - 2012-09-05 08:29 - 17789456 ____A (Mozilla) C:\Users\Liana\Downloads\Firefox Setup 15.0.exe
2012-09-04 21:35 - 2012-09-04 21:42 - 00000000 ____D C:\Program Files (x86)\ShadowExplorer
2012-09-04 21:29 - 2012-09-04 21:29 - 00000000 ____D C:\Users\Liana\AppData\Roaming\www.shadowexplorer.com
2012-09-04 21:28 - 2012-09-04 21:28 - 00937024 ____A (ShadowExplorer.com ) C:\Users\Liana\Downloads\ShadowExplorer-0.8-setup.exe
2012-09-04 20:49 - 2012-09-04 20:49 - 00000184 ___AH C:\Users\All Users\-IRUPS7cECpP8k3r
2012-09-04 20:49 - 2012-09-04 20:49 - 00000160 ___AH C:\Users\All Users\-IRUPS7cECpP8k3
2012-08-30 17:31 - 2012-08-30 17:31 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Liana\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-30 17:31 - 2012-08-30 17:31 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-30 17:31 - 2012-08-30 17:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-30 16:51 - 2012-09-06 17:47 - 00000000 ___AH C:\Users\Liana\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞÿ
2012-08-30 16:51 - 2012-09-04 21:05 - 00000000 ____D C:\Users\Liana\AppData\Local\{765E1A92-F2E4-11E1-8270-B8AC6F996F26}
2012-08-28 15:42 - 2012-09-06 18:21 - 00000000 ____D C:\Program Files\Common Files\McAfee
2012-08-28 15:42 - 2012-09-05 18:45 - 00000000 ____D C:\Program Files (x86)\McAfee
2012-08-28 15:42 - 2012-08-28 15:42 - 00000000 ____D C:\Program Files\McAfee.com
2012-08-28 15:42 - 2012-08-28 15:42 - 00000000 ____D C:\Program Files\McAfee
2012-08-28 15:42 - 2012-08-28 15:42 - 00000000 ____D C:\Program Files (x86)\McAfee.com
2012-08-28 15:28 - 2012-09-04 21:04 - 00000000 ____D C:\Users\All Users\McAfee
2012-08-28 15:28 - 2012-08-28 15:28 - 04840424 ____A (McAfee, Inc.) C:\Users\Liana\Downloads\McAfeeSetup.exe
2012-08-28 15:11 - 2012-08-28 15:11 - 00000041 ___RH C:\Users\Liana\Downloads\stinger.opt
2012-08-28 15:10 - 2012-08-28 15:10 - 03178400 ____A (McAfee, Inc.) C:\Users\Liana\Desktop\MCPR.exe
2012-08-28 15:02 - 2012-08-28 15:02 - 00475752 ____A (McAfee, Inc.) C:\Users\Liana\Downloads\rootkitremover.exe
2012-08-28 14:50 - 2012-08-28 15:11 - 00000000 ____D C:\Program Files (x86)\stinger
2012-08-28 14:50 - 2012-08-28 14:50 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-08-28 14:49 - 2012-08-28 14:49 - 09925224 ____A (McAfee Inc.) C:\Users\Liana\Downloads\stinger.exe
2012-08-24 18:33 - 2012-08-24 18:33 - 00176940 ____A C:\Users\Liana\Downloads\BFE.reg
2012-08-24 18:33 - 2012-08-24 18:33 - 00006396 ____A C:\Users\Liana\Downloads\MpsSvc.reg
2012-08-24 17:25 - 2012-08-24 17:25 - 01010176 ____A C:\Users\Liana\Downloads\MicrosoftFixit50884.msi
2012-08-16 03:07 - 2012-07-06 16:07 - 00552960 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-08-16 03:07 - 2012-06-29 00:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-16 03:07 - 2012-06-29 00:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-16 03:07 - 2012-06-28 23:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-16 03:07 - 2012-06-28 23:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-16 03:07 - 2012-06-28 23:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-16 03:07 - 2012-06-28 23:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-16 03:07 - 2012-06-28 23:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-16 03:07 - 2012-06-28 23:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-16 03:07 - 2012-06-28 23:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-16 03:07 - 2012-06-28 23:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-16 03:07 - 2012-06-28 23:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-16 03:07 - 2012-06-28 23:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-16 03:07 - 2012-06-28 23:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-16 03:07 - 2012-06-28 23:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-16 03:07 - 2012-06-28 20:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-16 03:07 - 2012-06-28 20:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-16 03:07 - 2012-06-28 20:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-16 03:07 - 2012-06-28 20:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-16 03:07 - 2012-06-28 20:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-16 03:07 - 2012-06-28 20:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-16 03:07 - 2012-06-28 20:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-16 03:07 - 2012-06-28 20:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-16 03:07 - 2012-06-28 20:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-16 03:07 - 2012-06-28 20:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-16 03:07 - 2012-06-28 20:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-16 03:07 - 2012-06-28 20:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-16 03:07 - 2012-06-28 20:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-16 03:07 - 2012-06-28 19:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 07:53 - 2012-05-05 04:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-15 07:53 - 2012-05-05 03:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-15 07:53 - 2012-02-11 02:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-15 07:53 - 2012-02-11 02:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-15 07:53 - 2012-02-11 02:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-15 07:53 - 2012-02-11 01:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-08-15 07:52 - 2012-07-18 14:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 07:52 - 2012-07-04 18:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 07:52 - 2012-07-04 18:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 07:52 - 2012-07-04 18:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 07:52 - 2012-07-04 17:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 07:52 - 2012-07-04 17:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-15 07:52 - 2012-05-14 01:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-14 14:30 - 2012-08-24 20:45 - 00000000 ____D C:\Users\Liana\Desktop\Marketing
2012-08-09 08:13 - 2012-08-09 08:18 - 00829280 ____A (Symantec Corporation) C:\Users\Liana\Downloads\NAVDownloader(1).exe


