TechSpot

Win64/sirefef Virus (again)

Inactive
By CheeseJam
Jul 10, 2013
  1. Hi, about a year ago I had the sirefef trojan and got help here (http://www.techspot.com/community/topics/win64-sirefef-virus-help.182401/?mobile=false)

    Everything was fixed, but it appears to have come back or I got a new one. Anyway...

    I left my computer, came back, and it was shut down. Upon reboot, it hangs at "Starting Windows". I can start it in safe mode. It has booted normally a few times but it is not repeatable. When it did boot normally, network, sound, and other basic functions were not working. Additionally, MSE was gone, and the operating system looked like Windows 97. I managed to reinstall MSE and it detected these trojans:

    Trojan:Win64/Sirefef.AA, Trojan:Win32/Sirefef.AN, Trojan:Win32/Sirefef!cfg

    MSE said it removed them but problems persisted. I have tried a few things (including a full Malwarebytes scan that found nothing and startup repair 4 times) as documented here (http://www.sevenforums.com/general-discussion/296806-windows-hangs-startup.html). But I don't seem to be making progress, so I came here again! I have Windows 7 64-bit; how should I proceed?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    You've been to this forum before so you should know what the initial steps are.

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
    Safe Mode with Networking will be fine for now.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    Sorry, I did not remember having to do those initial steps.

    Malware log:
    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.04.04.07

    Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
    Internet Explorer 10.0.9200.16618
    Robert :: BERT [administrator]

    7/10/2013 4:08:58 PM
    mbam-log-2013-07-10 (16-08-58).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 228491
    Time elapsed: 4 minute(s), 31 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    DDS log:

