zia16sun

Removal of Trojan.Agent, Trojan.Agent.BRVGen, Trojan.Dos/Alureon.A & Yontoo

Greetings experts!

I've got a system now that was brought to me to cure an incessant rebooting/blue screen issue. Based on the owner's description of known activities prior to the time that this issue started, I suspected trojans and confirmed that preliminary diagnosis via MBAM. I see that the malware is preventing installation of SP3 (Error FFFFFFE), and MSE has discovered Trojan:Dos/Alureon.A (not found by MBAM). So, with no further ado, here we go!

DDS Log

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Jean at 14:26:36 on 2012-09-24

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.1959 [GMT -6:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe

C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe

C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Windows\PLFSetI.exe

C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe

C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe

C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Launch Manager\LManager.exe

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe

C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe

C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27361209i6b6l0300z165a4861x268

mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27361209i6b6l0300z165a4861x268

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27361209i6b6l0300z165a4861x268

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Qwiklinx: {3e7c8b5a-96ab-438f-bf9b-782400655440} - C:\Users\Jean\AppData\Roaming\Qwiklinx\Qwiklinx.dll

BHO: SpecialSavings: {74f475fa-6c75-43bd-aab9-ecda6184f600} - C:\Program Files (x86)\SpecialSavings\SpecialSavingsSinged.dll

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED

mRun: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [VideoWebCamera] "C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe" -a

mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

mRun: [CLMLServer] "c:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"

mRun: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [eBook Library Launcher] C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe

mRun: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [Microsoft Works Update Detection] C:\Program Files (x86)\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

mRun: [EPSON_UD_START] "C:\Program Files (x86)\EPSON Projector\EPSON USB Display V1.4\EMP_UD.exe" -UDCONNECT

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [speetItUpFree] "C:\Program Files (x86)\SpeedItup Free\speeditupfree.exe"

StartupFolder: C:\Users\Jean\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DING!.lnk - C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

IE: {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - C:\Program Files (x86)\SpecialSavings\SpecialSavingsSinged.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll

DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab

DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 8.8.8.8 208.67.222.222

TCP: Interfaces\{E7511BEB-F2E6-46F2-8544-FDB0A48E973C} : DhcpNameServer = 8.8.8.8 208.67.222.222

TCP: Interfaces\{E7511BEB-F2E6-46F2-8544-FDB0A48E973C}\157756374775966496 : DhcpNameServer = 192.168.9.1 64.134.255.2 64.134.255.10

TCP: Interfaces\{E7511BEB-F2E6-46F2-8544-FDB0A48E973C}\353627160737 : DhcpNameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{E7511BEB-F2E6-46F2-8544-FDB0A48E973C}\361627D696E656 : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{E7511BEB-F2E6-46F2-8544-FDB0A48E973C}\46C696E6B6 : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{E7511BEB-F2E6-46F2-8544-FDB0A48E973C}\E4544574541425 : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO-X64: 0x1 - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Qwiklinx: {3E7C8B5A-96AB-438F-BF9B-782400655440} - C:\Users\Jean\AppData\Roaming\Qwiklinx\Qwiklinx.dll

BHO-X64: Qwiklinx - No File

BHO-X64: SpecialSavings: {74F475FA-6C75-43BD-AAB9-ECDA6184F600} - C:\Program Files (x86)\SpecialSavings\SpecialSavingsSinged.dll

BHO-X64: SpecialSavings - No File

BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll

BHO-X64: Yontoo Layers - No File

TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED

mRun-x64: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [VideoWebCamera] "C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe" -a

mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

mRun-x64: [CLMLServer] "c:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"

mRun-x64: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [eBook Library Launcher] C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe

mRun-x64: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun-x64: [Microsoft Works Update Detection] C:\Program Files (x86)\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

mRun-x64: [EPSON_UD_START] "C:\Program Files (x86)\EPSON Projector\EPSON USB Display V1.4\EMP_UD.exe" -UDCONNECT

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [speetItUpFree] "C:\Program Files (x86)\SpeedItup Free\speeditupfree.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Jean\AppData\Roaming\Mozilla\Firefox\Profiles\bqy638yc.default\

FF - plugin: C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Sony\Reader\Data\bin\npebldetectmoz.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Jean\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 EMP_UDSA;EMP_UDSA;C:\Program Files (x86)\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [2011-6-2 104424]

R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-11-3 844320]

R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-6-4 1150496]

R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-23 399432]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-23 676936]

R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-20 62720]

R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-8-15 240160]

R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]

R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-27 136176]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-7-21 250288]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-27 136176]

S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\system32\DRIVERS\ivusb.sys --> C:\Windows\system32\DRIVERS\ivusb.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-9-24 114144]

S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2009-11-3 225280]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-09-24 20:15:16 -------- d-----w- C:\Users\Jean\AppData\Local\Mozilla

2012-09-24 17:13:15 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{62B69180-6710-4CB7-B56E-B9CA8A91D06E}\offreg.dll

2012-09-24 17:10:40 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{62B69180-6710-4CB7-B56E-B9CA8A91D06E}\mpengine.dll

2012-09-24 01:31:51 20480 ----a-w- C:\Windows\svchost.exe

2012-09-24 00:43:53 -------- d-----w- C:\Program Files (x86)\VS Revo Group

2012-09-23 22:01:43 -------- d-----w- C:\Users\Jean\AppData\Roaming\Malwarebytes

2012-09-23 22:01:05 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-09-23 21:57:31 503808 ----a-w- C:\Windows\System32\srcore.dll

2012-09-23 21:57:31 43008 ----a-w- C:\Windows\SysWow64\srclient.dll

2012-09-23 21:57:17 751104 ----a-w- C:\Windows\System32\win32spl.dll

2012-09-23 21:57:17 67584 ----a-w- C:\Windows\splwow64.exe

2012-09-23 21:57:17 559104 ----a-w- C:\Windows\System32\spoolsv.exe

2012-09-23 21:57:17 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2012-09-23 21:57:07 574464 ----a-w- C:\Windows\System32\d3d10level9.dll

2012-09-23 21:57:07 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll

2012-09-23 21:56:53 58880 ----a-w- C:\Windows\System32\browcli.dll

2012-09-23 21:56:53 41472 ----a-w- C:\Windows\SysWow64\browcli.dll

2012-09-23 21:56:53 136704 ----a-w- C:\Windows\System32\browser.dll

2012-09-23 21:56:49 3146752 ----a-w- C:\Windows\System32\win32k.sys

2012-09-23 21:56:40 956416 ----a-w- C:\Windows\System32\localspl.dll

2012-09-23 18:28:13 -------- d-----w- C:\ProgramData\Malwarebytes

2012-09-23 18:28:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-23 18:27:29 -------- d-----w- C:\886402493004868d5e

2012-09-23 18:19:03 -------- d-----w- C:\Windows\pss

2012-09-22 21:12:55 -------- d-----w- C:\Windows\System32\drivers\N360x64

2012-09-22 21:12:54 -------- d-----w- C:\Program Files (x86)\Norton Security Suite

2012-09-22 19:16:06 754824 ----a-w- C:\Program Files\Internet Explorer\iexplore.exe

2012-09-21 20:33:57 4096000 ----a-w- C:\Program Files (x86)\GUTC783.tmp

2012-09-14 20:46:22 -------- d--h--w- C:\Users\Jean\AppData\Roaming\578EEF29

.

==================== Find3M ====================

.

2012-09-21 21:33:17 73136 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-21 21:33:17 696240 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-07-22 04:07:30 175736 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS

.

============= FINISH: 14:27:55.75 ===============

Attach Log (not attached per note in forum opening pinned topic).

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 12/25/2009 10:02:11 AM

System Uptime: 9/24/2012 8:37:03 AM (6 hours ago)

.

Motherboard: Gateway | | SJV50TR

Processor: AMD Athlon™ II Dual-Core M300 | Socket S1G3 | 2000/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 286 GiB total, 194.027 GiB free.

D: is CDROM (UDF)

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP336: 9/22/2012 1:13:38 PM - Windows Update

RP337: 9/23/2012 12:26:01 PM - Windows Update

RP338: 9/23/2012 6:44:55 PM - Revo Uninstaller's restore point - AVG Security Toolbar

RP339: 9/23/2012 6:48:26 PM - Revo Uninstaller's restore point - Google Toolbar for Internet Explorer

RP340: 9/23/2012 7:25:06 PM - Revo Uninstaller's restore point - Smart PC Cleaner v3.0

RP341: 9/23/2012 9:05:49 PM - Windows Update

RP342: 9/24/2012 11:35:11 AM - Revo Uninstaller's restore point - DefaultTab Chrome

RP343: 9/24/2012 11:57:08 AM - Revo Uninstaller's restore point - DefaultTab

RP344: 9/24/2012 12:01:46 PM - Revo Uninstaller's restore point - Google Chrome

RP345: 9/24/2012 12:09:58 PM - Revo Uninstaller's restore point - Qwiklinx

RP346: 9/24/2012 12:16:08 PM - Revo Uninstaller's restore point - Shop To Win

RP347: 9/24/2012 12:22:45 PM - Revo Uninstaller's restore point - Java™ 6 Update 31

RP348: 9/24/2012 12:23:17 PM - Removed Java™ 6 Update 31

RP349: 9/24/2012 12:28:11 PM - Revo Uninstaller's restore point - Yahoo! Toolbar

RP350: 9/24/2012 12:34:43 PM - Revo Uninstaller's restore point - Skype Toolbars

RP351: 9/24/2012 12:36:15 PM - Revo Uninstaller's restore point - McAfee Security Scan Plus

RP352: 9/24/2012 12:42:19 PM - Windows Update

RP353: 9/24/2012 1:09:48 PM - Windows Update

RP354: 9/24/2012 1:35:54 PM - Windows Update

.

==== Installed Programs ======================

.

.

Update for Microsoft Office 2007 (KB2508958)

Acrobat.com

Adobe AIR

Adobe Digital Editions

Adobe Flash Player 11 ActiveX

Adobe Photoshop Elements 8.0

Adobe Photoshop.com Inspiration Browser

Adobe Reader 9.3 MUI

Adobe Shockwave Player 11.6

Advertising Center

AMD USB Filter Driver

Any Video Converter 3.4.0

Apple Application Support

Apple Software Update

Audacity 1.3.12

Backup Manager Basic

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-static

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Compatibility Pack for the 2007 Office system

CricutSync

CyberLink Power2Go

CyberLink PowerDVD 8

D3DX10

DC Universe Online Live

DING!

DolbyFiles

eBay Worldwide

EPSON USB Display

Flixster Collections

Gateway Games

Gateway InfoCentre

Gateway MyBackup

Gateway Power Management

Gateway Recovery Management

Gateway Registration

Gateway ScreenSaver

Gateway Updater

Google Earth

Google Update Helper

HP Photo Creations

HPPhotoSmartDiscLabelContent1

HPPhotosmartEssential

Identity Card

ImagXpress

Junk Mail filter update

Launch Manager

LightScribe System Software

Malwarebytes Anti-Malware version 1.65.0.1400

Menu Templates - Starter Kit

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (English) 2007

Microsoft Picture It! Photo 2002

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

Move Media Player

Movie Templates - Starter Kit

Mozilla Firefox 15.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero 9 Essentials

Nero 9 Trial

Nero BurnRights

Nero BurnRights Help

Nero ControlCenter

Nero CoverDesigner

Nero CoverDesigner Help

Nero DiscSpeed

Nero DiscSpeed Help

Nero DriveSpeed

Nero DriveSpeed Help

Nero Express Help

Nero InfoTool

Nero InfoTool Help

Nero Installer

Nero Online Upgrade

Nero ShowTime

Nero StartSmart

Nero StartSmart Help

Nero Vision

Nero Vision Help

NeroExpress

neroxml

Norton Online Backup

Punch! Home Design - Platinum

QuickTime

Reader Library by Sony

Realtek USB 2.0 Card Reader

Revo Uninstaller 1.94

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Skype™ 5.1

SmartFTP Client Setup Files 4.0 (x64) (remove only)

SpecialSavings

TurboTax 2011

TurboTax 2011 WinPerFedFormset

TurboTax 2011 WinPerReleaseEngine

TurboTax 2011 WinPerTaxSupport

TurboTax 2011 wnmiper

TurboTax 2011 wrapper

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Video Web Camera

Welcome Center

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Yahoo! Install Manager

Yahoo! Software Update

.

==== Event Viewer Messages From Past Week ========

.

9/24/2012 8:38:47 AM, Error: Service Control Manager [7034] - The DefaultTabSearch service terminated unexpectedly. It has done this 1 time(s).

9/24/2012 1:36:49 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows 7 Service Pack 1 for x64-based Systems (KB976932).

9/23/2012 3:49:04 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intuit Update Service v4 service to connect.

9/23/2012 3:49:04 PM, Error: Service Control Manager [7000] - The Intuit Update Service v4 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/23/2012 3:45:27 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800030a0117, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092312-27877-01.

9/23/2012 3:43:23 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

9/23/2012 3:43:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

9/23/2012 12:20:34 PM, Error: amdsata [11] - The driver detected a controller error on \Device\RaidPort0.

9/23/2012 12:18:33 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

9/23/2012 12:15:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

9/23/2012 12:15:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

9/23/2012 12:15:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

9/23/2012 12:15:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

9/23/2012 12:15:06 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 ccSet_N360 discache eeCtrl IDSVia64 spldr SRTSP SRTSPX SymIRON SymNetS Wanarpv6

9/23/2012 12:14:56 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80003054117, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092312-23415-01.

9/22/2012 8:29:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 ccSet_N360 discache eeCtrl IDSVia64 spldr SRTSP SRTSPX SymIRON Wanarpv6

9/22/2012 8:29:09 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000047ab, 0x0000000000000002, 0x0000000000000001, 0xfffff80003064995). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092212-22167-01.

9/22/2012 8:25:50 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Norton Security Suite service to connect.

9/22/2012 8:25:50 PM, Error: Service Control Manager [7000] - The Norton Security Suite service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/22/2012 1:15:53 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Windows Malicious Software Removal Tool x64 - September 2012 (KB890830).

9/22/2012 1:09:09 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff8000309d995). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092212-30841-01.

9/21/2012 4:02:36 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000400000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff8000309b995). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092112-40451-01.

9/21/2012 4:00:25 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.

9/21/2012 4:00:25 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/21/2012 3:33:09 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.

9/21/2012 2:53:18 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 SRTSP

9/21/2012 2:52:46 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..

9/21/2012 2:51:53 PM, Error: SRTSP [5] -

9/21/2012 2:38:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

9/21/2012 2:37:06 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

9/21/2012 2:36:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

9/21/2012 2:36:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

9/21/2012 2:36:28 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000000, 0x0000000000000002, 0x0000000000000000, 0xfffff800030d8136). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092112-35381-01.

9/21/2012 2:36:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx64 ccSet_N360 DfsC discache eeCtrl IDSVia64 NetBIOS NetBT nsiproxy Psched rdbss spldr SRTSP SRTSPX SymIRON SymNetS tdx vwififlt Wanarpv6 WfpLwf

9/21/2012 2:36:21 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

9/21/2012 2:36:21 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

9/21/2012 2:36:21 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

9/21/2012 2:36:21 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

9/21/2012 2:36:21 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

9/21/2012 2:36:20 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

9/21/2012 2:36:20 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

9/21/2012 2:36:20 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

9/21/2012 2:36:20 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

9/21/2012 2:36:20 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

9/21/2012 2:14:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}

9/21/2012 2:14:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

9/21/2012 2:12:36 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80003056117, 0x0000000000000000, 0x000007fffffa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092112-34179-01.

9/21/2012 2:09:10 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80003063117, 0x0000000000000000, 0x000007fffffa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092112-86923-01.

9/21/2012 12:24:22 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

9/20/2012 7:10:13 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Software Protection service to connect.

9/20/2012 7:10:13 AM, Error: Service Control Manager [7000] - The Software Protection service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/20/2012 4:07:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service stisvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

9/20/2012 4:02:27 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000088, 0x0000000000000002, 0x0000000000000001, 0xfffff8000309f8fe). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092012-25116-01.

9/20/2012 4:00:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Font Cache Service service to connect.

9/20/2012 4:00:30 PM, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/20/2012 2:35:29 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff80003069995). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092012-33836-01.

9/20/2012 2:26:02 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff8000305f995). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092012-89279-01.

9/20/2012 2:17:04 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

9/20/2012 2:17:04 PM, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/20/2012 2:16:11 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000024 (0x00000000001904fb, 0xfffff88006a6e3a8, 0xfffff88006a6dc10, 0xfffff88001495825). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092012-73102-01.

.

==== End Of File ===========================


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Good morning, Mr. Charlie. I look forward to working with you again.

RK Log is as follows:

RogueKiller V8.0.5 [09/23/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Jean [Admin rights]

Mode : Scan -- Date : 09/25/2012 07:23:35

¤¤¤ Bad processes : 1 ¤¤¤

[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD32 00BEVT-22ZCT0 SATA Disk Device +++++

--- User ---

[MBR] 08068581104347a69fe0aaca55abc31e

[bSP] d338ea1457af39a95e38be6e79f5e04f : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24782848 | Size: 293143 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>


Run RogueKiller again and click Scan

When the scan completes > click on the Processes tab

Put a check next to all of these and uncheck the rest: (if found)

[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~~~~

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Done. Note: system blue screened again after curing malicious file.

TDSS log 1:

07:50:35.0797 4048 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24

07:50:37.0870 4048 ============================================================

07:50:37.0870 4048 Current date / time: 2012/09/25 07:50:37.0870

07:50:37.0870 4048 SystemInfo:

07:50:37.0870 4048

07:50:37.0870 4048 OS Version: 6.1.7600 ServicePack: 0.0

07:50:37.0870 4048 Product type: Workstation

07:50:37.0870 4048 ComputerName: SNURDLOCK

07:50:39.0055 4048 UserName: Jean

07:50:39.0055 4048 Windows directory: C:\Windows

07:50:39.0055 4048 System windows directory: C:\Windows

07:50:39.0056 4048 Running under WOW64

07:50:39.0056 4048 Processor architecture: Intel x64

07:50:39.0056 4048 Number of processors: 2

07:50:39.0056 4048 Page size: 0x1000

07:50:39.0056 4048 Boot type: Normal boot

07:50:39.0056 4048 ============================================================

07:50:40.0969 4048 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

07:50:40.0975 4048 ============================================================

07:50:40.0975 4048 \Device\Harddisk0\DR0:

07:50:40.0976 4048 MBR partitions:

07:50:40.0976 4048 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1770800, BlocksNum 0x32000

07:50:40.0976 4048 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x17A2800, BlocksNum 0x23C8BAB0

07:50:40.0976 4048 ============================================================

07:50:41.0015 4048 C: <-> \Device\Harddisk0\DR0\Partition2

07:50:41.0015 4048 ============================================================

07:50:41.0015 4048 Initialize success

07:50:41.0015 4048 ============================================================

07:50:50.0439 1900 Deinitialize success

TDSS Log 2:

07:56:11.0284 3840 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24

07:56:11.0705 3840 ============================================================

07:56:11.0705 3840 Current date / time: 2012/09/25 07:56:11.0705

07:56:11.0705 3840 SystemInfo:

07:56:11.0705 3840

07:56:11.0705 3840 OS Version: 6.1.7600 ServicePack: 0.0

07:56:11.0705 3840 Product type: Workstation

07:56:11.0705 3840 ComputerName: SNURDLOCK

07:56:11.0705 3840 UserName: Jean

07:56:11.0705 3840 Windows directory: C:\Windows

07:56:11.0705 3840 System windows directory: C:\Windows

07:56:11.0705 3840 Running under WOW64

07:56:11.0705 3840 Processor architecture: Intel x64

07:56:11.0705 3840 Number of processors: 2

07:56:11.0705 3840 Page size: 0x1000

07:56:11.0705 3840 Boot type: Normal boot

07:56:11.0705 3840 ============================================================

07:56:17.0411 3840 BG loaded

07:56:17.0832 3840 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

07:56:17.0832 3840 ============================================================

07:56:17.0832 3840 \Device\Harddisk0\DR0:

07:56:17.0848 3840 MBR partitions:

07:56:17.0848 3840 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1770800, BlocksNum 0x32000

07:56:17.0848 3840 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x17A2800, BlocksNum 0x23C8BAB0

07:56:17.0848 3840 ============================================================

07:56:17.0894 3840 C: <-> \Device\Harddisk0\DR0\Partition2

07:56:17.0894 3840 ============================================================

07:56:17.0894 3840 Initialize success

07:56:17.0894 3840 ============================================================

TDSS Log 3 was the long one - and is attached here. TDSSKiller.2.8.10.0_25.09.2012_07.57.43_log.txt


Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

08:07:59.0115 2208 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

08:07:59.0116 2208 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~~~~~~

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

~~~~~~~~~~~~~~~~~~~~~~~~

Reboot and scan the system again with RogueKiller and post the new log, MrC


You did reboot before you deleted these correct??

08:07:59.0115 2208 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

08:07:59.0116 2208 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~~~~~~~~

See if you can do this:

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC

PM Subject: Catastrophic system failure. PM: I followed your instructions and deleted the previously skipped \Device\Harddisk0\DR0 ( TDSS File System ). The system blue screened again, and after dumping and rebooting, came back with only a black screen/cursor...

Any theories or miracles up your sleeve?

Yes, sir. I rebooted before running TDSS again and deleting the previously skipped \Device\Harddisk0\DR0 ( TDSS File System ) files as instructed (I'm aware of the risks associated with modifying system/registry files, and meticulously print/follow instructions line by line to ensure nothing is overlooked or done outside the instructions). All signs point to the system being one blue screen away from sudden death.

No luck with getting into the System Recovery Options. After loading the BIOS, it instantly goes to the black screen/blinking cursor and pressing F8 just makes it beep loudly (tried multiple times, both waiting for the bios to load before starting the F8 tapping, and tapping it while the BIOS was loading - same result after BIOS loaded - just loud beeping). It appears the only thing I can do is get into the BIOS.

Not even a C:\ prompt to get into the flash drive via cd, etc.


Unfortunately, not. I've obtained her Windows Product Key (the OEM key used at Gateway to install the Windows clone on the laptop - the key on the bottom of the laptop was completely obliterated) and I am in the process of downloading a bootable Win7 that I can put on USB with an .iso download from her account so I can attempt to restore it on her system again when I do have that process completed.

In the mean time, I removed her hard-drive and slaved it to a working (fully protected) system (initially to ensure it was still intact - which, thankfully, it was), and re-ran the MBAM scan again to see if any of the previously discovered malware may no longer be an issue now that her previous install/Windows registry is gone. I got 3 hits, but found them in the TDSS quarantine, so we were getting somewhere before everything poofed.

Files Detected: 3

F:\TDSSKiller_Quarantine\25.09.2012_07.57.44\mbr0000\tdlfs0000\tsk0002.dta (Trojan.Agent.MRGGen) -> No action taken.

F:\TDSSKiller_Quarantine\25.09.2012_08.59.00\mbr0000\tdlfs0000\tsk0002.dta (Trojan.Agent.MRGGen) -> No action taken.

F:\TDSSKiller_Quarantine\25.09.2012_08.59.00\tdlfs0000\tsk0002.dta (Trojan.Agent.MRGGen) -> No action taken.

Interestingly, I originally found Trojan.Agent.BRVGen when starting this process, and now it's finding Trojan.Agent.MRGGen....

I subsequently ran a MSE scan on the drive (since MSE found additional things that MBAM did not), and that scan turned up nothing, so it appears at least some benefit was obtained by the OS imploding....


This was the infection: Infected MBR (Master Boot Record)

08:07:55.0049 2208 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine

08:07:55.0103 2208 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine

08:07:55.0189 2208 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine

08:07:56.0330 2208 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine

08:07:56.0392 2208 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine

08:07:56.0416 2208 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine

08:07:56.0424 2208 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine

08:07:56.0707 2208 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine

08:07:56.0741 2208 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine

08:07:56.0756 2208 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine

08:07:56.0764 2208 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine

08:07:56.0811 2208 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine

08:07:56.0893 2208 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot

08:07:56.0902 2208 \Device\Harddisk0\DR0 - ok

08:07:59.0115 2208 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure

08:07:59.0115 2208 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

08:07:59.0116 2208 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Most likely the MBR partitions were damaged and that's why it won't boot.

If you make a Gparted disk as shown in this post, we could probably fix it by setting the correct partition to boot from:

http://forums.malwar...ndpost&p=598901

Let me know, MrC
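As an added example (not from this thread, RogueKiller or TDSSKiller), a Python check of the two conditions MrC points to: it parses a 512-byte MBR, verifies that exactly one partition is flagged active with non-overlapping entries, and compares the boot-code hash against a baseline captured from a clean disk. The partition layout is the one RogueKiller reported above; the boot code, the baseline hash and the damaged sample are constructed, not taken from the infected drive.

```python
"""Offline MBR sanity check: partition table consistency plus boot-code hash comparison."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, size in sectors


def build_mbr(boot_code, entries):
    """Construct a 512-byte MBR from boot code and up to four (status, type, start_lba, sectors) tuples."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary partition entries")
    sector = bytearray(boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET])
    for status, ptype, start_lba, sectors in entries:
        # CHS fields are left zero; modern loaders read the LBA fields.
        sector += struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, start_lba, sectors)
    sector += b"\x00" * (16 * (4 - len(entries)))  # unused entries
    sector += b"\x55\xaa"  # boot signature
    return bytes(sector)


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "start_lba": start, "sectors": sectors})
    return parts


def boot_code_md5(mbr):
    """MD5 of the 446-byte boot-code region, for comparison against a clean baseline."""
    return hashlib.md5(mbr[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(mbr, baseline_md5):
    """Return a list of findings; an empty list means the sector looks bootable and unmodified."""
    findings = []
    if mbr[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']} has invalid status byte 0x{p['status']:02x}")
        if p["start_lba"] == 0 or p["sectors"] == 0:
            findings.append(f"entry {p['index']} has zero start or length")
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append(f"entry {a['index']} overlaps entry {b['index']}")
    actual = boot_code_md5(mbr)
    if actual != baseline_md5:
        findings.append(f"boot code md5 {actual} differs from baseline {baseline_md5}")
    return findings


# Constructed stand-in for real boot code; the baseline hash comes from it, not from the page.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100

MB = 2048  # sectors per MB at 512 bytes per sector
# Layout from the RogueKiller partition table above (offsets in sectors, sizes in MB);
# the last length is TDSSKiller's BlocksNum 0x23C8BAB0 for Partition2.
GOOD_LAYOUT = [
    (0x00, 0x27, 2048, 12000 * MB),        # hidden OEM recovery partition
    (0x80, 0x07, 24578048, 100 * MB),      # 100 MB System Reserved partition, active
    (0x00, 0x07, 24782848, 0x23C8BAB0),    # Windows C: volume
]
GOOD_MBR = build_mbr(SAMPLE_BOOT_CODE, GOOD_LAYOUT)
BASELINE_MD5 = boot_code_md5(GOOD_MBR)  # captured from the known-clean sample


def damaged_mbr():
    """Constructed sample where no entry is marked active and the boot code was replaced."""
    layout = [(0x00, t, s, n) for (_, t, s, n) in GOOD_LAYOUT]
    return build_mbr(b"\xeb\xfe" + b"\x00" * 20, layout)  # foreign boot code


if __name__ == "__main__":
    for label, sector in (("clean sample", GOOD_MBR), ("damaged sample", damaged_mbr())):
        print(label, check_mbr(sector, BASELINE_MD5) or "no findings")
```

On a real disk the sector would be read from the physical device while the drive is slaved to a clean system, as the poster did; the baseline hash must come from a known-clean image of the same boot code.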


Makes sense. I've got two options at this point, and I'll go whichever direction you deem best.

1 - I've got my hands on a Win 7 64bit backup disc and have gone through the steps above for System Recovery Options.

Farbar logs read as follows (Note: the error that indicates I used the wrong Windows 7 backup disc is correct - because Microsoft sent me the wrong .iso initially, but I have now rectified that and have the 64 bit disc burnt as well and ran the services.exe scan from that boot):

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2012

Ran by SYSTEM at 27-09-2012 12:06:24

Running from G:\

Windows 7 Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [162336 2009-07-21] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [162336 2009-07-21] ()

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 208.67.222.222

==================== Services (Whitelisted) ===================

2 AdobeActiveFileMonitor8.0; C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [169312 2009-09-06] (Adobe Systems Incorporated)

3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [250288 2012-09-21] (Adobe Systems Incorporated)

2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [55144 2011-10-24] (Apple Inc.)

4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)

2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [138576 2010-03-18] (Microsoft Corporation)

2 EMP_UDSA; C:\Program Files (x86)\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [104424 2010-06-09] (SEIKO EPSON CORPORATION)

2 ePowerSvc; C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [844320 2009-08-05] (Acer Incorporated)

3 FLEXnet Licensing Service; "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [867080 2010-02-26] (Acresso Software Inc.)

3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42840 2009-06-10] (Microsoft Corporation)

3 GameConsoleService; "C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe" [238328 2010-01-04] (WildTangent, Inc.)

2 Greg_Service; C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [1150496 2009-06-04] (Acer Incorporated)

2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [136176 2011-03-27] (Google Inc.)

3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [136176 2011-03-27] (Google Inc.)

2 HsfXAudioService; C:\Windows\SysWOW64\XAudio64.dll [436736 2009-04-29] (Conexant Systems, Inc.)

3 idsvc; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe" [856384 2009-06-10] (Microsoft Corporation)

2 IntuitUpdateServiceV4; "C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" [13672 2011-08-25] (Intuit Inc.)

2 LightScribeService; "C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe" [73728 2010-11-22] (Hewlett-Packard Company)

3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [114144 2012-09-05] (Mozilla Foundation)

2 Nero BackItUp Scheduler 4.0; C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe [935208 2010-05-18] (Nero AG)

4 NetTcpPortSharing; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)

2 NTI IScheduleSvc; C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [62720 2009-08-20] (NewTech Infosystems, Inc.)

3 odserv; "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [440696 2011-07-20] (Microsoft Corporation)

3 ose; "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [145184 2006-10-26] (Microsoft Corporation)

3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-13] (Microsoft Corporation)

2 SkypeUpdate; "C:\Program Files (x86)\Skype\Updater\Updater.exe" [160944 2012-07-13] (Skype Technologies)

3 Sony SCSI Helper Service; "C:\Program Files (x86)\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe" [73728 2009-11-09] (Sony Corporation)

2 Updater Service; C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [240160 2009-07-03] (Acer)

2 YahooAUService; "C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe" [602392 2008-11-09] (Yahoo! Inc.)

2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

0 99229891; C:\Windows\System32\drivers\30903339.sys [208216 2012-09-25] ()

3 athr; C:\Windows\System32\DRIVERS\athrx.sys [1484800 2009-07-08] (Atheros Communications, Inc.)

3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)

3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)

3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl664.sys [1311232 2009-06-10] (Broadcom Corporation)

3 CAXHWAZL; C:\Windows\System32\DRIVERS\CAXHWAZL.sys [292864 2009-02-12] (Conexant Systems, Inc.)

3 CnxtHdAudService; C:\Windows\System32\drivers\CHDRT64.sys [686080 2009-08-11] (Conexant Systems Inc.)

3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)

3 HSF_DPV; C:\Windows\System32\DRIVERS\CAX_DPV.sys [1485824 2009-02-12] (Conexant Systems, Inc.)

3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [6108416 2009-06-10] (Intel Corporation)

3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [29720 2010-07-28] (Initio Corporation)

3 k57nd60a; C:\Windows\System32\DRIVERS\k57nd60a.sys [317480 2009-06-20] (Broadcom Corporation)

3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-13] (Microsoft Corporation)

3 L1E; C:\Windows\System32\DRIVERS\L1E62x64.sys [54272 2009-06-19] (Atheros Communications, Inc.)

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation)

1 MpKsl5b59b0ba; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0C11CA1E-21A0-4931-9638-C91B62B19335}\MpKsl5b59b0ba.sys [35664 2012-09-25] (Microsoft Corporation)

3 netr28x; C:\Windows\System32\DRIVERS\netr28x.sys [620544 2009-06-10] (Ralink Technology, Corp.)

0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [55024 2008-06-16] (Sonic Solutions)

3 SrvHsfHDA; C:\Windows\System32\DRIVERS\VSTAZL6.SYS [292864 2009-06-10] (Conexant Systems, Inc.)

3 SrvHsfV92; C:\Windows\System32\DRIVERS\VSTDPV6.SYS [1485312 2009-06-10] (Conexant Systems, Inc.)

3 SrvHsfWinac; C:\Windows\System32\DRIVERS\VSTCNXT6.SYS [740864 2009-06-10] (Conexant Systems, Inc.)

3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [51712 2011-08-02] (Apple, Inc.)

3 winachsf; C:\Windows\System32\DRIVERS\CAX_CNXT.sys [740864 2009-02-12] (Conexant Systems, Inc.)

2 XAudio; C:\Windows\System32\DRIVERS\XAudio64.sys [10240 2009-04-29] (Conexant Systems, Inc.)

3 54911887; [x]

3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]

3 USBCCID; C:\Windows\System32\DRIVERS\usbccid.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2012-09-26 10:39 - 2012-09-26 10:48 - 00000000 ____D C:\Program Files (x86)\Magical Jelly Bean

2012-09-25 07:08 - 2012-09-25 07:08 - 00208216 ____A C:\Windows\System32\Drivers\30903339.sys

2012-09-25 06:59 - 2012-09-25 06:59 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\34674318.sys

2012-09-25 06:09 - 2012-09-25 06:09 - 00282896 ____A C:\Windows\Minidump\092512-43711-01.dmp

2012-09-25 06:07 - 2012-09-25 07:08 - 00000000 ____D C:\TDSSKiller_Quarantine

2012-09-25 06:02 - 2012-09-25 06:02 - 00001385 ____A C:\Users\Jean\Desktop\RKreport[6].txt

2012-09-25 06:01 - 2012-09-25 06:01 - 00001363 ____A C:\Users\Jean\Desktop\RKreport[5].txt

2012-09-25 05:57 - 2012-09-25 05:57 - 00001497 ____A C:\Users\Jean\Desktop\RKreport[4].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001523 ____A C:\Users\Jean\Desktop\RKreport[3].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001489 ____A C:\Users\Jean\Desktop\RKreport[2].txt

2012-09-25 05:47 - 2012-09-25 05:47 - 00001170 ____A C:\Users\Jean\Desktop\tdsskiller - Shortcut.lnk

2012-09-25 05:46 - 2012-09-25 05:46 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Jean\Downloads\tdsskiller.exe

2012-09-25 05:23 - 2012-09-25 05:23 - 00001471 ____A C:\Users\Jean\Desktop\RKreport[1].txt

2012-09-25 05:22 - 2012-09-25 05:57 - 00000000 ____D C:\Users\Jean\Desktop\RK_Quarantine

2012-09-25 05:21 - 2012-09-25 05:21 - 01391616 ____A C:\Users\Jean\Downloads\RogueKiller.exe

2012-09-24 19:07 - 2012-09-24 19:08 - 00000000 ___RD C:\Program Files (x86)\Skype

2012-09-24 18:04 - 2012-09-24 18:04 - 00002154 ____A C:\Windows\epplauncher.mif

2012-09-24 17:56 - 2012-09-24 17:57 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-09-24 17:56 - 2012-09-24 17:56 - 00744030 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-09-24 17:56 - 2012-09-24 17:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2012-09-24 17:55 - 2010-04-09 03:06 - 00374664 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys

2012-09-24 17:45 - 2012-09-24 17:46 - 12621696 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\mseinstall.exe

2012-09-24 17:10 - 2012-09-24 17:10 - 00274672 ____A C:\Windows\Minidump\092412-28501-01.dmp

2012-09-24 17:07 - 2012-09-24 17:07 - 00274672 ____A C:\Windows\Minidump\092412-30279-01.dmp

2012-09-24 17:04 - 2012-09-24 17:04 - 00274672 ____A C:\Windows\Minidump\092412-32510-01.dmp

2012-09-24 14:23 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-09-24 13:00 - 2012-09-24 13:00 - 00023308 ____A C:\Users\Jean\Desktop\Attach.txt

2012-09-24 12:57 - 2012-09-24 12:57 - 00021566 ____A C:\Users\Jean\Desktop\DDS.txt

2012-09-24 12:25 - 2012-09-24 12:25 - 00607260 ____R (Swearware) C:\Users\Jean\Downloads\dds.com

2012-09-24 12:15 - 2012-09-24 12:22 - 00000000 ____D C:\Users\Jean\AppData\Roaming\Mozilla

2012-09-24 12:15 - 2012-09-24 12:15 - 00000000 ____D C:\Users\Jean\AppData\Local\Mozilla

2012-09-24 11:54 - 2012-09-24 11:54 - 00001101 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Users\All Users\Mozilla

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-09-24 11:53 - 2012-09-24 11:53 - 17790056 ____A (Mozilla) C:\Users\Jean\Downloads\Firefox Setup 15.0.1.exe

2012-09-23 19:10 - 2012-09-23 19:10 - 00000129 ____A C:\Windows\System32\MRT.INI

2012-09-23 19:10 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-09-23 19:10 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-09-23 19:10 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-09-23 19:10 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-09-23 19:10 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-09-23 19:10 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-09-23 19:10 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-09-23 19:10 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-09-23 19:10 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-09-23 19:10 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-09-23 19:10 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-09-23 19:10 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-09-23 19:10 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-09-23 19:10 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-09-23 19:10 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-09-23 19:10 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-09-23 19:10 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-09-23 19:10 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-09-23 19:10 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-09-23 19:10 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-09-23 19:10 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-09-23 19:10 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-09-23 19:10 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-09-23 19:10 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-09-23 19:10 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-09-23 19:10 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-09-23 19:10 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-09-23 19:10 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-09-23 19:10 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-09-23 16:43 - 2012-09-23 16:43 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\Jean\Downloads\revosetup.exe

2012-09-23 16:43 - 2012-09-23 16:43 - 00001235 ____A C:\Users\Jean\Desktop\Revo Uninstaller.lnk

2012-09-23 16:43 - 2012-09-23 16:43 - 00000000 ____D C:\Program Files (x86)\VS Revo Group

2012-09-23 14:01 - 2012-09-23 14:01 - 00000000 ____D C:\Users\Jean\AppData\Roaming\Malwarebytes

2012-09-23 14:01 - 2012-09-07 15:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-09-23 13:59 - 2012-09-23 14:00 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Jean\Downloads\mbam-setup-1.65.0.1400.exe

2012-09-23 13:57 - 2012-08-02 09:55 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2012-09-23 13:57 - 2012-08-02 09:05 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2012-09-23 13:57 - 2012-05-05 00:30 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll

2012-09-23 13:57 - 2012-05-04 23:44 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll

2012-09-23 13:57 - 2012-02-10 22:36 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2012-09-23 13:57 - 2012-02-10 22:29 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

2012-09-23 13:57 - 2012-02-10 22:29 - 00067584 ____A (Microsoft Corporation) C:\Windows\splwow64.exe

2012-09-23 13:57 - 2012-02-10 21:44 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2012-09-23 13:56 - 2012-07-18 09:31 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-09-23 13:56 - 2012-07-04 14:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-09-23 13:56 - 2012-07-04 14:01 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-09-23 13:56 - 2012-07-04 14:01 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-09-23 13:56 - 2012-07-04 13:26 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-09-23 13:56 - 2012-07-04 13:23 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

2012-09-23 13:56 - 2012-05-13 21:20 - 00956416 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

2012-09-23 13:45 - 2012-09-23 13:45 - 00274672 ____A C:\Windows\Minidump\092312-27877-01.dmp

2012-09-23 10:28 - 2012-09-23 14:01 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-23 10:28 - 2012-09-23 10:28 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-09-23 10:27 - 2012-09-23 12:45 - 00000000 ____D C:\886402493004868d5e

2012-09-23 10:19 - 2012-09-24 17:33 - 00000000 ____D C:\Windows\pss

2012-09-22 13:12 - 2012-09-24 16:58 - 00000000 ____D C:\Program Files (x86)\Norton Security Suite

2012-09-22 11:08 - 2012-09-22 11:09 - 00274672 ____A C:\Windows\Minidump\092212-30841-01.dmp

2012-09-21 14:02 - 2012-09-21 14:02 - 00274672 ____A C:\Windows\Minidump\092112-40451-01.dmp

2012-09-21 12:33 - 2012-09-21 12:33 - 04096000 ____A C:\Program Files (x86)\GUTC783.tmp

2012-09-20 14:07 - 2012-09-20 14:07 - 00000000 ____D C:\Users\Jean\Documents\OneNote Notebooks

2012-09-14 12:46 - 2012-09-21 12:06 - 00000000 ___HD C:\Users\Jean\AppData\Roaming\578EEF29

==================== 3 Months Modified Files ==================

2012-09-25 07:08 - 2012-09-25 07:08 - 00208216 ____A C:\Windows\System32\Drivers\30903339.sys

2012-09-25 07:06 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-09-25 07:06 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-09-25 07:03 - 2009-11-03 07:13 - 01416668 ____A C:\Windows\WindowsUpdate.log

2012-09-25 07:00 - 2011-03-27 10:28 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-09-25 06:59 - 2012-09-25 06:59 - 00208216 ____A (Kaspersky Lab, GERT) C:\Windows\System32\Drivers\34674318.sys

2012-09-25 06:58 - 2011-03-27 10:28 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-09-25 06:58 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-09-25 06:57 - 2009-07-13 20:51 - 00660801 ____A C:\Windows\setupact.log

2012-09-25 06:30 - 2012-07-21 20:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-09-25 06:09 - 2012-09-25 06:09 - 00282896 ____A C:\Windows\Minidump\092512-43711-01.dmp

2012-09-25 06:09 - 2011-06-18 19:40 - 402492025 ____A C:\Windows\MEMORY.DMP

2012-09-25 06:02 - 2012-09-25 06:02 - 00001385 ____A C:\Users\Jean\Desktop\RKreport[6].txt

2012-09-25 06:01 - 2012-09-25 06:01 - 00001363 ____A C:\Users\Jean\Desktop\RKreport[5].txt

2012-09-25 05:57 - 2012-09-25 05:57 - 00001497 ____A C:\Users\Jean\Desktop\RKreport[4].txt

2012-09-25 05:56 - 2011-02-28 13:09 - 00418304 __ASH C:\Users\Jean\Desktop\Thumbs.db

2012-09-25 05:50 - 2012-09-25 05:50 - 00001523 ____A C:\Users\Jean\Desktop\RKreport[3].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001489 ____A C:\Users\Jean\Desktop\RKreport[2].txt

2012-09-25 05:47 - 2012-09-25 05:47 - 00001170 ____A C:\Users\Jean\Desktop\tdsskiller - Shortcut.lnk

2012-09-25 05:46 - 2012-09-25 05:46 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Jean\Downloads\tdsskiller.exe

2012-09-25 05:23 - 2012-09-25 05:23 - 00001471 ____A C:\Users\Jean\Desktop\RKreport[1].txt

2012-09-25 05:21 - 2012-09-25 05:21 - 01391616 ____A C:\Users\Jean\Downloads\RogueKiller.exe

2012-09-24 19:08 - 2011-03-27 10:27 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

2012-09-24 18:04 - 2012-09-24 18:04 - 00002154 ____A C:\Windows\epplauncher.mif

2012-09-24 17:56 - 2012-09-24 17:56 - 00744030 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-09-24 17:46 - 2012-09-24 17:45 - 12621696 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\mseinstall.exe

2012-09-24 17:10 - 2012-09-24 17:10 - 00274672 ____A C:\Windows\Minidump\092412-28501-01.dmp

2012-09-24 17:07 - 2012-09-24 17:07 - 00274672 ____A C:\Windows\Minidump\092412-30279-01.dmp

2012-09-24 17:04 - 2012-09-24 17:04 - 00274672 ____A C:\Windows\Minidump\092412-32510-01.dmp

2012-09-24 16:58 - 2009-08-14 22:59 - 02028614 ____A C:\Windows\PFRO.log

2012-09-24 14:29 - 2010-02-02 15:52 - 00001981 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk

2012-09-24 13:00 - 2012-09-24 13:00 - 00023308 ____A C:\Users\Jean\Desktop\Attach.txt

2012-09-24 12:57 - 2012-09-24 12:57 - 00021566 ____A C:\Users\Jean\Desktop\DDS.txt

2012-09-24 12:25 - 2012-09-24 12:25 - 00607260 ____R (Swearware) C:\Users\Jean\Downloads\dds.com

2012-09-24 11:54 - 2012-09-24 11:54 - 00001101 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-09-24 11:53 - 2012-09-24 11:53 - 17790056 ____A (Mozilla) C:\Users\Jean\Downloads\Firefox Setup 15.0.1.exe

2012-09-24 06:38 - 2009-07-13 20:45 - 00452640 ____A C:\Windows\System32\FNTCACHE.DAT

2012-09-23 19:10 - 2012-09-23 19:10 - 00000129 ____A C:\Windows\System32\MRT.INI

2012-09-23 16:43 - 2012-09-23 16:43 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\Jean\Downloads\revosetup.exe

2012-09-23 16:43 - 2012-09-23 16:43 - 00001235 ____A C:\Users\Jean\Desktop\Revo Uninstaller.lnk

2012-09-23 14:00 - 2012-09-23 13:59 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Jean\Downloads\mbam-setup-1.65.0.1400.exe

2012-09-23 13:45 - 2012-09-23 13:45 - 00274672 ____A C:\Windows\Minidump\092312-27877-01.dmp

2012-09-23 10:20 - 2009-07-13 20:51 - 00660017 ____A C:\Windows\setupact(67).log

2012-09-22 11:09 - 2012-09-22 11:08 - 00274672 ____A C:\Windows\Minidump\092212-30841-01.dmp

2012-09-21 14:02 - 2012-09-21 14:02 - 00274672 ____A C:\Windows\Minidump\092112-40451-01.dmp

2012-09-21 13:51 - 2011-11-30 13:21 - 00001371 ____A C:\Users\Jean\Desktop\Norton Installation Files.lnk

2012-09-21 13:33 - 2012-07-21 20:03 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-09-21 13:33 - 2012-07-21 20:03 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-09-21 12:33 - 2012-09-21 12:33 - 04096000 ____A C:\Program Files (x86)\GUTC783.tmp

2012-09-09 10:01 - 2012-08-21 07:23 - 00065536 __ASH C:\Users\Jean\Documents\Thumbs.db

2012-09-07 15:04 - 2012-09-23 14:01 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-30 22:43 - 2010-07-26 09:29 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-08-24 03:15 - 2012-09-23 19:10 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-08-24 02:39 - 2012-09-23 19:10 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-08-24 02:31 - 2012-09-23 19:10 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-08-24 02:22 - 2012-09-23 19:10 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-08-24 02:21 - 2012-09-23 19:10 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-08-24 02:20 - 2012-09-23 19:10 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-08-24 02:18 - 2012-09-23 19:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-08-24 02:17 - 2012-09-23 19:10 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-08-24 02:14 - 2012-09-23 19:10 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-08-24 02:14 - 2012-09-23 19:10 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-08-24 02:13 - 2012-09-23 19:10 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-08-24 02:12 - 2012-09-23 19:10 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-08-24 02:11 - 2012-09-23 19:10 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-08-24 02:10 - 2012-09-23 19:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-08-24 02:09 - 2012-09-23 19:10 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-08-24 02:04 - 2012-09-23 19:10 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-08-23 23:27 - 2012-09-23 19:10 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-08-23 23:03 - 2012-09-23 19:10 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-08-23 22:59 - 2012-09-23 19:10 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-08-23 22:51 - 2012-09-23 19:10 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-08-23 22:51 - 2012-09-23 19:10 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-08-23 22:51 - 2012-09-23 19:10 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-08-23 22:49 - 2012-09-23 19:10 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-08-23 22:48 - 2012-09-23 19:10 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-08-23 22:45 - 2012-09-23 19:10 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-08-23 22:44 - 2012-09-23 19:10 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-08-23 22:44 - 2012-09-23 19:10 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-08-23 22:43 - 2012-09-23 19:10 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-08-23 22:40 - 2012-09-23 19:10 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-08-15 20:16 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-12 17:40 - 2011-09-21 13:06 - 00001164 ____A C:\Windows\wininit.ini

2012-08-12 17:23 - 2012-08-12 17:23 - 00001064 ____A C:\Users\Jean\Desktop\Smart PC Cleaner.lnk

2012-08-02 09:55 - 2012-09-23 13:57 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2012-08-02 09:05 - 2012-09-23 13:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2012-07-24 07:03 - 2009-11-03 07:36 - 00067574 ____A C:\Windows\DirectX.log

2012-07-18 09:31 - 2012-09-23 13:56 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-16 12:20 - 2012-07-16 12:18 - 00000000 ____A C:\Users\Jean\Desktop\OK

2012-07-16 12:19 - 2012-07-16 12:18 - 04098584 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\X16-32694.exe.tmp

2012-07-15 16:05 - 2012-07-15 16:05 - 00001247 ____A C:\Users\Jean\Desktop\Any Video Converter.lnk

2012-07-12 20:20 - 2009-07-13 21:08 - 00032580 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-04 14:04 - 2012-09-23 13:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-07-04 14:01 - 2012-09-23 13:56 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-07-04 14:01 - 2012-09-23 13:56 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-07-04 13:26 - 2012-09-23 13:56 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-07-04 13:23 - 2012-09-23 13:56 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe

[2011-04-27 16:42] - [2011-02-25 22:23] - 2870272 ____A (Microsoft Corporation) 0862495E0C825893DB75EF44FAEA8E93

C:\Windows\System32\winlogon.exe

[2010-01-26 16:30] - [2009-10-27 22:24] - 0389632 ____A (Microsoft Corporation) DA3E2A6FA9660CC75B471530CE88453A

C:\Windows\System32\wininit.exe

[2009-07-13 15:52] - [2009-07-13 17:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\System32\svchost.exe

[2009-07-13 15:31] - [2009-07-13 17:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\User32.dll

[2009-07-13 15:38] - [2009-07-13 17:41] - 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6

C:\Windows\System32\userinit.exe

[2009-07-13 15:50] - [2009-07-13 17:39] - 0030208 ____A (Microsoft Corporation) 6F8F1376A13114CC10C0E69274F5A4DE

C:\Windows\System32\Drivers\volsnap.sys

[2009-07-13 15:20] - [2009-07-13 17:45] - 0294992 ____A (Microsoft Corporation) 58F82EED8CA24B461441F9C3E4F0BF5C

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-23 10:26:58

Restore point made on: 2012-09-23 16:45:08

Restore point made on: 2012-09-23 16:48:31

Restore point made on: 2012-09-23 17:25:11

Restore point made on: 2012-09-23 19:05:58

Restore point made on: 2012-09-24 09:35:21

Restore point made on: 2012-09-24 09:57:13

Restore point made on: 2012-09-24 10:01:51

Restore point made on: 2012-09-24 10:10:03

Restore point made on: 2012-09-24 10:16:13

Restore point made on: 2012-09-24 10:22:51

Restore point made on: 2012-09-24 10:23:55

Restore point made on: 2012-09-24 10:28:17

Restore point made on: 2012-09-24 10:34:48

Restore point made on: 2012-09-24 10:36:21

Restore point made on: 2012-09-24 10:42:25

Restore point made on: 2012-09-24 11:09:59

Restore point made on: 2012-09-24 11:36:05

Restore point made on: 2012-09-24 17:55:18

Restore point made on: 2012-09-24 19:06:11

==================== Memory info ===========================

Percentage of memory in use: 14%

Total physical RAM: 3838.36 MB

Available physical RAM: 3300.69 MB

Total Pagefile: 3836.64 MB

Available Pagefile: 3323.82 MB

Total Virtual: 2047.88 MB

Available Virtual: 1970.3 MB

==================== Partitions =============================

1 Drive c: (Gateway) (Fixed) (Total:286.27 GB) (Free:192.61 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:3.03 GB) NTFS

3 Drive f: (GRMCHPFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF

4 Drive g: (JUMP1) (Removable) (Total:7.31 GB) (Free:7.31 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 7500 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 11 GB 1024 KB

Partition 2 Primary 100 MB 11 GB

Partition 3 Primary 286 GB 11 GB

=========================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E PQSERVICE NTFS Partition 11 GB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C Gateway NTFS Partition 286 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 7500 MB 0 B

=========================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

Last Boot: 2012-09-20 22:14

==================== End Of Log ============================

Services.exe search log:

Farbar Recovery Scan Tool (x64) Version: 25-09-2012

Ran by SYSTEM at 2012-09-27 18:28:09

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

My other option is to delete the partition of the MBR as shown in your linked instruction set. I've done the dry run with GParted, and (due to being unable to get a screenshot with the system the way it is) have a picture of the partitions attached. I was a little unsure of whether I should be deleting the diag or boot (assume diag from your prior discussion - but too risky to assume anything here). My next question is if I am deleting any partitions, should I be cloning the hard drive first to ensure nothing gets lost in this process? This lady makes her living from graphic designing on her computer, and if I can save files, etc. now, I definitely want to do so! If this process just corrects the MBR issue and all else is safe, let's proceed!

[attached image: GParted view of the partitions]


Don't do anything yet.

Don't delete any partitions, that's not the problem!!

You're using the incorrect disk for the system:

ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.

Second:

TDL4: custom:26000022 <===== ATTENTION! <----this is in the log and is the infection

I'll get back to you in the am.

MrC

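As an added triage example (not part of the thread and not FRST's own code): a small Python script that does mechanically what MrC does by reading the log above, pulling out FRST's ATTENTION markers and checking the file listing for core process names found outside the directories FRST's Bamital check verifies. The expected-directory table is derived from that check list as it appears on this page and is an assumption; the sample log is constructed from lines quoted in the thread.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example for this thread; it is not FRST's own code and not something
the participants ran. It mechanises the reading MrC does by hand above:
collect the lines FRST stamps with ATTENTION (x86/x64 boot-disk mismatch,
TDL4 custom BCD entry, partition/boot infection hint) and scan the file
listing for core Windows process names sitting outside the directories
FRST's own "Bamital & volsnap Check" verifies (the C:\\Windows\\svchost.exe hint).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One FRST file-listing entry:  created - modified - size attrs [(signer)] path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<signer>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*\S)$"
)

# Where each core binary belongs, derived from the paths FRST's Bamital
# check verifies in the log above (assumption: that list is complete).
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str  # FRST flags: ____A archive, ____D directory, ___HD hidden dir
    signer: Optional[str]
    path: str


def parse_entries(log: str) -> List[FileEntry]:
    """Parse every file/folder line of the Created and Modified sections."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(FileEntry(m["created"], m["modified"], int(m["size"]),
                                     m["attrs"], m["signer"], m["path"]))
    return entries


def attention_lines(log: str) -> List[str]:
    """Collect FRST's ATTENTION markers; a header ending in ':' carries its
    subject (the flagged path) on the next non-empty line, so join them."""
    lines = [ln.strip() for ln in log.splitlines()]
    found = []
    for i, line in enumerate(lines):
        if "ATTENTION" not in line:
            continue
        if line.endswith(":"):
            line = line + " " + next((ln for ln in lines[i + 1:] if ln), "")
        found.append(line)
    return found


def misplaced_core_binaries(entries: List[FileEntry]) -> List[str]:
    """Core process names found outside their expected directories."""
    hits: List[str] = []
    for e in entries:
        if "D" in e.attrs:  # a directory cannot be the binary itself
            continue
        directory, _, name = e.path.rpartition("\\")
        allowed = EXPECTED_DIRS.get(name.lower())
        if allowed and directory.lower() not in allowed and e.path not in hits:
            hits.append(e.path)
    return hits


# Constructed sample: a handful of lines quoted from the thread's FRST logs.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-09-2012
ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
==================== One Month Created Files and Folders ========
2012-09-24 14:23 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-09-23 13:57 - 2012-02-10 22:29 - 00067584 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-09-24 18:04 - 2012-09-24 18:04 - 00002154 ____A C:\Windows\epplauncher.mif
2012-09-14 12:46 - 2012-09-21 12:06 - 00000000 ___HD C:\Users\Jean\AppData\Roaming\578EEF29
ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe
==================== Bamital & volsnap Check =================
C:\Windows\System32\svchost.exe => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.
"""
```

Running `attention_lines(SAMPLE_LOG)` and `misplaced_core_binaries(parse_entries(SAMPLE_LOG))` on the sample reproduces the three things MrC points at: the wrong-architecture boot disk, the TDL4 custom BCD entry, and the svchost.exe copy sitting in C:\Windows instead of System32.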
Microsoft sent me the wrong .iso initially, but I have now rectified that and have the 64-bit disc burnt as well.

Yes, I know I had the wrong backup disc, but I now have the right disc. If you need a new Farbar scan showing that, I can run one.

I will not do anything until I receive further instruction from you in the AM.

Thanks.


Great!

Run another FRST scan with the correct disk and post the new log, MrC


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-09-2012

Ran by SYSTEM at 28-09-2012 09:46:46

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [162336 2009-07-21] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [162336 2009-07-21] ()

HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 EMP_UDSA; C:\Program Files (x86)\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [104424 2010-06-09] (SEIKO EPSON CORPORATION)

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) =====================

1 MpKsl2da59b7e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0C11CA1E-21A0-4931-9638-C91B62B19335}\MpKsl2da59b7e.sys [35664 2012-09-24] (Microsoft Corporation)

3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]

3 USBCCID; C:\Windows\System32\DRIVERS\usbccid.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-09-26 10:39 - 2012-09-27 17:48 - 00000000 ____D C:\Program Files (x86)\Magical Jelly Bean

2012-09-25 06:07 - 2012-09-25 07:08 - 00000000 ____D C:\TDSSKiller_Quarantine

2012-09-25 06:02 - 2012-09-25 06:02 - 00001385 ____A C:\Users\Jean\Desktop\RKreport[6].txt

2012-09-25 06:01 - 2012-09-25 06:01 - 00001363 ____A C:\Users\Jean\Desktop\RKreport[5].txt

2012-09-25 05:57 - 2012-09-25 05:57 - 00001497 ____A C:\Users\Jean\Desktop\RKreport[4].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001523 ____A C:\Users\Jean\Desktop\RKreport[3].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001489 ____A C:\Users\Jean\Desktop\RKreport[2].txt

2012-09-25 05:23 - 2012-09-25 05:23 - 00001471 ____A C:\Users\Jean\Desktop\RKreport[1].txt

2012-09-25 05:22 - 2012-09-27 17:48 - 00000000 ____D C:\Users\Jean\Desktop\RK_Quarantine

2012-09-24 18:04 - 2012-09-24 18:04 - 00002154 ____A C:\Windows\epplauncher.mif

2012-09-24 17:56 - 2012-09-24 17:57 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-09-24 17:56 - 2012-09-24 17:56 - 00744030 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-09-24 17:56 - 2012-09-24 17:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2012-09-24 17:55 - 2010-04-09 03:06 - 00374664 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys

2012-09-24 17:45 - 2012-09-24 17:46 - 12621696 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\mseinstall.exe

2012-09-24 17:10 - 2012-09-24 17:10 - 00274672 ____A C:\Windows\Minidump\092412-28501-01.dmp

2012-09-24 17:07 - 2012-09-24 17:07 - 00274672 ____A C:\Windows\Minidump\092412-30279-01.dmp

2012-09-24 17:04 - 2012-09-24 17:04 - 00274672 ____A C:\Windows\Minidump\092412-32510-01.dmp

2012-09-24 14:23 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-09-24 13:00 - 2012-09-24 13:00 - 00023308 ____A C:\Users\Jean\Desktop\Attach.txt

2012-09-24 12:57 - 2012-09-24 12:57 - 00021566 ____A C:\Users\Jean\Desktop\DDS.txt

2012-09-24 12:25 - 2012-09-24 12:25 - 00607260 ____R (Swearware) C:\Users\Jean\Downloads\dds.com

2012-09-24 12:15 - 2012-09-24 12:22 - 00000000 ____D C:\Users\Jean\AppData\Roaming\Mozilla

2012-09-24 12:15 - 2012-09-24 12:15 - 00000000 ____D C:\Users\Jean\AppData\Local\Mozilla

2012-09-24 11:54 - 2012-09-24 11:54 - 00001101 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Users\All Users\Mozilla

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-09-24 11:53 - 2012-09-24 11:53 - 17790056 ____A (Mozilla) C:\Users\Jean\Downloads\Firefox Setup 15.0.1.exe

2012-09-23 19:10 - 2012-09-23 19:10 - 00000129 ____A C:\Windows\System32\MRT.INI

2012-09-23 19:10 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-09-23 19:10 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-09-23 19:10 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-09-23 19:10 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-09-23 19:10 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-09-23 19:10 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-09-23 19:10 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-09-23 19:10 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-09-23 19:10 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-09-23 19:10 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-09-23 19:10 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-09-23 19:10 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-09-23 19:10 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-09-23 19:10 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-09-23 19:10 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-09-23 19:10 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-09-23 19:10 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-09-23 19:10 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-09-23 19:10 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-09-23 19:10 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-09-23 19:10 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-09-23 19:10 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-09-23 19:10 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-09-23 19:10 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-09-23 19:10 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-09-23 19:10 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-09-23 19:10 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-09-23 19:10 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-09-23 19:10 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-09-23 16:43 - 2012-09-23 16:43 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\Jean\Downloads\revosetup.exe

2012-09-23 16:43 - 2012-09-23 16:43 - 00001235 ____A C:\Users\Jean\Desktop\Revo Uninstaller.lnk

2012-09-23 16:43 - 2012-09-23 16:43 - 00000000 ____D C:\Program Files (x86)\VS Revo Group

2012-09-23 14:01 - 2012-09-23 14:01 - 00000000 ____D C:\Users\Jean\AppData\Roaming\Malwarebytes

2012-09-23 14:01 - 2012-09-07 15:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-09-23 13:59 - 2012-09-23 14:00 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Jean\Downloads\mbam-setup-1.65.0.1400.exe

2012-09-23 13:57 - 2012-08-02 09:55 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2012-09-23 13:57 - 2012-08-02 09:05 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2012-09-23 13:57 - 2012-05-05 00:30 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll

2012-09-23 13:57 - 2012-05-04 23:44 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll

2012-09-23 13:57 - 2012-02-10 22:36 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2012-09-23 13:57 - 2012-02-10 22:29 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

2012-09-23 13:57 - 2012-02-10 22:29 - 00067584 ____A (Microsoft Corporation) C:\Windows\splwow64.exe

2012-09-23 13:57 - 2012-02-10 21:44 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2012-09-23 13:56 - 2012-07-18 09:31 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-09-23 13:56 - 2012-07-04 14:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-09-23 13:56 - 2012-07-04 14:01 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-09-23 13:56 - 2012-07-04 14:01 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-09-23 13:56 - 2012-07-04 13:26 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-09-23 13:56 - 2012-07-04 13:23 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

2012-09-23 13:56 - 2012-05-13 21:20 - 00956416 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

2012-09-23 13:45 - 2012-09-23 13:45 - 00274672 ____A C:\Windows\Minidump\092312-27877-01.dmp

2012-09-23 10:28 - 2012-09-23 14:01 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-23 10:28 - 2012-09-23 10:28 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-09-23 10:27 - 2012-09-23 12:45 - 00000000 ____D C:\886402493004868d5e

2012-09-23 10:19 - 2012-09-24 17:33 - 00000000 ____D C:\Windows\pss

2012-09-22 13:12 - 2012-09-24 16:58 - 00000000 ____D C:\Program Files (x86)\Norton Security Suite

2012-09-22 11:08 - 2012-09-22 11:09 - 00274672 ____A C:\Windows\Minidump\092212-30841-01.dmp

2012-09-21 14:02 - 2012-09-21 14:02 - 00274672 ____A C:\Windows\Minidump\092112-40451-01.dmp

2012-09-21 12:33 - 2012-09-21 12:33 - 04096000 ____A C:\Program Files (x86)\GUTC783.tmp

2012-09-20 14:07 - 2012-09-20 14:07 - 00000000 ____D C:\Users\Jean\Documents\OneNote Notebooks

2012-09-14 12:46 - 2012-09-21 12:06 - 00000000 ___HD C:\Users\Jean\AppData\Roaming\578EEF29

==================== 3 Months Modified Files ==================

2012-09-25 06:02 - 2012-09-25 06:02 - 00001385 ____A C:\Users\Jean\Desktop\RKreport[6].txt

2012-09-25 06:01 - 2012-09-25 06:01 - 00001363 ____A C:\Users\Jean\Desktop\RKreport[5].txt

2012-09-25 05:57 - 2012-09-25 05:57 - 00001497 ____A C:\Users\Jean\Desktop\RKreport[4].txt

2012-09-25 05:56 - 2011-02-28 13:09 - 00418304 __ASH C:\Users\Jean\Desktop\Thumbs.db

2012-09-25 05:50 - 2012-09-25 05:50 - 00001523 ____A C:\Users\Jean\Desktop\RKreport[3].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001489 ____A C:\Users\Jean\Desktop\RKreport[2].txt

2012-09-25 05:23 - 2012-09-25 05:23 - 00001471 ____A C:\Users\Jean\Desktop\RKreport[1].txt

2012-09-24 19:06 - 2009-11-03 07:13 - 01301382 ____A C:\Windows\WindowsUpdate.log

2012-09-24 19:00 - 2011-03-27 10:28 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-09-24 18:30 - 2012-07-21 20:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-09-24 18:17 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-09-24 18:17 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-09-24 18:08 - 2011-03-27 10:28 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-09-24 18:06 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-09-24 18:06 - 2009-07-13 20:51 - 00660577 ____A C:\Windows\setupact.log

2012-09-24 18:04 - 2012-09-24 18:04 - 00002154 ____A C:\Windows\epplauncher.mif

2012-09-24 17:56 - 2012-09-24 17:56 - 00744030 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-09-24 17:46 - 2012-09-24 17:45 - 12621696 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\mseinstall.exe

2012-09-24 17:10 - 2012-09-24 17:10 - 00274672 ____A C:\Windows\Minidump\092412-28501-01.dmp

2012-09-24 17:10 - 2011-06-18 19:40 - 313961177 ____A C:\Windows\MEMORY.DMP

2012-09-24 17:07 - 2012-09-24 17:07 - 00274672 ____A C:\Windows\Minidump\092412-30279-01.dmp

2012-09-24 17:04 - 2012-09-24 17:04 - 00274672 ____A C:\Windows\Minidump\092412-32510-01.dmp

2012-09-24 16:58 - 2009-08-14 22:59 - 02028614 ____A C:\Windows\PFRO.log

2012-09-24 14:29 - 2010-02-02 15:52 - 00001981 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk

2012-09-24 13:00 - 2012-09-24 13:00 - 00023308 ____A C:\Users\Jean\Desktop\Attach.txt

2012-09-24 12:57 - 2012-09-24 12:57 - 00021566 ____A C:\Users\Jean\Desktop\DDS.txt

2012-09-24 12:25 - 2012-09-24 12:25 - 00607260 ____R (Swearware) C:\Users\Jean\Downloads\dds.com

2012-09-24 11:54 - 2012-09-24 11:54 - 00001101 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-09-24 11:53 - 2012-09-24 11:53 - 17790056 ____A (Mozilla) C:\Users\Jean\Downloads\Firefox Setup 15.0.1.exe

2012-09-24 06:38 - 2009-07-13 20:45 - 00452640 ____A C:\Windows\System32\FNTCACHE.DAT

2012-09-23 19:10 - 2012-09-23 19:10 - 00000129 ____A C:\Windows\System32\MRT.INI

2012-09-23 16:43 - 2012-09-23 16:43 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\Jean\Downloads\revosetup.exe

2012-09-23 16:43 - 2012-09-23 16:43 - 00001235 ____A C:\Users\Jean\Desktop\Revo Uninstaller.lnk

2012-09-23 14:00 - 2012-09-23 13:59 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Jean\Downloads\mbam-setup-1.65.0.1400.exe

2012-09-23 13:45 - 2012-09-23 13:45 - 00274672 ____A C:\Windows\Minidump\092312-27877-01.dmp

2012-09-23 10:20 - 2009-07-13 20:51 - 00660017 ____A C:\Windows\setupact(67).log

2012-09-22 11:09 - 2012-09-22 11:08 - 00274672 ____A C:\Windows\Minidump\092212-30841-01.dmp

2012-09-21 14:02 - 2012-09-21 14:02 - 00274672 ____A C:\Windows\Minidump\092112-40451-01.dmp

2012-09-21 13:51 - 2011-11-30 13:21 - 00001371 ____A C:\Users\Jean\Desktop\Norton Installation Files.lnk

2012-09-21 13:33 - 2012-07-21 20:03 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-09-21 13:33 - 2012-07-21 20:03 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-09-21 12:33 - 2012-09-21 12:33 - 04096000 ____A C:\Program Files (x86)\GUTC783.tmp

2012-09-09 10:01 - 2012-08-21 07:23 - 00065536 __ASH C:\Users\Jean\Documents\Thumbs.db

2012-09-07 15:04 - 2012-09-23 14:01 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-30 22:43 - 2010-07-26 09:29 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-08-24 03:15 - 2012-09-23 19:10 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-08-24 02:39 - 2012-09-23 19:10 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-08-24 02:31 - 2012-09-23 19:10 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-08-24 02:22 - 2012-09-23 19:10 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-08-24 02:21 - 2012-09-23 19:10 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-08-24 02:20 - 2012-09-23 19:10 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-08-24 02:18 - 2012-09-23 19:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-08-24 02:17 - 2012-09-23 19:10 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-08-24 02:14 - 2012-09-23 19:10 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-08-24 02:14 - 2012-09-23 19:10 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-08-24 02:13 - 2012-09-23 19:10 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-08-24 02:12 - 2012-09-23 19:10 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-08-24 02:11 - 2012-09-23 19:10 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-08-24 02:10 - 2012-09-23 19:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-08-24 02:09 - 2012-09-23 19:10 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-08-24 02:04 - 2012-09-23 19:10 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-08-23 23:27 - 2012-09-23 19:10 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-08-23 23:03 - 2012-09-23 19:10 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-08-23 22:59 - 2012-09-23 19:10 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-08-23 22:51 - 2012-09-23 19:10 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-08-23 22:51 - 2012-09-23 19:10 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-08-23 22:51 - 2012-09-23 19:10 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-08-23 22:49 - 2012-09-23 19:10 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-08-23 22:48 - 2012-09-23 19:10 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-08-23 22:45 - 2012-09-23 19:10 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-08-23 22:44 - 2012-09-23 19:10 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-08-23 22:44 - 2012-09-23 19:10 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-08-23 22:43 - 2012-09-23 19:10 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-08-23 22:40 - 2012-09-23 19:10 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-08-15 20:16 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-12 17:40 - 2011-09-21 13:06 - 00001164 ____A C:\Windows\wininit.ini

2012-08-12 17:23 - 2012-08-12 17:23 - 00001064 ____A C:\Users\Jean\Desktop\Smart PC Cleaner.lnk

2012-08-02 09:55 - 2012-09-23 13:57 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2012-08-02 09:05 - 2012-09-23 13:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2012-07-24 07:03 - 2009-11-03 07:36 - 00067574 ____A C:\Windows\DirectX.log

2012-07-18 09:31 - 2012-09-23 13:56 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-16 12:20 - 2012-07-16 12:18 - 00000000 ____A C:\Users\Jean\Desktop\OK

2012-07-16 12:19 - 2012-07-16 12:18 - 04098584 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\X16-32694.exe.tmp

2012-07-15 16:05 - 2012-07-15 16:05 - 00001247 ____A C:\Users\Jean\Desktop\Any Video Converter.lnk

2012-07-12 20:20 - 2009-07-13 21:08 - 00032580 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-04 14:04 - 2012-09-23 13:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-07-04 14:01 - 2012-09-23 13:56 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-07-04 14:01 - 2012-09-23 13:56 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-07-04 13:26 - 2012-09-23 13:56 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-07-04 13:23 - 2012-09-23 13:56 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-23 10:26:58

Restore point made on: 2012-09-23 16:45:08

Restore point made on: 2012-09-23 16:48:31

Restore point made on: 2012-09-23 17:25:11

Restore point made on: 2012-09-23 19:05:58

Restore point made on: 2012-09-24 09:35:21

Restore point made on: 2012-09-24 09:57:13

Restore point made on: 2012-09-24 10:01:51

Restore point made on: 2012-09-24 10:10:03

Restore point made on: 2012-09-24 10:16:13

Restore point made on: 2012-09-24 10:22:51

Restore point made on: 2012-09-24 10:23:55

Restore point made on: 2012-09-24 10:28:17

Restore point made on: 2012-09-24 10:34:48

Restore point made on: 2012-09-24 10:36:21

Restore point made on: 2012-09-24 10:42:25

Restore point made on: 2012-09-24 11:09:59

Restore point made on: 2012-09-24 11:36:05

Restore point made on: 2012-09-24 17:55:18

Restore point made on: 2012-09-24 19:06:11

==================== Memory info ===========================

Percentage of memory in use: 16%

Total physical RAM: 3838.36 MB

Available physical RAM: 3197.64 MB

Total Pagefile: 3836.51 MB

Available Pagefile: 3206.9 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (Gateway) (Fixed) (Total:286.27 GB) (Free:192.75 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:3.03 GB) NTFS

3 Drive f: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF

4 Drive g: (JUMP1) (Removable) (Total:7.31 GB) (Free:7.31 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 7500 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 11 GB 1024 KB

Partition 2 Primary 100 MB 11 GB

Partition 3 Primary 286 GB 11 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E PQSERVICE NTFS Partition 11 GB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C Gateway NTFS Partition 286 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 7500 MB 0 B

==================================================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

Last Boot: 2012-09-20 22:14

==================== End Of Log =============================


OK, let's get the infection first and then see if it boots up.

If not, we have to change the boot from the 100 MB System Reserved partition to the 287 GB Gateway partition.

~~~~~~~~~~~~~~~~~~~

OK, here you go... Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


Thanks! :fingers crossed:

Here's the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-09-2012

Ran by SYSTEM at 2012-09-28 10:26:16 Run:1

Running from G:\

==============================================

The operation completed successfully.

The operation completed successfully.

==== End of Fixlog ====


Negative. Still black screen with blinking cursor. (Yes, I reordered the BIOS to boot from HD before attempting to boot).

New FRST log....

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-09-2012

Ran by SYSTEM at 28-09-2012 11:42:25

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [162336 2009-07-21] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [162336 2009-07-21] ()

HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 EMP_UDSA; C:\Program Files (x86)\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [104424 2010-06-09] (SEIKO EPSON CORPORATION)

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) =====================

1 MpKsl2da59b7e; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0C11CA1E-21A0-4931-9638-C91B62B19335}\MpKsl2da59b7e.sys [35664 2012-09-24] (Microsoft Corporation)

3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]

3 USBCCID; C:\Windows\System32\DRIVERS\usbccid.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-09-26 10:39 - 2012-09-27 17:48 - 00000000 ____D C:\Program Files (x86)\Magical Jelly Bean

2012-09-25 06:07 - 2012-09-25 07:08 - 00000000 ____D C:\TDSSKiller_Quarantine

2012-09-25 06:02 - 2012-09-25 06:02 - 00001385 ____A C:\Users\Jean\Desktop\RKreport[6].txt

2012-09-25 06:01 - 2012-09-25 06:01 - 00001363 ____A C:\Users\Jean\Desktop\RKreport[5].txt

2012-09-25 05:57 - 2012-09-25 05:57 - 00001497 ____A C:\Users\Jean\Desktop\RKreport[4].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001523 ____A C:\Users\Jean\Desktop\RKreport[3].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001489 ____A C:\Users\Jean\Desktop\RKreport[2].txt

2012-09-25 05:23 - 2012-09-25 05:23 - 00001471 ____A C:\Users\Jean\Desktop\RKreport[1].txt

2012-09-25 05:22 - 2012-09-27 17:48 - 00000000 ____D C:\Users\Jean\Desktop\RK_Quarantine

2012-09-24 18:04 - 2012-09-24 18:04 - 00002154 ____A C:\Windows\epplauncher.mif

2012-09-24 17:56 - 2012-09-24 17:57 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-09-24 17:56 - 2012-09-24 17:56 - 00744030 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-09-24 17:56 - 2012-09-24 17:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2012-09-24 17:55 - 2010-04-09 03:06 - 00374664 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys

2012-09-24 17:45 - 2012-09-24 17:46 - 12621696 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\mseinstall.exe

2012-09-24 17:10 - 2012-09-24 17:10 - 00274672 ____A C:\Windows\Minidump\092412-28501-01.dmp

2012-09-24 17:07 - 2012-09-24 17:07 - 00274672 ____A C:\Windows\Minidump\092412-30279-01.dmp

2012-09-24 17:04 - 2012-09-24 17:04 - 00274672 ____A C:\Windows\Minidump\092412-32510-01.dmp

2012-09-24 14:23 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-09-24 13:00 - 2012-09-24 13:00 - 00023308 ____A C:\Users\Jean\Desktop\Attach.txt

2012-09-24 12:57 - 2012-09-24 12:57 - 00021566 ____A C:\Users\Jean\Desktop\DDS.txt

2012-09-24 12:25 - 2012-09-24 12:25 - 00607260 ____R (Swearware) C:\Users\Jean\Downloads\dds.com

2012-09-24 12:15 - 2012-09-24 12:22 - 00000000 ____D C:\Users\Jean\AppData\Roaming\Mozilla

2012-09-24 12:15 - 2012-09-24 12:15 - 00000000 ____D C:\Users\Jean\AppData\Local\Mozilla

2012-09-24 11:54 - 2012-09-24 11:54 - 00001101 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Users\All Users\Mozilla

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-09-24 11:54 - 2012-09-24 11:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-09-24 11:53 - 2012-09-24 11:53 - 17790056 ____A (Mozilla) C:\Users\Jean\Downloads\Firefox Setup 15.0.1.exe

2012-09-23 19:10 - 2012-09-23 19:10 - 00000129 ____A C:\Windows\System32\MRT.INI

2012-09-23 19:10 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-09-23 19:10 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-09-23 19:10 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-09-23 19:10 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-09-23 19:10 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-09-23 19:10 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-09-23 19:10 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-09-23 19:10 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-09-23 19:10 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-09-23 19:10 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-09-23 19:10 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-09-23 19:10 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-09-23 19:10 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-09-23 19:10 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-09-23 19:10 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-09-23 19:10 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-09-23 19:10 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-09-23 19:10 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-09-23 19:10 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-09-23 19:10 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-09-23 19:10 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-09-23 19:10 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-09-23 19:10 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-09-23 19:10 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-09-23 19:10 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-09-23 19:10 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-09-23 19:10 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-09-23 19:10 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-09-23 19:10 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-09-23 19:10 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-09-23 16:43 - 2012-09-23 16:43 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\Jean\Downloads\revosetup.exe

2012-09-23 16:43 - 2012-09-23 16:43 - 00001235 ____A C:\Users\Jean\Desktop\Revo Uninstaller.lnk

2012-09-23 16:43 - 2012-09-23 16:43 - 00000000 ____D C:\Program Files (x86)\VS Revo Group

2012-09-23 14:01 - 2012-09-23 14:01 - 00000000 ____D C:\Users\Jean\AppData\Roaming\Malwarebytes

2012-09-23 14:01 - 2012-09-07 15:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-09-23 13:59 - 2012-09-23 14:00 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Jean\Downloads\mbam-setup-1.65.0.1400.exe

2012-09-23 13:57 - 2012-08-02 09:55 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2012-09-23 13:57 - 2012-08-02 09:05 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2012-09-23 13:57 - 2012-05-05 00:30 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll

2012-09-23 13:57 - 2012-05-04 23:44 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll

2012-09-23 13:57 - 2012-02-10 22:36 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2012-09-23 13:57 - 2012-02-10 22:29 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

2012-09-23 13:57 - 2012-02-10 22:29 - 00067584 ____A (Microsoft Corporation) C:\Windows\splwow64.exe

2012-09-23 13:57 - 2012-02-10 21:44 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2012-09-23 13:56 - 2012-07-18 09:31 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-09-23 13:56 - 2012-07-04 14:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-09-23 13:56 - 2012-07-04 14:01 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-09-23 13:56 - 2012-07-04 14:01 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-09-23 13:56 - 2012-07-04 13:26 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-09-23 13:56 - 2012-07-04 13:23 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

2012-09-23 13:56 - 2012-05-13 21:20 - 00956416 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

2012-09-23 13:45 - 2012-09-23 13:45 - 00274672 ____A C:\Windows\Minidump\092312-27877-01.dmp

2012-09-23 10:28 - 2012-09-23 14:01 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-23 10:28 - 2012-09-23 10:28 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-09-23 10:27 - 2012-09-23 12:45 - 00000000 ____D C:\886402493004868d5e

2012-09-23 10:19 - 2012-09-24 17:33 - 00000000 ____D C:\Windows\pss

2012-09-22 13:12 - 2012-09-24 16:58 - 00000000 ____D C:\Program Files (x86)\Norton Security Suite

2012-09-22 11:08 - 2012-09-22 11:09 - 00274672 ____A C:\Windows\Minidump\092212-30841-01.dmp

2012-09-21 14:02 - 2012-09-21 14:02 - 00274672 ____A C:\Windows\Minidump\092112-40451-01.dmp

2012-09-21 12:33 - 2012-09-21 12:33 - 04096000 ____A C:\Program Files (x86)\GUTC783.tmp

2012-09-20 14:07 - 2012-09-20 14:07 - 00000000 ____D C:\Users\Jean\Documents\OneNote Notebooks

2012-09-14 12:46 - 2012-09-21 12:06 - 00000000 ___HD C:\Users\Jean\AppData\Roaming\578EEF29

==================== 3 Months Modified Files ==================

2012-09-25 06:02 - 2012-09-25 06:02 - 00001385 ____A C:\Users\Jean\Desktop\RKreport[6].txt

2012-09-25 06:01 - 2012-09-25 06:01 - 00001363 ____A C:\Users\Jean\Desktop\RKreport[5].txt

2012-09-25 05:57 - 2012-09-25 05:57 - 00001497 ____A C:\Users\Jean\Desktop\RKreport[4].txt

2012-09-25 05:56 - 2011-02-28 13:09 - 00418304 __ASH C:\Users\Jean\Desktop\Thumbs.db

2012-09-25 05:50 - 2012-09-25 05:50 - 00001523 ____A C:\Users\Jean\Desktop\RKreport[3].txt

2012-09-25 05:50 - 2012-09-25 05:50 - 00001489 ____A C:\Users\Jean\Desktop\RKreport[2].txt

2012-09-25 05:23 - 2012-09-25 05:23 - 00001471 ____A C:\Users\Jean\Desktop\RKreport[1].txt

2012-09-24 19:06 - 2009-11-03 07:13 - 01301382 ____A C:\Windows\WindowsUpdate.log

2012-09-24 19:00 - 2011-03-27 10:28 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-09-24 18:30 - 2012-07-21 20:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-09-24 18:17 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-09-24 18:17 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-09-24 18:08 - 2011-03-27 10:28 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-09-24 18:06 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-09-24 18:06 - 2009-07-13 20:51 - 00660577 ____A C:\Windows\setupact.log

2012-09-24 18:04 - 2012-09-24 18:04 - 00002154 ____A C:\Windows\epplauncher.mif

2012-09-24 17:56 - 2012-09-24 17:56 - 00744030 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-09-24 17:46 - 2012-09-24 17:45 - 12621696 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\mseinstall.exe

2012-09-24 17:10 - 2012-09-24 17:10 - 00274672 ____A C:\Windows\Minidump\092412-28501-01.dmp

2012-09-24 17:10 - 2011-06-18 19:40 - 313961177 ____A C:\Windows\MEMORY.DMP

2012-09-24 17:07 - 2012-09-24 17:07 - 00274672 ____A C:\Windows\Minidump\092412-30279-01.dmp

2012-09-24 17:04 - 2012-09-24 17:04 - 00274672 ____A C:\Windows\Minidump\092412-32510-01.dmp

2012-09-24 16:58 - 2009-08-14 22:59 - 02028614 ____A C:\Windows\PFRO.log

2012-09-24 14:29 - 2010-02-02 15:52 - 00001981 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk

2012-09-24 13:00 - 2012-09-24 13:00 - 00023308 ____A C:\Users\Jean\Desktop\Attach.txt

2012-09-24 12:57 - 2012-09-24 12:57 - 00021566 ____A C:\Users\Jean\Desktop\DDS.txt

2012-09-24 12:25 - 2012-09-24 12:25 - 00607260 ____R (Swearware) C:\Users\Jean\Downloads\dds.com

2012-09-24 11:54 - 2012-09-24 11:54 - 00001101 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-09-24 11:53 - 2012-09-24 11:53 - 17790056 ____A (Mozilla) C:\Users\Jean\Downloads\Firefox Setup 15.0.1.exe

2012-09-24 06:38 - 2009-07-13 20:45 - 00452640 ____A C:\Windows\System32\FNTCACHE.DAT

2012-09-23 19:10 - 2012-09-23 19:10 - 00000129 ____A C:\Windows\System32\MRT.INI

2012-09-23 16:43 - 2012-09-23 16:43 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\Jean\Downloads\revosetup.exe

2012-09-23 16:43 - 2012-09-23 16:43 - 00001235 ____A C:\Users\Jean\Desktop\Revo Uninstaller.lnk

2012-09-23 14:00 - 2012-09-23 13:59 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Jean\Downloads\mbam-setup-1.65.0.1400.exe

2012-09-23 13:45 - 2012-09-23 13:45 - 00274672 ____A C:\Windows\Minidump\092312-27877-01.dmp

2012-09-23 10:20 - 2009-07-13 20:51 - 00660017 ____A C:\Windows\setupact(67).log

2012-09-22 11:09 - 2012-09-22 11:08 - 00274672 ____A C:\Windows\Minidump\092212-30841-01.dmp

2012-09-21 14:02 - 2012-09-21 14:02 - 00274672 ____A C:\Windows\Minidump\092112-40451-01.dmp

2012-09-21 13:51 - 2011-11-30 13:21 - 00001371 ____A C:\Users\Jean\Desktop\Norton Installation Files.lnk

2012-09-21 13:33 - 2012-07-21 20:03 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-09-21 13:33 - 2012-07-21 20:03 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-09-21 12:33 - 2012-09-21 12:33 - 04096000 ____A C:\Program Files (x86)\GUTC783.tmp

2012-09-09 10:01 - 2012-08-21 07:23 - 00065536 __ASH C:\Users\Jean\Documents\Thumbs.db

2012-09-07 15:04 - 2012-09-23 14:01 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-30 22:43 - 2010-07-26 09:29 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-08-24 03:15 - 2012-09-23 19:10 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-08-24 02:39 - 2012-09-23 19:10 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-08-24 02:31 - 2012-09-23 19:10 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-08-24 02:22 - 2012-09-23 19:10 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-08-24 02:21 - 2012-09-23 19:10 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-08-24 02:20 - 2012-09-23 19:10 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-08-24 02:18 - 2012-09-23 19:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-08-24 02:17 - 2012-09-23 19:10 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-08-24 02:14 - 2012-09-23 19:10 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-08-24 02:14 - 2012-09-23 19:10 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-08-24 02:13 - 2012-09-23 19:10 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-08-24 02:12 - 2012-09-23 19:10 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-08-24 02:11 - 2012-09-23 19:10 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-08-24 02:10 - 2012-09-23 19:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-08-24 02:09 - 2012-09-23 19:10 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-08-24 02:04 - 2012-09-23 19:10 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-08-23 23:27 - 2012-09-23 19:10 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-08-23 23:03 - 2012-09-23 19:10 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-08-23 22:59 - 2012-09-23 19:10 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-08-23 22:51 - 2012-09-23 19:10 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-08-23 22:51 - 2012-09-23 19:10 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-08-23 22:51 - 2012-09-23 19:10 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-08-23 22:49 - 2012-09-23 19:10 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-08-23 22:48 - 2012-09-23 19:10 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-08-23 22:47 - 2012-09-23 19:10 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-08-23 22:45 - 2012-09-23 19:10 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-08-23 22:44 - 2012-09-23 19:10 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-08-23 22:44 - 2012-09-23 19:10 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-08-23 22:43 - 2012-09-23 19:10 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-08-23 22:40 - 2012-09-23 19:10 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-08-15 20:16 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-12 17:40 - 2011-09-21 13:06 - 00001164 ____A C:\Windows\wininit.ini

2012-08-12 17:23 - 2012-08-12 17:23 - 00001064 ____A C:\Users\Jean\Desktop\Smart PC Cleaner.lnk

2012-08-02 09:55 - 2012-09-23 13:57 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2012-08-02 09:05 - 2012-09-23 13:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2012-07-24 07:03 - 2009-11-03 07:36 - 00067574 ____A C:\Windows\DirectX.log

2012-07-18 09:31 - 2012-09-23 13:56 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-16 12:20 - 2012-07-16 12:18 - 00000000 ____A C:\Users\Jean\Desktop\OK

2012-07-16 12:19 - 2012-07-16 12:18 - 04098584 ____A (Microsoft Corporation) C:\Users\Jean\Downloads\X16-32694.exe.tmp

2012-07-15 16:05 - 2012-07-15 16:05 - 00001247 ____A C:\Users\Jean\Desktop\Any Video Converter.lnk

2012-07-12 20:20 - 2009-07-13 21:08 - 00032580 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-04 14:04 - 2012-09-23 13:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll

2012-07-04 14:01 - 2012-09-23 13:56 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll

2012-07-04 14:01 - 2012-09-23 13:56 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll

2012-07-04 13:26 - 2012-09-23 13:56 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll

2012-07-04 13:23 - 2012-09-23 13:56 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-23 10:26:58

Restore point made on: 2012-09-23 16:45:08

Restore point made on: 2012-09-23 16:48:31

Restore point made on: 2012-09-23 17:25:11

Restore point made on: 2012-09-23 19:05:58

Restore point made on: 2012-09-24 09:35:21

Restore point made on: 2012-09-24 09:57:13

Restore point made on: 2012-09-24 10:01:51

Restore point made on: 2012-09-24 10:10:03

Restore point made on: 2012-09-24 10:16:13

Restore point made on: 2012-09-24 10:22:51

Restore point made on: 2012-09-24 10:23:55

Restore point made on: 2012-09-24 10:28:17

Restore point made on: 2012-09-24 10:34:48

Restore point made on: 2012-09-24 10:36:21

Restore point made on: 2012-09-24 10:42:25

Restore point made on: 2012-09-24 11:09:59

Restore point made on: 2012-09-24 11:36:05

Restore point made on: 2012-09-24 17:55:18

Restore point made on: 2012-09-24 19:06:11

==================== Memory info ===========================

Percentage of memory in use: 16%

Total physical RAM: 3838.36 MB

Available physical RAM: 3209.19 MB

Total Pagefile: 3836.51 MB

Available Pagefile: 3212.42 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (Gateway) (Fixed) (Total:286.27 GB) (Free:192.75 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:3.03 GB) NTFS

3 Drive f: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF

4 Drive g: (JUMP1) (Removable) (Total:7.31 GB) (Free:7.31 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 7500 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 11 GB 1024 KB

Partition 2 Primary 100 MB 11 GB

Partition 3 Primary 286 GB 11 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E PQSERVICE NTFS Partition 11 GB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C Gateway NTFS Partition 286 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 7500 MB 0 B

==================================================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

Last Boot: 2012-09-20 22:14

==================== End Of Log =============================

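The FRST notice in the log above ("Check for possible partition/boot infection: C:\Windows\svchost.exe") rests on a simple rule: a core Windows binary sitting outside its canonical directory. The following Python is an added example, not code from the thread or from FRST, that parses lines in FRST's file-list format and applies that rule plus one labelled heuristic for hidden hex-named AppData folders; the canonical-directory table, the line-format regex and the sample lines (copied from the log above) are assumptions of the example, not anything the tool documents.

```python
"""Parse FRST-style file-list lines and flag misplaced system binaries.

Added example for the thread above; not part of FRST or of the forum post.
Line layout assumed: "<created> - <modified> - <size> <attrs> [(Company)] <path>".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, copied from the FRST log posted in the thread.
SAMPLE_LOG = r"""
2012-09-24 14:23 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-09-23 13:57 - 2012-02-10 22:29 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-09-23 13:57 - 2012-02-10 22:29 - 00067584 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-09-24 17:56 - 2012-09-24 17:57 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-14 12:46 - 2012-09-21 12:06 - 00000000 ___HD C:\Users\Jean\AppData\Roaming\578EEF29
"""

# One FRST file line; the "(Company)" field comes from the file's version
# resource, so it is NOT an Authenticode check and must not be trusted alone.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Assumed table: the binaries FRST's "Bamital & volsnap Check" lists, with the
# directories they legitimately live in on a 64-bit Windows 7 install.
CANONICAL_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one FRST file line, or None for anything else."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["company"], m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def misplaced_system_binaries(entries: List[Entry]) -> List[Entry]:
    """Files named like a core system binary but outside its canonical dir."""
    hits = []
    for e in entries:
        if "D" in e.attrs:          # directory entry, not a file
            continue
        directory, _, name = e.path.rpartition("\\")
        allowed = CANONICAL_DIRS.get(name.lower())
        if allowed is not None and directory.lower() not in allowed:
            hits.append(e)
    return hits


def hidden_hex_dirs_in_appdata(entries: List[Entry]) -> List[Entry]:
    """Heuristic (assumption, not an FRST rule): hidden AppData folders whose
    name is eight hex digits deserve a manual look."""
    return [e for e in entries
            if "D" in e.attrs and "H" in e.attrs
            and "\\appdata\\" in e.path.lower()
            and HEX_NAME.match(e.path.rpartition("\\")[2])]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in misplaced_system_binaries(found):
        print(f"ATTENTION: {e.path} outside its canonical directory "
              f"({e.size} bytes, created {e.created})")
    for e in hidden_hex_dirs_in_appdata(found):
        print(f"review: hidden hex-named directory {e.path}")
```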

  • Download ListParts to a USB flash drive.
  • Download ListParts64 to a USB flash drive. <----------this one
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

W7InstallDisk2.png

  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • Type e:\listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • ListParts will start to run.
      • Press the Scan button.
      • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.

MrC


Dang. I was hoping that the one remaining item in the FRST log could still be fixed:

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

Listparts64 log:

ListParts by Farbar Version: 25-09-2012

Ran by SYSTEM (administrator) on 28-09-2012 at 13:41:42

Windows 7 (X64)

Running From: G:\

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 12%

Total physical RAM: 3838.36 MB

Available physical RAM: 3352.57 MB

Total Pagefile: 3836.51 MB

Available Pagefile: 3330.63 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (Gateway) (Fixed) (Total:286.27 GB) (Free:192.75 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:3.03 GB) NTFS

4 Drive f: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF

5 Drive g: (JUMP1) (Removable) (Total:7.31 GB) (Free:7.31 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 7500 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 11 GB 1024 KB

Partition 2 Primary 100 MB 11 GB

Partition 3 Primary 286 GB 11 GB

======================================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E PQSERVICE NTFS Partition 11 GB Healthy Hidden

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D Gateway NTFS Partition 286 GB Healthy

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 7500 MB 0 B

======================================================================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

======================================================================================================

Windows Boot Manager

--------------------

identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}

device partition=C:

path \bootmgr

description Windows Boot Manager

locale en-US

inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

default {ceda2f2a-c890-11de-beb3-cf189aeeba4a}

resumeobject {ceda2f29-c890-11de-beb3-cf189aeeba4a}

displayorder {ceda2f2a-c890-11de-beb3-cf189aeeba4a}

toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}

timeout 30

Windows Boot Loader

-------------------

identifier {ceda2f2a-c890-11de-beb3-cf189aeeba4a}

device partition=D:

path \Windows\system32\winload.exe

description Windows 7

locale en-US

inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}

recoverysequence {ceda2f2b-c890-11de-beb3-cf189aeeba4a}

recoveryenabled Yes

osdevice partition=D:

systemroot \Windows

resumeobject {ceda2f29-c890-11de-beb3-cf189aeeba4a}

nx OptIn

detecthal Yes

bootlog No

Windows Boot Loader

-------------------

identifier {ceda2f2b-c890-11de-beb3-cf189aeeba4a}

device ramdisk=[D:]\Recovery\ceda2f2b-c890-11de-beb3-cf189aeeba4a\Winre.wim,{ceda2f2c-c890-11de-beb3-cf189aeeba4a}

path \windows\system32\winload.exe

description Windows Recovery Environment

inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}

osdevice ramdisk=[D:]\Recovery\ceda2f2b-c890-11de-beb3-cf189aeeba4a\Winre.wim,{ceda2f2c-c890-11de-beb3-cf189aeeba4a}

systemroot \windows

nx OptIn

winpe Yes

custom:46000010 Yes

Resume from Hibernate

---------------------

identifier {ceda2f29-c890-11de-beb3-cf189aeeba4a}

device partition=D:

path \Windows\system32\winresume.exe

description Windows Resume Application

locale en-US

inherit {1afa9c49-16ab-4a5c-901b-212802da9460}

filedevice partition=D:

filepath \hiberfil.sys

debugoptionenabled No

Windows Memory Tester

---------------------

identifier {b2721d73-1db4-4c62-bf78-c548a880142d}

device partition=C:

path \boot\memtest.exe

description Windows Memory Diagnostic

locale en-US

inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

badmemoryaccess Yes

EMS Settings

------------

identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}

bootems Yes

Debugger Settings

-----------------

identifier {4636856e-540f-4170-a130-a84776f4c654}

debugtype Serial

debugport 1

baudrate 115200

RAM Defects

-----------

identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings

---------------

identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

inherit {4636856e-540f-4170-a130-a84776f4c654}

{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}

{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings

--------------------

identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}

inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings

-------------------

identifier {7ff607e0-4395-11db-b0de-0800200c9a66}

hypervisordebugtype Serial

hypervisordebugport 1

hypervisorbaudrate 115200

Resume Loader Settings

----------------------

identifier {1afa9c49-16ab-4a5c-901b-212802da9460}

inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options

--------------

identifier {ceda2f2c-c890-11de-beb3-cf189aeeba4a}

description Ramdisk Options

ramdisksdidevice partition=D:

ramdisksdipath \Recovery\ceda2f2b-c890-11de-beb3-cf189aeeba4a\boot.sdi

****** End Of Log ******


Please give this a try:

  • Download and Save Fix.txt (attached) to the flash drive where ListParts is located.

Next

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

W7InstallDisk2.png

  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • Type e:\listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • ListParts will start to run.
      • Press the Fix button.
      • ListParts will process the script in Fix.txt
      • When finished please press the Scan button.
      • A log Result.txt will be saved to the flash drive. Also look for LPfixlog.txt
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.

Let me know.....MrC


Interesting...I applied the fix, and went to my alternate system to post the result.txt, and found the same result.txt from earlier in the day. However, as I was working on that, I re-ordered the BIOS and rebooted and WE'RE UP!!! yay!

If you need that Result.txt still, I can try running that fix.txt again from a command prompt, though I don't believe it necessary now.

If you need this for any reason, the LPfixlog is as follows:

Script used: "Disk=0 Partition=2 inactive"

Script used: "Disk=0 Partition=2 active"

Script used: "Disk=0 Partition=2 inactive"

Script used: "Disk=0 Partition=2 active"

Script used: "custom"

An error occurred while attempting to delete the specified data element.

Element not found.

Script used: ""