==================== 3 Months Modified Files ================================

2012-09-06 20:36 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-06 20:35 - 2012-09-06 15:09 - 00000336 ____A C:\Windows\setupact.log
2012-09-06 20:30 - 2012-09-06 18:25 - 00031011 ____A C:\Windows\WindowsUpdate.log
2012-09-06 20:17 - 2009-07-14 00:45 - 00020928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-06 20:17 - 2009-07-14 00:45 - 00020928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-06 20:16 - 2009-07-14 01:13 - 00780046 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-06 19:43 - 2012-08-05 21:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-06 19:32 - 2012-09-06 19:32 - 01453069 ____A (Farbar) C:\Users\Liana\Desktop\FRST64.exe
2012-09-06 19:01 - 2012-09-06 19:01 - 00014079 ____A C:\Users\Liana\Desktop\Attach.txt
2012-09-06 19:00 - 2012-09-06 19:00 - 00026237 ____A C:\Users\Liana\Desktop\DDS.txt
2012-09-06 18:45 - 2012-09-06 18:45 - 00027047 ____A C:\ComboFix.txt
2012-09-06 18:24 - 2009-07-13 22:34 - 00000215 ____A C:\Windows\system.ini
2012-09-06 18:21 - 2012-09-06 18:21 - 00002982 ____A C:\Windows\PFRO.log
2012-09-06 18:17 - 2012-09-06 18:17 - 00007602 ____A C:\Users\Liana\AppData\Local\Resmon.ResmonCfg
2012-09-06 17:47 - 2012-08-30 16:51 - 00000000 ___AH C:\Users\Liana\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞÿ
2012-09-06 17:29 - 2012-09-06 17:09 - 00035712 ____A C:\Windows\SysWOW64\Drivers\BlackBox.sys
2012-09-06 17:09 - 2012-09-06 17:09 - 00139264 ____A () C:\Users\Liana\Desktop\RKUnhookerLE.EXE
2012-09-06 17:07 - 2012-09-06 17:07 - 00607260 ____R (Swearware) C:\Users\Liana\Desktop\dds.scr
2012-09-06 17:05 - 2012-09-06 17:05 - 00187464 ____A (Webroot) C:\Users\Liana\Downloads\antizeroaccess.exe
2012-09-06 16:58 - 2012-09-06 16:58 - 00175736 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-09-06 16:58 - 2012-09-06 16:58 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-09-06 16:58 - 2012-09-06 16:58 - 00002466 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk
2012-09-06 16:38 - 2012-09-06 16:38 - 04745369 ____R (Swearware) C:\Users\Liana\Downloads\ComboFix.exe
2012-09-06 16:31 - 2012-09-06 16:30 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Liana\Downloads\tdsskiller.exe
2012-09-06 15:09 - 2012-09-06 15:09 - 00000000 ____A C:\Windows\setuperr.log
2012-09-06 14:41 - 2012-09-06 14:41 - 03927560 ____A (Piriform Ltd) C:\Users\Liana\Downloads\ccsetup322.exe
2012-09-06 13:42 - 2012-09-06 13:42 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-09-06 09:10 - 2012-09-06 09:10 - 00003288 ____N C:\bootsqm.dat
2012-09-05 08:30 - 2012-09-05 08:30 - 00001136 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-09-05 08:29 - 2012-09-05 08:29 - 17789456 ____A (Mozilla) C:\Users\Liana\Downloads\Firefox Setup 15.0.exe
2012-09-04 21:28 - 2012-09-04 21:28 - 00937024 ____A (ShadowExplorer.com ) C:\Users\Liana\Downloads\ShadowExplorer-0.8-setup.exe
2012-09-04 20:49 - 2012-09-04 20:49 - 00000184 ___AH C:\Users\All Users\-IRUPS7cECpP8k3r
2012-09-04 20:49 - 2012-09-04 20:49 - 00000160 ___AH C:\Users\All Users\-IRUPS7cECpP8k3
2012-08-30 17:31 - 2012-08-30 17:31 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Liana\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-30 17:31 - 2012-08-30 17:31 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-28 15:28 - 2012-08-28 15:28 - 04840424 ____A (McAfee, Inc.) C:\Users\Liana\Downloads\McAfeeSetup.exe
2012-08-28 15:11 - 2012-08-28 15:11 - 00000041 ___RH C:\Users\Liana\Downloads\stinger.opt
2012-08-28 15:10 - 2012-08-28 15:10 - 03178400 ____A (McAfee, Inc.) C:\Users\Liana\Desktop\MCPR.exe
2012-08-28 15:02 - 2012-08-28 15:02 - 00475752 ____A (McAfee, Inc.) C:\Users\Liana\Downloads\rootkitremover.exe
2012-08-28 14:50 - 2012-08-28 14:50 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-08-28 14:49 - 2012-08-28 14:49 - 09925224 ____A (McAfee Inc.) C:\Users\Liana\Downloads\stinger.exe
2012-08-24 18:33 - 2012-08-24 18:33 - 00176940 ____A C:\Users\Liana\Downloads\BFE.reg
2012-08-24 18:33 - 2012-08-24 18:33 - 00006396 ____A C:\Users\Liana\Downloads\MpsSvc.reg
2012-08-24 17:25 - 2012-08-24 17:25 - 01010176 ____A C:\Users\Liana\Downloads\MicrosoftFixit50884.msi
