TechSpot

Svchost.exe (trojan(something)) returns after reboot

Solved
By m0nk3n
Feb 18, 2013
Topic Status:
Not open for further replies.
  1. Hi, I'm new here and it was either this or Microsoft support, but I read some other topics about Malwarebytes finding and stopping the svchost.exe trojan, but it returns every time I reboot my computer.
    Malwarebytes wants to contain it, then it does that; sometimes it freezes the computer and other times not. I had been thinking about wrecking the hdd since I downloaded gomplayer once and I double-clicked the file to install it, but it disappeared, so I downloaded it again and double-clicked it and it disappeared and the wallpaper was all 1's and 0's. idk why I got that from video player software.

    Anyway, Malwarebytes isn't able to remove the trojan, which I found out is located in c:\users\myusername\appdata\local\temp. I ran MRT and it found 3 files but couldn't delete them for some reason.
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


    TDSSKiller Scan

    Please download TDSSKiller to your desktop and run it as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

    Sometimes these logs can be very large, in that case please attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    RogueKiller Scan

    • Download RogueKiller from the following link and save it on your desktop:
      TechSpot
      Official Site (alternative)
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  3. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    RogueKiller V8.5.1 [Feb 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Jon [Admin rights]
    Mode : Shortcuts HJfix -- Date : 02/18/2013 20:15:34
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 2 / Fail 0
    Quick launch: Success 1 / Fail 0
    Programs: Success 5 / Fail 0
    Start menu: Success 1 / Fail 0
    User folder: Success 72 / Fail 0
    My documents: Success 1 / Fail 1
    My favorites: Success 0 / Fail 0
    My pictures: Success 8 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 664 / Fail 0
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume4 -- 0x3 --> Restored
    [E:] \Device\HarddiskVolume5 -- 0x3 --> Restored
    [F:] \Device\HarddiskVolume6 -- 0x3 --> Restored
    [G:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [H:] \Device\CdRom0 -- 0x5 --> Skipped
    [I:] \Device\CdRom1 -- 0x5 --> Skipped

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    Finished : << RKreport[5]_SC_02182013_02d2015.txt >>
    RKreport[1]_S_02182013_02d1115.txt ; RKreport[2]_D_02182013_02d1118.txt ; RKreport[3]_S_02182013_02d2010.txt ; RKreport[4]_D_02182013_02d2013.txt ; RKreport[5]_SC_02182013_02d2015.txt

  4. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    RogueKiller V8.5.1 [Feb 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Jon [Admin rights]
    Mode : Remove -- Date : 02/18/2013 20:13:08
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\Desktop.ini [-] --> REMOVED

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD10EADS-00L5B1 ATA Device +++++
    --- User ---
    [MBR] bfee1e1353248b1ab404402a3cc5604b
    [BSP] 9488371b38d42e5eb745c9ba0fa07e4b : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: ST31000528AS ATA Device +++++
    --- User ---
    [MBR] 5584b46757e24d3c2daf5e602affe2d9
    [BSP] 18c9ebb4d18767eb89342d92b4dfff13 : Linux MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953874 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: WDC WD20EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] 5806e0ad5c9b41cb0fd6e945525dd174
    [BSP] f97b955cfdc8647899c9bce60a504418 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: WDC WD15EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] fe0461a4e18847bfba82bdcb84116d26
    [BSP] 89844a27d1e3e1cf6be3ee3cc0a205d0 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1430803 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive4: WDC WD20EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] 52bc9653096a172d7940d2aee92699ac
    [BSP] 9f581c53665f591506c8c9c896051c9e : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[4]_D_02182013_02d2013.txt >>
    RKreport[1]_S_02182013_02d1115.txt ; RKreport[2]_D_02182013_02d1118.txt ; RKreport[3]_S_02182013_02d2010.txt ; RKreport[4]_D_02182013_02d2013.txt
  5. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    RogueKiller V8.5.1 [Feb 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Jon [Admin rights]
    Mode : Scan -- Date : 02/18/2013 20:10:17
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\Desktop.ini [-] --> FOUND

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD10EADS-00L5B1 ATA Device +++++
    --- User ---
    [MBR] bfee1e1353248b1ab404402a3cc5604b
    [BSP] 9488371b38d42e5eb745c9ba0fa07e4b : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: ST31000528AS ATA Device +++++
    --- User ---
    [MBR] 5584b46757e24d3c2daf5e602affe2d9
    [BSP] 18c9ebb4d18767eb89342d92b4dfff13 : Linux MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953874 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: WDC WD20EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] 5806e0ad5c9b41cb0fd6e945525dd174
    [BSP] f97b955cfdc8647899c9bce60a504418 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: WDC WD15EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] fe0461a4e18847bfba82bdcb84116d26
    [BSP] 89844a27d1e3e1cf6be3ee3cc0a205d0 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1430803 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive4: WDC WD20EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] 52bc9653096a172d7940d2aee92699ac
    [BSP] 9f581c53665f591506c8c9c896051c9e : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[3]_S_02182013_02d2010.txt >>
    RKreport[1]_S_02182013_02d1115.txt ; RKreport[2]_D_02182013_02d1118.txt ; RKreport[3]_S_02182013_02d2010.txt
  6. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Jon [Admin rights]
    Mode : Remove -- Date : 02/18/2013 11:18:58
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Adobe (C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent.vbe) [-] -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD10EADS-00L5B1 ATA Device +++++
    --- User ---
    [MBR] bfee1e1353248b1ab404402a3cc5604b
    [BSP] 9488371b38d42e5eb745c9ba0fa07e4b : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: ST31000528AS ATA Device +++++
    --- User ---
    [MBR] 5584b46757e24d3c2daf5e602affe2d9
    [BSP] 18c9ebb4d18767eb89342d92b4dfff13 : Linux MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953874 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: WDC WD20EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] 5806e0ad5c9b41cb0fd6e945525dd174
    [BSP] f97b955cfdc8647899c9bce60a504418 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: WDC WD15EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] fe0461a4e18847bfba82bdcb84116d26
    [BSP] 89844a27d1e3e1cf6be3ee3cc0a205d0 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1430803 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive4: WDC WD20EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] 52bc9653096a172d7940d2aee92699ac
    [BSP] 9f581c53665f591506c8c9c896051c9e : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2]_D_02182013_02d1118.txt >>
    RKreport[1]_S_02182013_02d1115.txt ; RKreport[2]_D_02182013_02d1118.txt
  7. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Jon [Admin rights]
    Mode : Scan -- Date : 02/18/2013 11:15:14
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Adobe (C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent.vbe) [-] -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD10EADS-00L5B1 ATA Device +++++
    --- User ---
    [MBR] bfee1e1353248b1ab404402a3cc5604b
    [BSP] 9488371b38d42e5eb745c9ba0fa07e4b : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: ST31000528AS ATA Device +++++
    --- User ---
    [MBR] 5584b46757e24d3c2daf5e602affe2d9
    [BSP] 18c9ebb4d18767eb89342d92b4dfff13 : Linux MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953874 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: WDC WD20EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] 5806e0ad5c9b41cb0fd6e945525dd174
    [BSP] f97b955cfdc8647899c9bce60a504418 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: WDC WD15EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] fe0461a4e18847bfba82bdcb84116d26
    [BSP] 89844a27d1e3e1cf6be3ee3cc0a205d0 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1430803 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive4: WDC WD20EARX-00PASB0 ATA Device +++++
    --- User ---
    [MBR] 52bc9653096a172d7940d2aee92699ac
    [BSP] 9f581c53665f591506c8c9c896051c9e : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_02182013_02d1115.txt >>
    RKreport[1]_S_02182013_02d1115.txt
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Farbar Recovery Scan Tool x64

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 64-bit version

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type the text services.exe into the "Search:" text box. Then press the Search file(s) button.
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
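    Once FRST.txt comes back, its "Registry (Whitelisted)" section lists each autorun on one line as `HKLM\...\Run: [Name] command [size date] (Publisher)`, and the RogueKiller reports earlier in this thread already flagged one such entry: a Run value named Adobe pointing at a .vbe script under AppData\Roaming. The script below is an added example for reading such logs; it is not part of this thread and not Farbar's or Tigzy's code. It parses lines in the FRST format and scores each autorun on a few defender-side signals (script extension, user-writable location, empty publisher field, a system-process name such as svchost.exe living outside \Windows\, a vendor-style name with no publisher). The weights, the threshold of 3 and the two suspicious sample lines are this example's own constructions; the benign sample lines are copied from the format FRST uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One FRST "Registry (Whitelisted)" autorun line. The hive prefix can be
# HKLM, HKLM-x32 or HKU\<user>; the publisher field may be empty: ().
RUN_LINE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)\s*$"
)
# Executable part of the command: optionally quoted drive path ending in a runnable extension.
EXEC_PATH = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|com|scr|dll|vbe|vbs|js|jse|wsf|bat|cmd|ps1|hta))"?(?=\s|$)',
    re.IGNORECASE,
)

# Heuristic signal tables; these are the example's own choices, not FRST's.
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".scr"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_PROCESS_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
LEGIT_SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
VENDOR_WORDS = ("adobe", "microsoft", "java", "intel", "realtek")


@dataclass
class Finding:
    name: str
    hive: str
    path: str
    score: int
    reasons: List[str]


def parse_run_line(line: str) -> Optional[Dict[str, str]]:
    """Split an FRST Run line into its fields; None if the line is not one."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    p = EXEC_PATH.match(fields["cmd"])
    # Fall back to the whole command when no recognisable executable path is present.
    fields["path"] = p.group("path") if p else fields["cmd"].strip('"')
    fields["publisher"] = fields["publisher"].strip()
    return fields


def score_entry(name: str, path: str, publisher: str) -> Tuple[int, List[str]]:
    """Risk score for one autorun entry plus the human-readable reasons behind it."""
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    score, reasons = 0, []
    if ext in SCRIPT_EXTS:
        score += 2
        reasons.append(f"script/interpreter payload ({ext})")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        score += 1
        reasons.append("runs from a user-writable location")
    if not publisher:
        score += 1
        reasons.append("no publisher in version information")
    if base in SYSTEM_PROCESS_NAMES and directory not in LEGIT_SYSTEM_DIRS:
        score += 3
        reasons.append("system process name outside the Windows system directories")
    if not publisher and any(word in name.lower() for word in VENDOR_WORDS):
        score += 2
        reasons.append("vendor-style Run value name with no publisher")
    return score, reasons


def triage(lines: List[str], threshold: int = 3) -> List[Finding]:
    """Return the Run entries whose score reaches the threshold, in log order."""
    findings = []
    for line in lines:
        fields = parse_run_line(line)
        if fields is None:
            continue
        score, reasons = score_entry(fields["name"], fields["path"], fields["publisher"])
        if score >= threshold:
            findings.append(Finding(fields["name"], fields["hive"], fields["path"], score, reasons))
    return findings


# Constructed sample log: the first three lines follow the shape FRST prints for benign
# software; the last two are made up here to mirror what RogueKiller flagged and the
# svchost.exe-in-%TEMP% symptom this thread opened with.
SAMPLE_FRST_LINES = [
    r'HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)',
    r'HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1263512 2012-11-30] ()',
    r'HKU\Jon\...\Run: [Spotify] "C:\Users\Jon\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [5926808 2013-02-16] (Spotify Ltd)',
    r'HKLM-x32\...\Run: [Adobe] C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent.vbe [12345 2013-02-17] ()',
    r'HKU\Jon\...\Run: [svchost] C:\Users\Jon\AppData\Local\Temp\svchost.exe [67890 2013-02-17] ()',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"[{f.score}] {f.hive} Run:{f.name} -> {f.path}")
        for reason in f.reasons:
            print("      -", reason)
```

    On the sample above only the Adobe and svchost entries reach the threshold; Spotify also runs from AppData\Roaming but scores low because a publisher is listed and nothing else is off. Treat the parenthesised publisher as a hint, not proof: it is the company name FRST reads from the file's version information, not a verified signature, which is why the rules combine it with location and extension rather than trusting it alone. Any entry that is flagged is something to hand to the helper, not something to delete on your own.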
  9. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    Do I have to download it on the other computer on the flash drive?
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    However it works out. Any way you can get it on the flash drive, go for it. :)
  11. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    I don't have a mouse and keyboard when I'm supposed to choose the language.
     
  12. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    I don't have a mouse and keyboard either when I press F8 or when using the Windows installation CD.
  13. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    Fixed it. USB 3.0 vs USB 2.0 scenario :p
  14. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-02-2013 01
    Ran by SYSTEM at 18-02-2013 21:41:15
    Running from J:\
    Windows 7 Ultimate (X64) OS Language: Norwegian Bokmal
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6827664 2012-12-23] (Realtek Semiconductor)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
    HKLM\...\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun [825184 2009-09-30] (Microsoft Corporation)
    HKLM\...\Run: [IntelliType Pro] "C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe" [1464944 2012-11-02] (Microsoft Corporation)
    HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2076272 2012-11-02] (Microsoft Corporation)
    HKLM-x32\...\Run: [ASUS AiChargerPlus Execute] C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe [550272 2012-08-20] (ASUSTek Computer Inc.)
    HKLM-x32\...\Run: [ASUS ShellProcess Execute] C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\AsShellProcess.exe [252544 2010-11-25] (ASUSTeK Computer Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-01-30] (DivX, LLC)
    HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1263512 2012-11-30] ()
    HKLM-x32\...\Run: [Nero MediaHome 4] "C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN [5178664 2012-02-28] (Nero AG)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [642808 2012-12-19] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)
    HKU\Jon\...\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe" [495616 2007-09-02] ()
    HKU\Jon\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3673728 2012-11-06] (DT Soft Ltd)
    HKU\Jon\...\Run: [SteelSeries Engine] C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [237056 2012-11-28] (SteelSeries ApS)
    HKU\Jon\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18708224 2013-01-08] (Skype Technologies S.A.)
    HKU\Jon\...\Run: [Spotify] "C:\Users\Jon\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [5926808 2013-02-16] (Spotify Ltd)
    HKU\Jon\...\Run: [Spotify Web Helper] "C:\Users\Jon\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199000 2013-02-16] (Spotify Ltd)
    HKU\Jon\...\Run: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean [3713032 2012-11-13] (Safer-Networking Ltd.)
    Tcpip\Parameters: [DhcpNameServer] 193.213.112.4 130.67.15.198 10.0.0.138
    Tcpip\..\Interfaces\{E9EED517-B476-4CF0-A4A6-A141B63A5AB4}: [NameServer]8.8.8.8,8.8.4.4

    ==================== Services (Whitelisted) ===================

    2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2012-12-23] ()
    2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-12-23] (ASUSTeK Computer Inc.)
    2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-12-23] (ASUSTeK Computer Inc.)
    2 AsusFanControlService; "C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.15\AsusFanControlService.exe" [1457664 2012-12-23] (ASUSTeK Computer Inc.)
    2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22056 2013-01-27] (Microsoft Corporation)
    2 NeroMediaHomeService.4; "C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe" [517416 2012-02-28] (Nero AG)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [379360 2013-01-27] (Microsoft Corporation)
    2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
    2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
    2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)

    ==================== Drivers (Whitelisted) =====================

    3 AiChargerPlus; C:\Windows\SysWow64\Drivers\AiChargerPlus.sys [14848 2012-04-19] (ASUSTek Computer Inc.)
    1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13440 2012-12-23] ()
    1 AsUpIO; C:\Windows\SysWow64\Drivers\AsUpIO.sys [14464 2012-12-23] ()
    3 ASUSFILTER; C:\Windows\SysWow64\Drivers\ASUSFILTER.sys [46152 2012-12-23] (MCCI Corporation)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)
    0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
    2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
    3 SAlphamHid; C:\Windows\System32\DRIVERS\SAlpham64.sys [38016 2012-10-15] (SteelSeries Corporation)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2012-12-23] (Duplex Secure Ltd.)
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2013-02-18 21:40 - 2013-02-18 21:40 - 00000000 ____D C:\FRST
    2013-02-18 20:53 - 2013-02-18 20:53 - 00000781 ____A C:\Windows\setupact.log
    2013-02-18 20:53 - 2013-02-18 20:53 - 00000000 ____A C:\Windows\setuperr.log
    2013-02-18 20:15 - 2013-02-18 20:15 - 00001568 ____A C:\Users\Jon\Desktop\RKreport[5]_SC_02182013_02d2015.txt
    2013-02-18 20:13 - 2013-02-18 20:13 - 00002666 ____A C:\Users\Jon\Desktop\RKreport[4]_D_02182013_02d2013.txt
    2013-02-18 20:10 - 2013-02-18 20:10 - 00002625 ____A C:\Users\Jon\Desktop\RKreport[3]_S_02182013_02d2010.txt
    2013-02-18 20:07 - 2013-02-18 20:07 - 00798208 ____A C:\Users\Jon\Desktop\RogueKiller (1).exe
    2013-02-18 19:59 - 2013-02-18 19:59 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Jon\Desktop\tdsskiller (1).exe
    2013-02-18 11:18 - 2013-02-18 11:18 - 00002792 ____A C:\Users\Jon\Desktop\RKreport[2]_D_02182013_02d1118.txt
    2013-02-18 11:15 - 2013-02-18 11:15 - 00002737 ____A C:\Users\Jon\Desktop\RKreport[1]_S_02182013_02d1115.txt
    2013-02-18 11:14 - 2013-02-18 20:12 - 00000000 ____D C:\Users\Jon\Desktop\RK_Quarantine
    2013-02-18 11:13 - 2013-02-18 11:13 - 00798208 ____A C:\Users\Jon\Downloads\RogueKiller.exe
    2013-02-18 07:25 - 2013-02-18 09:17 - 00000000 ____D C:\Program Files (x86)\Trojan SVCHOSTRemoval Tool
    2013-02-18 07:25 - 2013-02-18 07:25 - 00001365 ____A C:\Users\Jon\Desktop\Trojan SVCHOSTRemoval Tool.lnk
    2013-02-18 07:25 - 2012-12-10 10:04 - 00356352 ____A (eSellerate Inc.) C:\Windows\eSellerateEngine.dll
    2013-02-18 07:25 - 2012-12-10 10:04 - 00081920 ____A (eSellerate Inc.) C:\Windows\eSellerateControl350.dll
    2013-02-18 07:25 - 2009-07-23 17:32 - 01122304 ____A (The OpenSSL Project, http://www.openssl.org/) C:\Windows\SysWOW64\libeay32.dll
    2013-02-18 07:25 - 2009-07-23 17:32 - 00274432 ____A (The OpenSSL Project, http://www.openssl.org/) C:\Windows\SysWOW64\ssleay32.dll
    2013-02-18 07:23 - 2013-02-18 07:23 - 02729904 ____A (Security Stronghold ) C:\Users\Jon\Downloads\TrojanSVCHOSTRemovalTool.exe
    2013-02-18 07:20 - 2013-02-18 07:20 - 00000000 ____D C:\Program Files\CCleaner
    2013-02-18 07:19 - 2013-02-18 07:19 - 04189792 ____A (Piriform Ltd) C:\Users\Jon\Downloads\ccsetup327.exe
    2013-02-18 07:13 - 2013-02-18 07:13 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Jon\Downloads\tdsskiller.exe
    2013-02-18 07:03 - 2013-02-18 07:04 - 19139088 ____A (Microsoft Corporation) C:\Users\Jon\Downloads\Windows-KB890830-x64-V4.17.exe
    2013-02-18 06:58 - 2013-02-18 07:26 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2013-02-18 06:58 - 2013-02-18 06:58 - 00002173 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2013-02-18 06:58 - 2013-02-18 06:58 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-02-18 06:58 - 2009-01-25 12:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
    2013-02-18 06:57 - 2013-02-18 06:57 - 55454464 ____A (Safer-Networking Ltd. ) C:\Users\Jon\Downloads\SpybotSD2.exe
    2013-02-18 06:01 - 2013-01-09 07:02 - 08390656 ____A C:\Users\Jon\Desktop\Rampage-IV-Extreme-ASUS-3404.CAP
    2013-02-18 05:59 - 2013-02-18 05:59 - 04331547 ____A C:\Users\Jon\Downloads\Rampage-IV-Extreme-ASUS-3404.zip
    2013-02-17 10:26 - 2013-02-17 10:27 - 49227190 ____A C:\Users\Jon\Downloads\DCPlusPlus-0.810.exe
    2013-02-16 06:49 - 2013-02-16 06:49 - 00001757 ____A C:\Users\Jon\Desktop\Spotify.lnk
    2013-02-16 06:49 - 2013-02-16 06:49 - 00000000 ____D C:\Users\Jon\AppData\Local\Spotify
    2013-02-16 06:48 - 2013-02-18 06:45 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Spotify
    2013-02-16 06:48 - 2013-02-16 06:48 - 00090624 ____A (Spotify Ltd) C:\Users\Jon\Downloads\SpotifySetup.exe
    2013-02-14 19:33 - 2013-02-14 19:33 - 04873520 ____A C:\Users\Jon\Downloads\YTDSetup.exe
    2013-02-13 19:12 - 2013-02-13 19:12 - 00000000 ____D C:\Users\Jon\AppData\Local\DDMSettings
    2013-02-13 16:52 - 2013-01-09 02:48 - 17812992 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-02-13 16:52 - 2013-01-09 02:22 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-02-13 16:52 - 2013-01-09 02:19 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-02-13 16:52 - 2013-01-09 02:12 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-02-13 16:52 - 2013-01-09 02:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-02-13 16:52 - 2013-01-09 02:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-02-13 16:52 - 2013-01-09 02:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-02-13 16:52 - 2013-01-09 02:09 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-02-13 16:52 - 2013-01-09 02:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-02-13 16:52 - 2013-01-09 02:07 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-02-13 16:52 - 2013-01-09 02:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-02-13 16:52 - 2013-01-09 02:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-02-13 16:52 - 2013-01-09 02:05 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-02-13 16:52 - 2013-01-09 02:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-02-13 16:52 - 2013-01-09 02:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-02-13 16:52 - 2013-01-09 02:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-02-13 16:52 - 2013-01-08 23:23 - 12321280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2013-02-13 16:52 - 2013-01-08 23:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2013-02-13 16:52 - 2013-01-08 23:09 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2013-02-13 16:52 - 2013-01-08 23:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2013-02-13 16:52 - 2013-01-08 23:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2013-02-13 16:52 - 2013-01-08 23:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2013-02-13 16:52 - 2013-01-08 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2013-02-13 16:52 - 2013-01-08 23:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2013-02-13 16:52 - 2013-01-08 22:59 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2013-02-13 16:52 - 2013-01-08 22:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2013-02-13 16:52 - 2013-01-08 22:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
    2013-02-13 16:52 - 2013-01-08 22:57 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2013-02-13 16:52 - 2013-01-08 22:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2013-02-13 16:52 - 2013-01-08 22:56 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2013-02-13 16:52 - 2013-01-08 22:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2013-02-13 16:52 - 2013-01-08 22:53 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2013-02-13 11:13 - 2013-02-13 11:13 - 00001912 ____A C:\Windows\epplauncher.mif
    2013-02-13 11:08 - 2013-01-05 06:53 - 05553512 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2013-02-13 11:08 - 2013-01-05 06:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2013-02-13 11:08 - 2013-01-05 06:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2013-02-13 11:07 - 2013-01-04 06:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
    2013-02-13 11:07 - 2013-01-04 05:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
    2013-02-13 11:07 - 2013-01-04 04:26 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-02-13 11:07 - 2013-01-04 03:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
    2013-02-13 11:07 - 2013-01-04 03:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
    2013-02-13 11:07 - 2013-01-04 03:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
    2013-02-13 11:07 - 2013-01-04 03:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
    2013-02-13 11:06 - 2013-01-03 07:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2013-02-13 11:06 - 2013-01-03 07:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
    2013-02-13 10:57 - 2013-02-13 10:57 - 00000000 ____D C:\Users\Jon\AppData\Local\FLT
    2013-02-13 10:47 - 2013-02-14 09:05 - 00009216 __ASH C:\Users\Jon\Desktop\Thumbs.db
    2013-02-13 10:38 - 2013-02-13 16:57 - 01333634 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2013-02-13 08:28 - 2013-02-13 08:28 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
    2013-02-13 08:28 - 2013-02-13 08:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2013-02-13 08:28 - 2013-02-13 08:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2013-02-13 08:28 - 2013-02-13 08:28 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
    2013-02-13 08:28 - 2013-02-13 08:28 - 00000000 ____D C:\Program Files (x86)\Java
    2013-02-11 16:42 - 2013-02-11 16:42 - 00000000 ____D C:\Users\Jon\AppData\Roaming\HackSlashLoot
    2013-02-10 22:45 - 2013-02-10 23:01 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Might & Magic Heroes VI
    2013-02-10 22:45 - 2013-02-10 23:01 - 00000000 ____D C:\Users\Jon\AppData\Local\Ubisoft Game Launcher
    2013-02-10 22:45 - 2013-02-10 22:51 - 00000000 ____D C:\Users\Jon\Documents\Might & Magic Heroes VI
    2013-02-10 22:36 - 2013-02-10 22:36 - 00000000 ____D C:\Program Files (x86)\Ubisoft
    2013-02-10 17:36 - 2013-02-10 17:36 - 00000000 ____D C:\Users\Jon\Desktop\Ny mappe
    2013-02-10 08:12 - 2013-02-10 08:12 - 00001545 ____A C:\Users\Jon\Desktop\dont rain on my parade.txt
    2013-02-09 07:13 - 2013-02-09 07:13 - 00001098 ____A C:\Users\Jon\Desktop\Heroes3 - Snarvei.lnk
    2013-02-09 04:09 - 2013-02-09 04:39 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Omerta
    2013-02-07 11:00 - 2013-02-07 11:00 - 00000000 ____D C:\Users\Jon\AppData\Local\Funcom
    2013-02-05 10:46 - 2013-02-05 10:46 - 00000000 ____D C:\Users\Jon\AppData\Local\PunkBuster
    2013-02-05 10:46 - 2013-02-05 10:46 - 00000000 ____D C:\ProgramData\Orbit
    2013-02-05 10:21 - 2013-02-14 09:08 - 00000000 ____D C:\Program Files (x86)\WinRAR
    2013-02-04 15:13 - 2013-02-04 15:13 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Windows Live Writer
    2013-02-04 15:13 - 2013-02-04 15:13 - 00000000 ____D C:\Users\Jon\AppData\Local\Windows Live Writer
    2013-02-04 02:21 - 2013-02-04 02:21 - 00000000 ____D C:\ProgramData\TERA
    2013-02-03 04:53 - 2013-02-03 04:53 - 00000000 ____D C:\Users\Jon\AppData\Local\SCE
    2013-02-03 01:48 - 2013-02-03 01:48 - 00000000 ____D C:\ProgramData\ATI
    2013-02-03 01:48 - 2013-02-03 01:48 - 00000000 ____D C:\Program Files (x86)\AMD AVT
    2013-02-03 01:48 - 2013-02-03 01:48 - 00000000 ____D C:\Program Files (x86)\AMD APP
    2013-02-03 01:41 - 2013-02-03 01:43 - 153548912 ____A (Advanced Micro Devices, Inc.) C:\Users\Jon\Downloads\13-1_vista_win7_win8_64_dd_ccc_whql.exe
    2013-01-30 04:42 - 2013-01-30 04:42 - 00000000 ____D C:\ProgramData\Steam
    2013-01-29 03:25 - 2013-01-29 03:26 - 00000000 ____D C:\xenomorph
    2013-01-28 18:16 - 2013-02-18 08:19 - 00000000 ____D C:\Users\Jon\AppData\Roaming\DC++
    2013-01-28 18:16 - 2013-02-18 08:19 - 00000000 ____D C:\Users\Jon\AppData\Local\DC++
    2013-01-28 18:15 - 2013-01-28 18:16 - 00000000 ____D C:\Program Files (x86)\DC++
    2013-01-28 15:41 - 2013-01-28 15:41 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Nero
    2013-01-28 15:31 - 2013-01-30 06:15 - 00000000 ____D C:\users\NeroMediaHomeUser.4
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000020 ___SH C:\Users\NeroMediaHomeUser.4\ntuser.ini
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Start-meny
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Skrivere
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Mine dokumenter
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Maler
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Lokale innstillinger
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Documents\Mine bilder
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Documents\Min musikk
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Documents\Intern video
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\AppData\Local\Logg
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\AndrMask
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Local\Nero
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Nero
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 ____D C:\Users\Jon\AppData\Local\Nero
    2013-01-28 15:29 - 2013-01-28 15:31 - 00000000 ____D C:\ProgramData\Nero
    2013-01-28 15:29 - 2013-01-28 15:30 - 00000000 ____D C:\Program Files (x86)\Nero
    2013-01-28 15:29 - 2013-01-28 15:29 - 00002383 ____A C:\Users\Public\Desktop\Nero MediaHome 4.lnk
    2013-01-28 15:21 - 2013-01-28 15:22 - 85139100 ____A C:\Users\Jon\Downloads\NMH-4.5.20.45_LGE.zip
    2013-01-27 23:46 - 2013-01-28 00:02 - 00000000 ____D C:\Users\Jon\Documents\Euro Truck Simulator 2
    2013-01-27 02:39 - 2013-01-27 02:39 - 00000000 ____D C:\Windows\1C4551A64743409391E41477CD655043.TMP
    2013-01-27 01:51 - 2013-01-27 01:58 - 00000000 ____D C:\Users\Jon\Documents\SEGA Mega Drive Classics
    2013-01-26 21:41 - 2013-01-26 21:40 - 01081760 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2013-01-26 21:41 - 2013-01-26 21:40 - 00960416 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
    2013-01-26 21:41 - 2013-01-26 21:40 - 00308640 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
    2013-01-26 21:41 - 2013-01-26 21:40 - 00188832 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
    2013-01-26 21:41 - 2013-01-26 21:40 - 00188832 ____A (Oracle Corporation) C:\Windows\System32\java.exe
    2013-01-26 21:41 - 2013-01-26 21:40 - 00108448 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
    2013-01-26 21:40 - 2013-01-26 21:40 - 00000000 ____D C:\Program Files\Java
    2013-01-26 21:30 - 2013-02-13 17:00 - 00000000 ____D C:\Users\Jon\AppData\Roaming\.minecraft
    2013-01-26 21:30 - 2013-01-26 21:30 - 00263186 ____A C:\Users\Jon\Desktop\Minecraft.exe
    2013-01-26 21:00 - 2013-01-26 21:04 - 00000000 ____D C:\Users\Jon\AppData\Roaming\NationRed
    2013-01-26 20:42 - 2013-01-26 20:42 - 00000000 ____D C:\ProgramData\Remedy
    2013-01-20 15:59 - 2013-01-20 15:59 - 00230320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2013-01-19 17:43 - 2013-01-19 17:43 - 00000000 ____D C:\Windows\SysWOW64\xlive
    2013-01-19 17:43 - 2013-01-19 17:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Games for Windows - LIVE
    2013-01-19 17:43 - 2008-07-12 08:18 - 04992520 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_39.dll
    2013-01-19 17:43 - 2008-07-12 08:18 - 03851784 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_39.dll
    2013-01-19 17:43 - 2008-07-12 08:18 - 01942552 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_39.dll
    2013-01-19 17:43 - 2008-07-12 08:18 - 01493528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_39.dll
    2013-01-19 17:43 - 2008-07-12 08:18 - 00540688 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_39.dll
    2013-01-19 17:43 - 2008-07-12 08:18 - 00467984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_39.dll
    2013-01-19 05:31 - 2013-01-19 05:31 - 00000000 ____D C:\Users\Jon\Documents\Gaslamp Games
    2013-01-19 03:06 - 2013-01-19 03:06 - 00000000 ____D C:\Users\Jon\AppData\Local\2K Games
    2013-01-19 03:06 - 2013-01-19 03:06 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
    2013-01-19 01:07 - 2013-01-19 01:07 - 00013057 ____A C:\Users\Jon\Desktop\Lyd - Snarvei.lnk

    ==================== One Month Modified Files and Folders =======

    2013-02-18 21:40 - 2013-02-18 21:40 - 00000000 ____D C:\FRST
    2013-02-18 21:00 - 2012-12-23 05:30 - 00000000 ____D C:\users\Jon
    2013-02-18 21:00 - 2012-12-23 05:29 - 01848220 ____A C:\Windows\WindowsUpdate.log
    2013-02-18 20:56 - 2009-07-14 10:16 - 00492494 ____A C:\Windows\System32\perfh014.dat
    2013-02-18 20:56 - 2009-07-14 10:16 - 00094284 ____A C:\Windows\System32\perfc014.dat
    2013-02-18 20:56 - 2009-07-14 06:13 - 01355478 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-02-18 20:53 - 2013-02-18 20:53 - 00000781 ____A C:\Windows\setupact.log
    2013-02-18 20:53 - 2013-02-18 20:53 - 00000000 ____A C:\Windows\setuperr.log
    2013-02-18 20:35 - 2012-12-23 06:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-02-18 20:15 - 2013-02-18 20:15 - 00001568 ____A C:\Users\Jon\Desktop\RKreport[5]_SC_02182013_02d2015.txt
    2013-02-18 20:13 - 2013-02-18 20:13 - 00002666 ____A C:\Users\Jon\Desktop\RKreport[4]_D_02182013_02d2013.txt
    2013-02-18 20:12 - 2013-02-18 11:14 - 00000000 ____D C:\Users\Jon\Desktop\RK_Quarantine
    2013-02-18 20:10 - 2013-02-18 20:10 - 00002625 ____A C:\Users\Jon\Desktop\RKreport[3]_S_02182013_02d2010.txt
    2013-02-18 20:08 - 2012-12-23 07:49 - 00000000 ____D C:\Program Files (x86)\MSI Afterburner
    2013-02-18 20:07 - 2013-02-18 20:07 - 00798208 ____A C:\Users\Jon\Desktop\RogueKiller (1).exe
    2013-02-18 19:59 - 2013-02-18 19:59 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Jon\Desktop\tdsskiller (1).exe
    2013-02-18 11:21 - 2009-07-14 05:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-02-18 11:21 - 2009-07-14 05:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-02-18 11:18 - 2013-02-18 11:18 - 00002792 ____A C:\Users\Jon\Desktop\RKreport[2]_D_02182013_02d1118.txt
    2013-02-18 11:15 - 2013-02-18 11:15 - 00002737 ____A C:\Users\Jon\Desktop\RKreport[1]_S_02182013_02d1115.txt
    2013-02-18 11:13 - 2013-02-18 11:13 - 00798208 ____A C:\Users\Jon\Downloads\RogueKiller.exe
    2013-02-18 11:02 - 2012-12-23 08:03 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Winamp
    2013-02-18 09:17 - 2013-02-18 07:25 - 00000000 ____D C:\Program Files (x86)\Trojan SVCHOSTRemoval Tool
    2013-02-18 08:52 - 2012-12-26 16:59 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Skype
    2013-02-18 08:48 - 2012-12-23 08:01 - 00000000 ____D C:\Users\Jon\AppData\Roaming\mIRC
    2013-02-18 08:19 - 2013-01-28 18:16 - 00000000 ____D C:\Users\Jon\AppData\Roaming\DC++
    2013-02-18 08:19 - 2013-01-28 18:16 - 00000000 ____D C:\Users\Jon\AppData\Local\DC++
    2013-02-18 07:29 - 2013-01-09 12:08 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Media Player Classic
    2013-02-18 07:29 - 2013-01-08 18:11 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Azureus
    2013-02-18 07:29 - 2012-12-27 05:20 - 00000000 ____D C:\Users\Jon\Tracing
    2013-02-18 07:29 - 2012-12-23 07:32 - 00000000 ____D C:\Users\Jon\AppData\Roaming\DAEMON Tools Lite
    2013-02-18 07:29 - 2012-12-23 07:17 - 00000000 ____D C:\Users\Jon\AppData\Roaming\uTorrent
    2013-02-18 07:29 - 2012-12-23 05:22 - 00000000 ____D C:\Windows\Panther
    2013-02-18 07:26 - 2013-02-18 06:58 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2013-02-18 07:25 - 2013-02-18 07:25 - 00001365 ____A C:\Users\Jon\Desktop\Trojan SVCHOSTRemoval Tool.lnk
    2013-02-18 07:23 - 2013-02-18 07:23 - 02729904 ____A (Security Stronghold ) C:\Users\Jon\Downloads\TrojanSVCHOSTRemovalTool.exe
    2013-02-18 07:20 - 2013-02-18 07:20 - 00000000 ____D C:\Program Files\CCleaner
    2013-02-18 07:19 - 2013-02-18 07:19 - 04189792 ____A (Piriform Ltd) C:\Users\Jon\Downloads\ccsetup327.exe
    2013-02-18 07:13 - 2013-02-18 07:13 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Jon\Downloads\tdsskiller.exe
    2013-02-18 07:04 - 2013-02-18 07:03 - 19139088 ____A (Microsoft Corporation) C:\Users\Jon\Downloads\Windows-KB890830-x64-V4.17.exe
    2013-02-18 06:58 - 2013-02-18 06:58 - 00002173 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2013-02-18 06:58 - 2013-02-18 06:58 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-02-18 06:57 - 2013-02-18 06:57 - 55454464 ____A (Safer-Networking Ltd. ) C:\Users\Jon\Downloads\SpybotSD2.exe
    2013-02-18 06:45 - 2013-02-16 06:48 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Spotify
    2013-02-18 06:45 - 2013-01-16 13:15 - 00000982 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-02-18 06:45 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-02-18 06:01 - 2012-12-23 06:46 - 05455248 ____A C:\Windows\PE_File.dll
    2013-02-18 06:01 - 2012-12-23 06:45 - 05465008 ____A C:\Windows\PE_Rom.dll
    2013-02-18 05:59 - 2013-02-18 05:59 - 04331547 ____A C:\Users\Jon\Downloads\Rampage-IV-Extreme-ASUS-3404.zip
    2013-02-17 10:27 - 2013-02-17 10:26 - 49227190 ____A C:\Users\Jon\Downloads\DCPlusPlus-0.810.exe
    2013-02-16 06:49 - 2013-02-16 06:49 - 00001757 ____A C:\Users\Jon\Desktop\Spotify.lnk
    2013-02-16 06:49 - 2013-02-16 06:49 - 00000000 ____D C:\Users\Jon\AppData\Local\Spotify
    2013-02-16 06:48 - 2013-02-16 06:48 - 00090624 ____A (Spotify Ltd) C:\Users\Jon\Downloads\SpotifySetup.exe
    2013-02-14 19:33 - 2013-02-14 19:33 - 04873520 ____A C:\Users\Jon\Downloads\YTDSetup.exe
    2013-02-14 09:08 - 2013-02-05 10:21 - 00000000 ____D C:\Program Files (x86)\WinRAR
    2013-02-14 09:05 - 2013-02-13 10:47 - 00009216 __ASH C:\Users\Jon\Desktop\Thumbs.db
    2013-02-14 03:17 - 2013-01-16 13:15 - 00000986 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-02-14 03:16 - 2009-07-14 05:45 - 00277968 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-02-14 03:00 - 2012-12-23 06:10 - 00000000 ____D C:\Users\Jon\AppData\Local\Deployment
    2013-02-13 19:12 - 2013-02-13 19:12 - 00000000 ____D C:\Users\Jon\AppData\Local\DDMSettings
    2013-02-13 17:29 - 2013-01-08 02:38 - 00000000 ____D C:\Users\Jon\Documents\StarCraft II
    2013-02-13 17:00 - 2013-01-26 21:30 - 00000000 ____D C:\Users\Jon\AppData\Roaming\.minecraft
    2013-02-13 16:57 - 2013-02-13 10:38 - 01333634 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2013-02-13 16:33 - 2012-12-23 07:23 - 00000000 ____D C:\Program Files (x86)\DivX
    2013-02-13 16:33 - 2012-12-23 07:20 - 00000000 ____D C:\ProgramData\DivX
    2013-02-13 16:32 - 2012-12-23 07:24 - 00000000 ____D C:\Program Files\DivX
    2013-02-13 11:13 - 2013-02-13 11:13 - 00001912 ____A C:\Windows\epplauncher.mif
    2013-02-13 11:13 - 2012-12-23 06:34 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2013-02-13 11:13 - 2012-12-23 06:34 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2013-02-13 10:57 - 2013-02-13 10:57 - 00000000 ____D C:\Users\Jon\AppData\Local\FLT
    2013-02-13 10:57 - 2012-12-23 10:03 - 00000000 ____D C:\Users\Jon\Documents\my games
    2013-02-13 10:48 - 2009-07-14 04:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
    2013-02-13 08:28 - 2013-02-13 08:28 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
    2013-02-13 08:28 - 2013-02-13 08:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2013-02-13 08:28 - 2013-02-13 08:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2013-02-13 08:28 - 2013-02-13 08:28 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
    2013-02-13 08:28 - 2013-02-13 08:28 - 00000000 ____D C:\Program Files (x86)\Java
    2013-02-13 08:28 - 2012-12-23 07:56 - 00861088 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
    2013-02-13 08:28 - 2012-12-23 07:56 - 00782240 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
    2013-02-11 16:42 - 2013-02-11 16:42 - 00000000 ____D C:\Users\Jon\AppData\Roaming\HackSlashLoot
    2013-02-11 11:11 - 2012-12-23 06:05 - 00000000 ____D C:\ProgramData\Adobe
    2013-02-11 11:10 - 2012-12-23 06:06 - 00697712 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-02-11 11:10 - 2012-12-23 06:06 - 00074096 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-02-10 23:01 - 2013-02-10 22:45 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Might & Magic Heroes VI
    2013-02-10 23:01 - 2013-02-10 22:45 - 00000000 ____D C:\Users\Jon\AppData\Local\Ubisoft Game Launcher
    2013-02-10 22:51 - 2013-02-10 22:45 - 00000000 ____D C:\Users\Jon\Documents\Might & Magic Heroes VI
    2013-02-10 22:36 - 2013-02-10 22:36 - 00000000 ____D C:\Program Files (x86)\Ubisoft
    2013-02-10 22:36 - 2012-12-23 06:26 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
    2013-02-10 17:36 - 2013-02-10 17:36 - 00000000 ____D C:\Users\Jon\Desktop\Ny mappe
    2013-02-10 08:12 - 2013-02-10 08:12 - 00001545 ____A C:\Users\Jon\Desktop\dont rain on my parade.txt
    2013-02-09 07:13 - 2013-02-09 07:13 - 00001098 ____A C:\Users\Jon\Desktop\Heroes3 - Snarvei.lnk
    2013-02-09 04:39 - 2013-02-09 04:09 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Omerta
    2013-02-07 11:00 - 2013-02-07 11:00 - 00000000 ____D C:\Users\Jon\AppData\Local\Funcom
    2013-02-06 06:09 - 2013-01-16 12:23 - 00000000 ____D C:\Users\Jon\Documents\EA Games
    2013-02-06 06:09 - 2013-01-16 12:20 - 00000000 ____D C:\Users\Jon\AppData\Local\EA Games
    2013-02-05 10:46 - 2013-02-05 10:46 - 00000000 ____D C:\Users\Jon\AppData\Local\PunkBuster
    2013-02-05 10:46 - 2013-02-05 10:46 - 00000000 ____D C:\ProgramData\Orbit
    2013-02-04 22:49 - 2012-12-26 17:06 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-02-04 15:13 - 2013-02-04 15:13 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Windows Live Writer
    2013-02-04 15:13 - 2013-02-04 15:13 - 00000000 ____D C:\Users\Jon\AppData\Local\Windows Live Writer
    2013-02-04 15:13 - 2012-12-26 16:09 - 00000000 ____D C:\Users\Jon\AppData\Local\Windows Live
    2013-02-04 13:21 - 2012-12-23 07:25 - 00000000 ____D C:\Users\Jon\AppData\Roaming\DivX
    2013-02-04 02:21 - 2013-02-04 02:21 - 00000000 ____D C:\ProgramData\TERA
    2013-02-03 04:53 - 2013-02-03 04:53 - 00000000 ____D C:\Users\Jon\AppData\Local\SCE
    2013-02-03 01:48 - 2013-02-03 01:48 - 00000000 ____D C:\ProgramData\ATI
    2013-02-03 01:48 - 2013-02-03 01:48 - 00000000 ____D C:\Program Files (x86)\AMD AVT
    2013-02-03 01:48 - 2013-02-03 01:48 - 00000000 ____D C:\Program Files (x86)\AMD APP
    2013-02-03 01:48 - 2012-12-23 06:06 - 00000000 ____D C:\ProgramData\AMD
    2013-02-03 01:47 - 2012-12-25 19:46 - 00000000 ____D C:\Program Files\ATI Technologies
    2013-02-03 01:43 - 2013-02-03 01:41 - 153548912 ____A (Advanced Micro Devices, Inc.) C:\Users\Jon\Downloads\13-1_vista_win7_win8_64_dd_ccc_whql.exe
    2013-01-30 11:53 - 2012-12-23 06:46 - 00273840 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2013-01-30 06:15 - 2013-01-28 15:31 - 00000000 ____D C:\users\NeroMediaHomeUser.4
    2013-01-30 04:42 - 2013-01-30 04:42 - 00000000 ____D C:\ProgramData\Steam
    2013-01-29 07:15 - 2012-12-30 07:28 - 00419840 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
    2013-01-29 07:15 - 2012-12-30 07:28 - 00413696 ____A (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
    2013-01-29 07:15 - 2012-12-30 07:28 - 00133632 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
    2013-01-29 07:15 - 2012-12-30 07:28 - 00110592 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
    2013-01-29 03:26 - 2013-01-29 03:25 - 00000000 ____D C:\xenomorph
    2013-01-28 18:16 - 2013-01-28 18:15 - 00000000 ____D C:\Program Files (x86)\DC++
    2013-01-28 18:16 - 2012-12-23 05:30 - 00000000 ____D C:\Users\Jon\AppData\Local\VirtualStore
    2013-01-28 15:41 - 2013-01-28 15:41 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Nero
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000020 ___SH C:\Users\NeroMediaHomeUser.4\ntuser.ini
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Start-meny
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Skrivere
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Mine dokumenter
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Maler
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Lokale innstillinger
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Documents\Mine bilder
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Documents\Min musikk
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\Documents\Intern video
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\AppData\Local\Logg
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 __SHD C:\Users\NeroMediaHomeUser.4\AndrMask
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Local\Nero
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 ____D C:\Users\Jon\AppData\Roaming\Nero
    2013-01-28 15:31 - 2013-01-28 15:31 - 00000000 ____D C:\Users\Jon\AppData\Local\Nero
    2013-01-28 15:31 - 2013-01-28 15:29 - 00000000 ____D C:\ProgramData\Nero
    2013-01-28 15:30 - 2013-01-28 15:29 - 00000000 ____D C:\Program Files (x86)\Nero
    2013-01-28 15:29 - 2013-01-28 15:29 - 00002383 ____A C:\Users\Public\Desktop\Nero MediaHome 4.lnk
    2013-01-28 15:22 - 2013-01-28 15:21 - 85139100 ____A C:\Users\Jon\Downloads\NMH-4.5.20.45_LGE.zip
    2013-01-28 14:49 - 2012-12-23 05:57 - 00000028 ____A C:\Users\Jon\Desktop\hgp.txt
    2013-01-28 00:02 - 2013-01-27 23:46 - 00000000 ____D C:\Users\Jon\Documents\Euro Truck Simulator 2
    2013-01-27 07:01 - 2012-12-26 16:59 - 00000000 ___RD C:\Program Files (x86)\Skype
    2013-01-27 07:01 - 2012-12-26 16:55 - 00000000 ____D C:\ProgramData\Skype
    2013-01-27 07:01 - 2012-12-26 16:55 - 00000000 ____D C:\Program Files (x86)\Windows Live
    2013-01-27 02:39 - 2013-01-27 02:39 - 00000000 ____D C:\Windows\1C4551A64743409391E41477CD655043.TMP
    2013-01-27 01:58 - 2013-01-27 01:51 - 00000000 ____D C:\Users\Jon\Documents\SEGA Mega Drive Classics
    2013-01-26 21:40 - 2013-01-26 21:41 - 01081760 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2013-01-26 21:40 - 2013-01-26 21:41 - 00960416 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
    2013-01-26 21:40 - 2013-01-26 21:41 - 00308640 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
    2013-01-26 21:40 - 2013-01-26 21:41 - 00188832 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
    2013-01-26 21:40 - 2013-01-26 21:41 - 00188832 ____A (Oracle Corporation) C:\Windows\System32\java.exe
    2013-01-26 21:40 - 2013-01-26 21:41 - 00108448 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
    2013-01-26 21:40 - 2013-01-26 21:40 - 00000000 ____D C:\Program Files\Java
    2013-01-26 21:30 - 2013-01-26 21:30 - 00263186 ____A C:\Users\Jon\Desktop\Minecraft.exe
    2013-01-26 21:04 - 2013-01-26 21:00 - 00000000 ____D C:\Users\Jon\AppData\Roaming\NationRed
    2013-01-26 20:42 - 2013-01-26 20:42 - 00000000 ____D C:\ProgramData\Remedy
    2013-01-20 18:35 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\LiveKernelReports
    2013-01-20 15:59 - 2013-01-20 15:59 - 00230320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2013-01-20 15:59 - 2012-08-30 22:03 - 00130008 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
    2013-01-19 17:43 - 2013-01-19 17:43 - 00000000 ____D C:\Windows\SysWOW64\xlive
    2013-01-19 17:43 - 2013-01-19 17:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Games for Windows - LIVE
    2013-01-19 05:31 - 2013-01-19 05:31 - 00000000 ____D C:\Users\Jon\Documents\Gaslamp Games
    2013-01-19 03:06 - 2013-01-19 03:06 - 00000000 ____D C:\Users\Jon\AppData\Local\2K Games
    2013-01-19 03:06 - 2013-01-19 03:06 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
    2013-01-19 01:07 - 2013-01-19 01:07 - 00013057 ____A C:\Users\Jon\Desktop\Lyd - Snarvei.lnk

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-02-13 16:52:28
    Restore point made on: 2013-02-17 01:48:40

    ==================== Memory info ===========================

    Percentage of memory in use: 7%
    Total physical RAM: 16324.66 MB
    Available physical RAM: 15112.61 MB
    Total Pagefile: 16322.81 MB
    Available Pagefile: 15107.84 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:931.41 GB) (Free:868.53 GB) NTFS
    2 Drive d: (Usortert) (Fixed) (Total:1397.26 GB) (Free:295.38 GB) NTFS
    3 Drive e: (Spel) (Fixed) (Total:931.51 GB) (Free:642.02 GB) NTFS
    4 Drive f: (Nedlasta) (Fixed) (Total:1863.01 GB) (Free:1552.56 GB) NTFS
    5 Drive g: (Steam Platform) (Fixed) (Total:1863.01 GB) (Free:419.03 GB) NTFS
    6 Drive I: (GRMCULXFRER_NO_DVD) (CDROM) (Total:2.9 GB) (Free:0 GB) UDF
    7 Drive j: (KINGSTON) (Removable) (Total:7.23 GB) (Free:7.23 GB) FAT32
    8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    9 Drive y: (Reservert av systemet) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disknr. Status Str. Ledig Dyn GPT
    -------- ------------- ------- ------- --- ---
    Disk 0 Tilkoblet 931 G byte 0 byte
    Disk 1 Tilkoblet 1397 G byte 0 byte
    Disk 2 Tilkoblet 931 G byte 0 byte
    Disk 3 Tilkoblet 1863 G byte 0 byte
    Disk 4 Tilkoblet 1863 G byte 0 byte
    Disk 5 Tilkoblet 7424 M byte 0 byte


    Partitions of Disk 0:
    ===============

    Disk-ID: CB25002E

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 100 M 1024 K byte
    Partisjon 2 Primær 931 G 101 M byte

    ==================================================================================

    Disk: 0
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Ja
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 1 Y Reservert a NTFS Partisjon 100 M OK

    =========================================================

    Disk: 0
    Partisjon 2
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 105906176

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 2 C NTFS Partisjon 931 G OK

    =========================================================

    Partitions of Disk 1:
    ===============

    Disk-ID: 35878E53

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 1397 G 1024 K byte

    ==================================================================================

    Disk: 1
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 3 D Usortert NTFS Partisjon 1397 G OK

    =========================================================

    Partitions of Disk 2:
    ===============

    Disk-ID: FF6A79A0

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 931 G 1024 K byte

    ==================================================================================

    Disk: 2
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 4 E Spel NTFS Partisjon 931 G OK

    =========================================================

    Partitions of Disk 3:
    ===============

    Disk-ID: BF7BA5D6

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 1863 G 1024 K byte

    ==================================================================================

    Disk: 3
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 5 F Nedlasta NTFS Partisjon 1863 G OK

    =========================================================

    Partitions of Disk 4:
    ===============

    Disk-ID: BF7BA5D7

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 1863 G 1024 K byte

    ==================================================================================

    Disk: 4
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 6 G Steam Platf NTFS Partisjon 1863 G OK

    =========================================================

    Partitions of Disk 5:
    ===============

    Disk-ID: 04030201

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 7422 M 1580 K byte

    ==================================================================================

    Disk: 5
    Partisjon 1
    Type : 0B
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1617920

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 7 J KINGSTON FAT32 Flyttbar 7422 M OK

    =========================================================

    Last Boot: 2013-02-13 02:48

    ==================== End Of Log =============================
  15. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    Farbar Recovery Scan Tool (x64) Version: 17-02-2013 01
    Ran by SYSTEM at 2013-02-18 21:43:01
    Running from J:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Check Partitions

    Please download Listparts64
    Run the tool,
    check the "list BCD" box
    click "Scan" and post the log (Result.txt) it makes.
  17. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    ListParts by Farbar Version: 16-01-2013
    Ran by Jon (administrator) on 19-02-2013 at 20:05:18
    Windows 7 (X64)
    Running From: C:\Users\Jon\Downloads
    Language: 0414
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 51%
    Total physical RAM: 16324.66 MB
    Available physical RAM: 7929.87 MB
    Total Pagefile: 32647.51 MB
    Available Pagefile: 22625.45 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:931.41 GB) (Free:866.96 GB) NTFS
    2 Drive d: (Usortert) (Fixed) (Total:1397.26 GB) (Free:295.38 GB) NTFS
    3 Drive e: (Steam Platform) (Fixed) (Total:1863.01 GB) (Free:419.03 GB) NTFS
    4 Drive f: (Spel) (Fixed) (Total:931.51 GB) (Free:640.83 GB) NTFS
    5 Drive g: (Nedlasta) (Fixed) (Total:1863.01 GB) (Free:1546.46 GB) NTFS

    Disknr. Status Str. Ledig Dyn GPT
    -------- ------------- ------- ------- --- ---
    Disk 0 Tilkoblet 931 G byte 0 byte
    Disk 1 Tilkoblet 1863 G byte 0 byte
    Disk 2 Tilkoblet 931 G byte 0 byte
    Disk 3 Tilkoblet 1863 G byte 0 byte
    Disk 4 Tilkoblet 1397 G byte 0 byte


    Partitions of Disk 0:
    ===============

    Disk-ID: CB25002E

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 100 M 1024 K byte
    Partisjon 2 Primær 931 G 101 M byte

    ======================================================================================================

    Disk: 0
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Ja
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 2 Reservert a NTFS Partisjon 100 M OK System

    ======================================================================================================

    Disk: 0
    Partisjon 2
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 105906176

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 3 C NTFS Partisjon 931 G OK Oppstart

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Disk-ID: BF7BA5D6

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 1863 G 1024 K byte

    ======================================================================================================

    Disk: 1
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 4 G Nedlasta NTFS Partisjon 1863 G OK

    ======================================================================================================

    Partitions of Disk 2:
    ===============

    Disk-ID: FF6A79A0

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 931 G 1024 K byte

    ======================================================================================================

    Disk: 2
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 5 F Spel NTFS Partisjon 931 G OK

    ======================================================================================================

    Partitions of Disk 3:
    ===============

    Disk-ID: BF7BA5D7

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 1863 G 1024 K byte

    ======================================================================================================

    Disk: 3
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 6 E Steam Platf NTFS Partisjon 1863 G OK

    ======================================================================================================

    Partitions of Disk 4:
    ===============

    Disk-ID: 35878E53

    Partisjonsnr. Type Str. Forskyvning
    ------------- ---------------- ------- -----------
    Partisjon 1 Primær 1397 G 1024 K byte

    ======================================================================================================

    Disk: 4
    Partisjon 1
    Type : 07
    Skjult: Nei
    Aktiv : Nei
    Forskyvning I byte: 1048576

    Volumnr. Bks Etikett Fs Type Str. Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volum 7 D Usortert NTFS Partisjon 1397 G OK

    ======================================================================================================

    Windows oppstartsbehandling
    ---------------------------
    identifikator {bootmgr}
    device partition=\Device\HarddiskVolume1
    description Windows Boot Manager
    locale nb-NO
    inherit {globalsettings}
    default {current}
    resumeobject {5fd4dc17-4cb8-11e2-9667-abd379d820e7}
    displayorder {current}
    toolsdisplayorder {memdiag}
    timeout 30

    Windows oppstartslasting
    ------------------------
    identifikator {current}
    device partition=C:
    path \Windows\system32\winload.exe
    description Windows 7
    locale nb-NO
    inherit {bootloadersettings}
    recoverysequence {5fd4dc19-4cb8-11e2-9667-abd379d820e7}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {5fd4dc17-4cb8-11e2-9667-abd379d820e7}
    nx OptIn

    Windows oppstartslasting
    ------------------------
    identifikator {5fd4dc19-4cb8-11e2-9667-abd379d820e7}
    device ramdisk=[C:]\Recovery\5fd4dc19-4cb8-11e2-9667-abd379d820e7\Winre.wim,{5fd4dc1a-4cb8-11e2-9667-abd379d820e7}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {bootloadersettings}
    osdevice ramdisk=[C:]\Recovery\5fd4dc19-4cb8-11e2-9667-abd379d820e7\Winre.wim,{5fd4dc1a-4cb8-11e2-9667-abd379d820e7}
    systemroot \windows
    nx OptIn
    winpe Yes

    Gjenoppta etter dvalemodus
    --------------------------
    identifikator {5fd4dc17-4cb8-11e2-9667-abd379d820e7}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale nb-NO
    inherit {resumeloadersettings}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows minnetester
    -------------------
    identifikator {memdiag}
    device partition=\Device\HarddiskVolume1
    path \boot\memtest.exe
    description Windows Minnediagnose
    locale nb-NO
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS-innstillinger
    -----------------
    identifikator {emssettings}
    bootems Yes

    Feilsøkingsinnstillinger
    ------------------------
    identifikator {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM-defekter
    ------------
    identifikator {badmemory}

    Globale innstillinger
    ---------------------
    identifikator {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Innstillinger for oppstartslasting
    ----------------------------------
    identifikator {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor-innstillinger
    ------------------------
    identifikator {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Innstillinger for gjenopptakelse
    --------------------------------
    identifikator {resumeloadersettings}
    inherit {globalsettings}

    Enhetsalternativer
    ------------------
    identifikator {5fd4dc1a-4cb8-11e2-9667-abd379d820e7}
    description Ramdisk Options
    ramdisksdidevice partition=C:
    ramdisksdipath \Recovery\5fd4dc19-4cb8-11e2-9667-abd379d820e7\boot.sdi


    ****** End Of Log ******
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death

    Note: Absence of issues does not mean that you're protected in the future.
  19. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    I don't think there is anything. I've restarted a couple of times and Malwarebytes doesn't find anything anymore. But I ran a program some days ago before I came here that found 3 dll files which looked suspicious, but I don't remember which program. I don't have it on my computer anymore.
  20. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    Although it is a bit slow from login until programs actually begin to start.
  21. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    I have Spybot 2 on here and it says I might have a rootkit infection. It says:

    Master Boot Records
    5 MBRs checked.
    unkown MBRs: Physical drive 2

    Should I fix the MBR on that drive? Or do an errorfix?
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    The MBR looked fine earlier when it was checked.

    Let's do the following, please:

    avast! aswMBR

    Please download aswMBR from here
    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Uncheck "Trace disk IO calls".
    • Click the Scan button to start the scan
    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.
    • Once the scan finishes click Save log to save the log to your Desktop
    • Copy and paste the contents of aswMBR.txt back here for review
    • Please also find MBR.dat on your Desktop, and rename it to MBRscan.txt. Upload that as well. Do not copy and paste MBR.dat/txt, it needs to be uploaded.


    OTL Quick Scan

    Please download OTL by OldTimer to your Desktop.
    • Close all windows and double click OTL.exe.
    • Click Quick Scan button and let the program run uninterrupted.
    • It will produce a log for you called OTL.txt, please post it in your next reply.
    • You may need to use two posts to get it all.
  23. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2013-02-21 15:18:06
    -----------------------------
    15:18:06.459 OS Version: Windows x64 6.1.7601 Service Pack 1
    15:18:06.459 Number of processors: 8 586 0x2D07
    15:18:06.459 ComputerName: JON-PC UserName: Jon
    15:18:08.329 Initialize success
    15:18:23.019 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    15:18:23.023 Disk 0 Vendor: WDC_WD10EADS-00L5B1 01.01A01 Size: 953869MB BusType: 11
    15:18:23.027 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
    15:18:23.030 Disk 1 Vendor: WDC_WD20EARX-00PASB0 51.0AB51 Size: 1907729MB BusType: 11
    15:18:23.034 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP7T0L0-7
    15:18:23.038 Disk 2 Vendor: ST31000528AS CC35 Size: 953869MB BusType: 11
    15:18:23.043 Disk 3 \Device\Harddisk3\DR3 -> \Device\Ide\IdeDeviceP4T0L0-4
    15:18:23.048 Disk 3 Vendor: WDC_WD15EARX-00PASB0 51.0AB51 Size: 1430799MB BusType: 11
    15:18:23.051 Disk 4 \Device\Harddisk4\DR4 -> \Device\Ide\IdeDeviceP5T0L0-5
    15:18:23.054 Disk 4 Vendor: WDC_WD20EARX-00PASB0 51.0AB51 Size: 1907729MB BusType: 11
    15:18:23.069 Disk 0 MBR read successfully
    15:18:23.073 Disk 0 MBR scan
    15:18:23.077 Disk 0 Windows 7 default MBR code
    15:18:23.081 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    15:18:23.098 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
    15:18:23.107 Disk 0 scanning C:\Windows\system32\drivers
    15:18:29.520 Service scanning
    15:18:42.290 Modules scanning
    15:18:42.301 Scan finished successfully
    15:19:07.491 Disk 0 MBR has been saved successfully to "C:\Users\Jon\Desktop\MBR.dat"
    15:19:07.521 The log file has been saved successfully to "C:\Users\Jon\Desktop\aswMBR.txt"
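The helper asks for MBR.dat (the raw first sector of Disk 0) so the partition table and boot code can be reviewed by hand rather than trusting the scanner's verdict. The script below is an added example, not part of aswMBR or this thread: it parses a 512-byte MBR, reports the disk signature and partition entries, and runs the sanity checks a reviewer applies (boot signature present, exactly one active partition, no overlapping entries, nothing extending past the disk). Because the real MBR.dat is not on the page, the sample sector is constructed to mirror what aswMBR reported for Disk 0 (active 100 MB NTFS partition at LBA 2048, 953767 MB NTFS partition at LBA 206848, disk ID CB25002E from the ListParts log); its bootstrap code area is zero-filled, and the `bootcode_fingerprint` hash is meant to be compared with a baseline you take from a known-clean machine.

```python
import hashlib
import struct

SECTOR_BYTES = 512
DISK_SIG_OFFSET = 440      # 4-byte NT disk signature
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
ENTRY_SIZE = 16
BOOT_SIG = b"\x55\xAA"     # bytes 510..511


def build_sample_mbr() -> bytes:
    """Constructed sector mirroring the Disk 0 layout from the aswMBR log (sample only)."""
    buf = bytearray(SECTOR_BYTES)
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, 0xCB25002E)  # Disk-ID seen in ListParts
    entries = [
        # (status, type, first LBA, sector count); 100 MB and 953767 MB at 512 B/sector
        (0x80, 0x07, 2048, 100 * 2048),
        (0x00, 0x07, 206848, 953767 * 2048),
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        # CHS start/end are filled with the LBA placeholder 0xFE 0xFF 0xFF
        struct.pack_into("<B3sB3sII", buf, off,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    buf[510:512] = BOOT_SIG
    return bytes(buf)


def parse_mbr(mbr: bytes):
    """Return the populated partition entries of a 512-byte MBR as dicts."""
    if len(mbr) < SECTOR_BYTES:
        raise ValueError("MBR must be at least 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR_BYTES // (1024 * 1024),
        })
    return parts


def disk_signature(mbr: bytes) -> str:
    """NT disk signature as the hex string ListParts prints under 'Disk-ID'."""
    return "%08X" % struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0]


def bootcode_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code area; compare against a known-clean baseline."""
    return hashlib.sha256(mbr[:DISK_SIG_OFFSET]).hexdigest()


def check_layout(parts, total_sectors=None):
    """Sanity checks a reviewer applies to the partition table; returns findings."""
    findings = []
    active = [p["index"] for p in parts if p["bootable"]]
    if len(active) == 0:
        findings.append("no active partition")
    elif len(active) > 1:
        findings.append("multiple active partitions: %s" % active)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
        if total_sectors and p["lba_start"] + p["sectors"] > total_sectors:
            findings.append("partition %d extends past end of disk" % p["index"])
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    return findings


if __name__ == "__main__":
    sample = build_sample_mbr()
    print("Disk-ID:", disk_signature(sample), "bootcode:", bootcode_fingerprint(sample)[:16])
    for p in parse_mbr(sample):
        print("Partition %d %s type %02X %d MB offset %d" %
              (p["index"], "active" if p["bootable"] else "      ", p["type"], p["size_mb"], p["lba_start"]))
    print("findings:", check_layout(parse_mbr(sample), total_sectors=953869 * 2048))
```

To use it on a real sector, read the 512 bytes of MBR.dat in binary mode and pass them to `parse_mbr`; the printed entries should line up with the `Disk 0 Partition N` lines of the aswMBR log, and `check_layout` should come back empty.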
  24. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    Here is the OTL txt. It was too large, +50000 letters.

    Attached file: OTL.Txt (108.7 KB)
  25. m0nk3n

    m0nk3n Newcomer, in training Topic Starter Posts: 23

    The MBRscan.txt won't upload since it's a .dat file; I don't know how to upload that.