2012-08-16 03:25 - 2009-07-14 00:45 - 00319000 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 03:03 - 2012-06-12 17:21 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-15 11:43 - 2012-08-05 21:20 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-15 11:43 - 2011-07-21 02:11 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-09 08:18 - 2012-08-09 08:13 - 00829280 ____A (Symantec Corporation) C:\Users\Liana\Downloads\NAVDownloader(1).exe
2012-08-05 22:29 - 2012-08-05 22:29 - 00829280 ____A (Symantec Corporation) C:\Users\Liana\Downloads\NAVDownloader.exe
2012-07-18 14:15 - 2012-08-15 07:52 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-16 10:15 - 2012-07-16 10:15 - 00000790 ____A C:\Users\Public\Desktop\Wondershare AllMyTube.lnk
2012-07-16 10:13 - 2012-07-16 10:13 - 19419512 ____A (Wondershare Software Co.,Ltd. ) C:\Users\Liana\Downloads\youtube-downloader_full235.exe
2012-07-12 14:15 - 2012-07-12 14:15 - 00000154 ____A C:\Users\Liana\Documents\bronxzoo.txt
2012-07-09 18:38 - 2012-07-09 18:38 - 05850752 ___AH C:\Users\Liana\Downloads\CAMERA! 004.avi
2012-07-06 16:07 - 2012-08-16 03:07 - 00552960 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-07-04 18:16 - 2012-08-15 07:52 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 18:13 - 2012-08-15 07:52 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 18:13 - 2012-08-15 07:52 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 17:16 - 2012-08-15 07:52 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 17:14 - 2012-08-15 07:52 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-06-29 00:55 - 2012-08-16 03:07 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-29 00:09 - 2012-08-16 03:07 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 23:56 - 2012-08-16 03:07 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 23:49 - 2012-08-16 03:07 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 23:49 - 2012-08-16 03:07 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 23:48 - 2012-08-16 03:07 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 23:47 - 2012-08-16 03:07 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 23:45 - 2012-08-16 03:07 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 23:44 - 2012-08-16 03:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 23:43 - 2012-08-16 03:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 23:42 - 2012-08-16 03:07 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 23:40 - 2012-08-16 03:07 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 23:39 - 2012-08-16 03:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 23:35 - 2012-08-16 03:07 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 20:52 - 2012-08-16 03:07 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 20:27 - 2012-08-16 03:07 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 20:16 - 2012-08-16 03:07 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-28 20:09 - 2012-08-16 03:07 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 20:09 - 2012-08-16 03:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 20:08 - 2012-08-16 03:07 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 20:07 - 2012-08-16 03:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 20:06 - 2012-08-16 03:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 20:04 - 2012-08-16 03:07 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-28 20:04 - 2012-08-16 03:07 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 20:01 - 2012-08-16 03:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 20:01 - 2012-08-16 03:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 20:00 - 2012-08-16 03:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-28 19:57 - 2012-08-16 03:07 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-21 13:50 - 2012-06-21 13:50 - 00443089 ___AH C:\Users\Liana\Downloads\attachments(6).zip
2012-06-21 13:49 - 2012-06-21 13:49 - 00443089 ___AH C:\Users\Liana\Downloads\attachments(5).zip
2012-06-21 13:49 - 2012-06-21 13:49 - 00443089 ___AH C:\Users\Liana\Downloads\attachments(4).zip
2012-06-21 13:47 - 2012-06-21 13:47 - 00402572 ___AH C:\Users\Liana\Downloads\attachments(3).zip
2012-06-14 07:39 - 2012-06-14 07:39 - 00000219 ___AH C:\Users\Liana\Downloads\Bird_Watcher's_General_Store_(2).url
2012-06-12 17:21 - 2012-06-12 17:21 - 00000527 ____A C:\Users\Liana\Documents\wedding.txt
2012-06-09 01:43 - 2012-07-11 08:21 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-09 00:41 - 2012-07-11 08:21 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll


ZeroAccess:
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\00000004.@
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\201d3dde

ZeroAccess:
C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L
C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2012-08-16 03:02:31
Restore point made on: 2012-08-23 13:32:37
Restore point made on: 2012-08-24 17:26:16
Restore point made on: 2012-09-04 10:51:58
Restore point made on: 2012-09-04 21:09:37

==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 8099.18 MB
Available physical RAM: 6210.37 MB
Total Pagefile: 16196.54 MB
Available Pagefile: 14057.47 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions ============================

1 Drive c: (OS) (Fixed) (Total:683.88 GB) (Free:626.03 GB) NTFS
3 Drive e: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Disk 1 Online 244 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 683 GB 14 GB
Partition 4 Primary 10 MB 698 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Recovery NTFS Partition 14 GB Healthy System (partition with boot components)

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 683 GB Healthy Boot

==================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 244 MB 49 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E FAT Removable 244 MB Healthy

==================================================================================

Last Boot: 2012-08-30 10:59

==================== End Of Log =============================



I'm going to try Rouge Killer now!

[Lianabanana7]

Here's the first Rouge Killer log:

mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Liana [Admin rights]
Mode : Scan -- Date : 09/06/2012 20:50:25

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> FOUND
[ZeroAccess][FILE] @ : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD7500BPVT-75HXZT1 +++++
--- User ---
[MBR] 53f0d6e6dfbe15f916b755cb47c4560e
[BSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] a72c6556107abb7a85fbc4c592fed7fa
[BSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1465118720 | Size: 10 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] a72c6556107abb7a85fbc4c592fed7fa
[BSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1465118720 | Size: 10 Mo

+++++ PhysicalDrive1: SanDisk Cruzer Micro USB Device +++++
--- User ---
[MBR] 8a2877c45c9e97842276805a0759d0ba
[BSP] 7208b105e661849d4a48c279d3177d8d : Standard MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 99 | Size: 244 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt






And here's the second:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Liana [Admin rights]
Mode : Remove -- Date : 09/06/2012 20:53:35

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> REMOVED
[ZeroAccess][FILE] @ : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Users\Liana\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD7500BPVT-75HXZT1 +++++
--- User ---
[MBR] 53f0d6e6dfbe15f916b755cb47c4560e
[BSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] a72c6556107abb7a85fbc4c592fed7fa
[BSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1465118720 | Size: 10 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] a72c6556107abb7a85fbc4c592fed7fa
[BSP] fe7d929022c0edef559987e58641404d : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 700288 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1465118720 | Size: 10 Mo

+++++ PhysicalDrive1: SanDisk Cruzer Micro USB Device +++++
--- User ---
[MBR] 8a2877c45c9e97842276805a0759d0ba
[BSP] 7208b105e661849d4a48c279d3177d8d : Standard MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 99 | Size: 244 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

[Lianabanana7]

After I clicked Fix Shortcuts, Rogue Killer gave me a third log:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Liana [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/06/2012 20:56:24

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 2 / Fail 0
Quick launch: Success 2 / Fail 0
Programs: Success 36 / Fail 0
Start menu: Success 2 / Fail 0
User folder: Success 1303 / Fail 0
My documents: Success 13 / Fail 13
My favorites: Success 13 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 1747 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 576 / Fail 12
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[Q:] \Device\SftVol -- 0x3 --> Restored

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

[CatByte]

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?



As well as being infected with a nasty rootkit called Zero Access, malware has created a hidden rogue partition on your computer
It does appear as though RogueKiller has removed the Zero Access rootkit successfully,

We need to remove the hidden partition (which is currently active)

Please do the following:

You will need a USB drive and a CD.
Download GETxPUD.exe to your desktop

• Run GETxPUD.exe
  
• A new folder will appear on the desktop.
  
• Open the GETxPUD folder and click on the get&burn.bat
  
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  
• Click on Start and follow the prompts to burn the image to a CD.
  
  NEXT
  
  
• Download tdl_fix.sh and save it to your USB flash drive.
  
• Boot into xPUD using the xPud CD, then click the File tab.
  
• Press File
  
• Expand mnt
  
• Click on the folder under mnt that represents your USB drive (it's probably sdb1 ?)
  
• You should see the tdl_fix.sh file in the main window.
  
• Select Tool from the Menu
  
• Choose Open Terminal
  
• Type bash tdl_fix.sh then press Enter.
  
• Read the warning then type y and press Enter to continue.
  
• Type sda then press Enter when prompted.
  
• You will be shown a list of partitions to choose marking active.
  
• Type 3 then press Enter.
  
• If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
  
• When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter
  
• The script will complete and prompt you to reboot the computer.
  
• Close the Terminal window and restart back into Windows.
  
• Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.

This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.

This is a backup of the original mbr and will restore it to it's current state.

[Lianabanana7]

I've burned XPUD to a CD, and have downloaded tdl_fix.sh to a flash drive. When trying to boot into XPUD using the CD, I get an error saying: 'The file is invalid for use as the following: Security Catalog.' Figuring I clicked the wrong option, I clicked into the boot folder, then clicked on XPUD, but it can't find a program to run it. Am I doing something wrong here?

[CatByte]

no, not necessarily, there is the odd occasion that a machine just will not boot to xPud

fortunately, we have several options available to us to remove this malware partition

Let's try List Parts

we need to get a scan first

Please do the following:

• Download ListParts64 to a USB flash drive.
  
• Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

• Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  
• Select Repair your computer.
  
• Select Language and click Next
  
• Enter password (if necessary) and click OK, you should now see the screen below ...

• Select the Command Prompt option.
  
• A command window will open.
  
  • Type notepad then hit Enter.
    
  • Notepad will open.
    
    • Click File > Open then select Computer.
      
    • Note down the drive letter for your USB Drive.
      
    • Close Notepad.
• Back in the command window ....
  
  • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    
  • ListParts will start to run.
    
    • Press the Scan button.
      
    • When finished scanning it will make a log Result.txt on the flash drive.
• Close the command window.
  
• Boot back into normal mode and post me the Result.txt log please.

[Lianabanana7]

Since my system seems to freeze while loading files when entering 'repair your computer' from the startup screen, I ran ListParts from Safe Mode with Command Prompt. I hope that's okay! Here's the result:

ListParts by Farbar Version: 10-08-2012
Ran by Liana (administrator) on 07-09-2012 at 20:19:37
Windows 7 (X64)
Running From: E:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 8099.18 MB
Available physical RAM: 6794.21 MB
Total Pagefile: 16196.54 MB
Available Pagefile: 14884.77 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:683.88 GB) (Free:620.36 GB) NTFS
2 Drive d: (xPUD) (CDROM) (Total:0.06 GB) (Free:0 GB) CDFS
3 Drive e: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Disk 1 Online 244 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 683 GB 14 GB
Partition 4 Primary 10 MB 698 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Recovery NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 683 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 244 MB 49 KB

======================================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E FAT Removable 244 MB Healthy

======================================================================================================

****** End Of Log ******

[CatByte]

we can try the fix in normal mode, but it may not be successful

First we need to make your boot partition active and then we will delete the malware partition (which is currently active)

Please try and enter the recovery environment, if you are unable to do so, try it in normal mode, if it is still unsuccessful, we do have another option.


Please run the following:

• Click Start and in the Search Programs and files box type Notepad.exe then hit Enter.
  
• An empty Notepad file will open.
  
• Copy and paste the contents of the quote box below into Notepad.

Quote

Disk=0 Partition=2 active
bcdedit
Disk=0 Partition=4 type=07

• Click Format and ensure Wordwrap is unchecked.
  
• Save as Fix.txt to the flash drive where ListParts is located.

Next

Boot your computer into Recovery Environment

• Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  
• Select Repair your computer.
  
• Select Language and click Next
  
• Enter password (if necessary) and click OK, you should now see the screen below ...

• Select the Command Prompt option.
  
• A command window will open.
  
  • Type notepad then hit Enter.
    
  • Notepad will open.
    
    • Click File > Open then select Computer.
      
    • Note down the drive letter for your USB Drive.
      
    • Close Notepad.
• Back in the command window ....
  
  • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    
  • ListParts will start to run.
    
    • Press the Fix button.
      
    • ListParts will process the script in Fix.txt
      
    • When finished please press the Scan button.
      
    • A log Result.txt will be saved to the flash drive.
• Close the command window.
  
• Boot back into normal mode and post me the Result.txt log please.

[Lianabanana7]

Ran again in safe mode--could not open computer in recovery environment:

ListParts by Farbar Version: 10-08-2012
Ran by Liana (administrator) on 07-09-2012 at 20:50:24
Windows 7 (X64)
Running From: E:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 7%
Total physical RAM: 8099.18 MB
Available physical RAM: 7504.68 MB
Total Pagefile: 16196.54 MB
Available Pagefile: 15596.9 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:683.88 GB) (Free:620.36 GB) NTFS
2 Drive d: (xPUD) (CDROM) (Total:0.06 GB) (Free:0 GB) CDFS
3 Drive e: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Disk 1 Online 244 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 683 GB 14 GB
Partition 4 Primary 10 MB 698 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Recovery NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 683 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 244 MB 49 KB

======================================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E FAT Removable 244 MB Healthy

======================================================================================================

****** End Of Log ******

[CatByte]

ok

it didn't work in normal mode, but it was worth a try

what exactly happens when you try to boot to the recovery environment?



We will try with gparted


please do the following:

Please download:
gparted-live.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn do this.

Now boot off of the newly created Gparted CD. (your computer needs to be set to boot from CD in the BIOS)

You should be here... Press ENTER



By default, "do not touch keymap" is highlighted.



Leave this setting alone and just press ENTER.



Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below



According to your logs, the partition that you want to delete is 10 MB (it should show partition #4, if you have any doubts at all, stop and report back with what you see)

Right click this partition and select delete .



The Partition has gone

Now select Apply

Now you should be here:



Select Apply after double checking that the right partition was deleted

Is "boot" next to your 14GB system drive?
If "boot" is not next to your 14GB System drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags


In the menu that pops up, place a checkmark in boot like the picture below, then close:




Under File select Quit


You will see this small Popup




Choose reboot and then press OK.

[Lianabanana7]

Hey there!

I've put the program on a CD, but I can't get it to boot from BIOS, even after changing the Bios settings to boot from CD first. When I choose the option to boot from CD, windows opens as normal. I don't think this is correct. Have I done something incorrectly?

[CatByte]

are you using a PS2 or USB keyboard?

see if you find/borrow a PS2 keyboard if you are not using one, as the machine may not recognize your keyboard strokes prior to windows loading?

that could be the reason you are not able to boot to the recovery environment also