    DDS (Ver_2012-11-20.01) - NTFS_AMD64 MINIMAL
    Internet Explorer: 10.0.9200.16611 BrowserJavaVersion: 10.17.2
    Run by Robert at 16:16:34 on 2013-07-10
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    mURLSearchHooks: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - <orphaned>
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    BHO: SimpleAdblock Class: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblock.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
    uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
    StartupFolder: C:\Users\Robert\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Robert\AppData\Roaming\Dropbox\bin\Dropbox.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{22ACD203-BE0F-4818-8DD3-7E5DCB557A02} : DHCPNameServer = 10.2.5.10 10.2.5.20
    TCP: Interfaces\{7CFAEB85-693D-40AC-9D42-95829805B5D2} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{7CFAEB85-693D-40AC-9D42-95829805B5D2}\4586560234F64747167656 : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{7CFAEB85-693D-40AC-9D42-95829805B5D2}\458656547676458627F67796E67624964736865637 : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{7CFAEB85-693D-40AC-9D42-95829805B5D2}\465636B6562737F57657563747 : DHCPNameServer = 10.2.5.10
    TCP: Interfaces\{7CFAEB85-693D-40AC-9D42-95829805B5D2}\833336032343 : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{7CFAEB85-693D-40AC-9D42-95829805B5D2}\E45445745414255323 : DHCPNameServer = 10.0.0.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-BHO: SimpleAdblock Class: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblockx64.dll
    x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    x64-DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ioyfqj5y.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3301943&CUI=UN28646771472334313&UM=2&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - google.com
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Robert\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll
    FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
    FF - plugin: C:\windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\windows\SysWOW64\npmproxy.dll
    FF - plugin: D:\Games\Trials Evolution\datapack\orbit\npuplaypc.dll
    FF - plugin: D:\Games\Trials Evolution\datapack\orbit\npuplaypchub.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.delta.tlbrSrchUrl -
    FF - user.js: extensions.delta.id - a0af95f4000000000000e0ca9492d46b
    FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
    FF - user.js: extensions.delta.instlDay - 15863
    FF - user.js: extensions.delta.vrsn - 1.8.21.5
    FF - user.js: extensions.delta.vrsni - 1.8.21.5
    FF - user.js: extensions.delta.vrsnTs - 1.8.21.515:54:48
    FF - user.js: extensions.delta.prtnrId - delta
    FF - user.js: extensions.delta.prdct - delta
    FF - user.js: extensions.delta.aflt - babsst
    FF - user.js: extensions.delta.smplGrp - none
    FF - user.js: extensions.delta.tlbrId - base
    FF - user.js: extensions.delta.instlRef - sst
    FF - user.js: extensions.delta.dfltLng - en
    FF - user.js: extensions.delta.excTlbr - false
    FF - user.js: extensions.delta.ffxUnstlRst - true
    FF - user.js: extensions.delta.admin - false
    FF - user.js: extensions.delta_i.babTrack - affID=122460
    FF - user.js: extensions.delta_i.babExt -
    FF - user.js: extensions.delta_i.srcExt - ss
    FF - user.js: extensions.delta.autoRvrt - false
    FF - user.js: extensions.delta.rvrt - false
    FF - user.js: extensions.delta.newTab - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    2013-07-10 20:08:25  19032  ------w-  C:\windows\System32\pwdrvio.sys
    2013-07-10 20:08:25  12384  ------w-  C:\windows\System32\pwdspio.sys
    2013-07-10 20:07:17  --------  d-----w-  C:\Program Files (x86)\MiniTool Partition Wizard Home Edition 8.0
    2013-07-10 03:21:29  25928  ----a-w-  C:\windows\System32\drivers\mbam.sys
    2013-07-10 00:24:17  --------  d-----w-  C:\windows\pss
    2013-07-09 22:33:40  9552976  ----a-w-  C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2419C9A5-BE89-4B5F-A13C-4D14712CDF89}\mpengine.dll
    2013-07-08 21:37:54  9552976  ----a-w-  C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2013-06-27 19:17:30  --------  d-----w-  C:\ProgramData\Package Cache
    2013-06-26 19:27:43  385024  ----a-w-  C:\windows\SYCLicense071115U.dll
    2013-06-26 19:27:43  233472  ----a-w-  C:\windows\SYCGUIU.dll
    2013-06-26 19:27:43  1232896  ----a-w-  C:\windows\SYCIOU.dll
    2013-06-26 19:27:43  1028096  ----a-w-  C:\windows\SYCGeoU.dll
    2013-06-21 16:08:38  964552  ------w-  C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{75B6A64A-6628-4590-B3E6-D454DB6A29D8}\gapaengine.dll
    2013-06-20 17:07:10  --------  d-----w-  C:\ProgramData\MentorGraphics
    2013-06-18 03:36:47  89088  ----a-w-  C:\windows\SysWow64\atl71.dll
    2013-06-18 03:36:46  69632  ----a-w-  C:\windows\SysWow64\mfcm80.dll
    2013-06-18 03:36:46  57856  ----a-w-  C:\windows\SysWow64\mfcm80u.dll
    2013-06-18 03:36:46  1101824  ----a-w-  C:\windows\SysWow64\mfc80.dll
    2013-06-18 03:36:46  1093120  ----a-w-  C:\windows\SysWow64\mfc80u.dll
    2013-06-18 03:36:46  1060864  ----a-w-  C:\windows\SysWow64\MFC71.dll
    2013-06-18 03:36:46  1047552  ----a-w-  C:\windows\SysWow64\MFC71u.dll
    2013-06-13 14:24:37  701952  ----a-w-  C:\Program Files\Internet Explorer\ieproxy.dll
    2013-06-12 13:55:18  751104  ----a-w-  C:\windows\System32\win32spl.dll
    .
    ==================== Find3M ====================
    .
    2013-06-09 22:59:36  90192  ----a-w-  C:\windows\System32\mfcm110u.dll
    2013-06-08 12:28:46  2706432  ----a-w-  C:\windows\System32\mshtml.tlb
    2013-06-08 11:13:19  2706432  ----a-w-  C:\windows\SysWow64\mshtml.tlb
    2013-05-21 03:42:51  0  ----a-w-  C:\windows\SysWow64\shoA8E4.tmp
    2013-05-17 01:25:57  1767936  ----a-w-  C:\windows\SysWow64\wininet.dll
    2013-05-17 01:25:27  2877440  ----a-w-  C:\windows\SysWow64\jscript9.dll
    2013-05-17 01:25:26  61440  ----a-w-  C:\windows\SysWow64\iesetup.dll
    2013-05-17 01:25:26  109056  ----a-w-  C:\windows\SysWow64\iesysprep.dll
    2013-05-17 00:59:03  2241024  ----a-w-  C:\windows\System32\wininet.dll
    2013-05-17 00:58:10  3958784  ----a-w-  C:\windows\System32\jscript9.dll
    2013-05-17 00:58:08  67072  ----a-w-  C:\windows\System32\iesetup.dll
    2013-05-17 00:58:08  136704  ----a-w-  C:\windows\System32\iesysprep.dll
    2013-05-14 12:23:25  89600  ----a-w-  C:\windows\System32\RegisterIEPKEYs.exe
    2013-05-14 08:40:13  71680  ----a-w-  C:\windows\SysWow64\RegisterIEPKEYs.exe
    2013-05-13 05:51:01  184320  ----a-w-  C:\windows\System32\cryptsvc.dll
    2013-05-13 05:51:00  1464320  ----a-w-  C:\windows\System32\crypt32.dll
    2013-05-13 05:51:00  139776  ----a-w-  C:\windows\System32\cryptnet.dll
    2013-05-13 05:50:40  52224  ----a-w-  C:\windows\System32\certenc.dll
    2013-05-13 04:45:55  140288  ----a-w-  C:\windows\SysWow64\cryptsvc.dll
    2013-05-13 04:45:55  1160192  ----a-w-  C:\windows\SysWow64\crypt32.dll
    2013-05-13 04:45:55  103936  ----a-w-  C:\windows\SysWow64\cryptnet.dll
    2013-05-13 03:43:55  1192448  ----a-w-  C:\windows\System32\certutil.exe
    2013-05-13 03:08:10  903168  ----a-w-  C:\windows\SysWow64\certutil.exe
    2013-05-13 03:08:06  43008  ----a-w-  C:\windows\SysWow64\certenc.dll
    2013-05-10 05:49:27  30720  ----a-w-  C:\windows\System32\cryptdlg.dll
    2013-05-10 03:20:54  24576  ----a-w-  C:\windows\SysWow64\cryptdlg.dll
    2013-05-08 06:39:01  1910632  ----a-w-  C:\windows\System32\drivers\tcpip.sys
    2013-05-08 06:10:12  770384  ----a-w-  C:\windows\SysWow64\msvcr100.dll
    2013-05-08 06:10:12  421200  ----a-w-  C:\windows\SysWow64\msvcp100.dll
    2013-05-02 09:06:08  278800  ------w-  C:\windows\System32\MpSigStub.exe
    2013-04-26 04:55:21  492544  ----a-w-  C:\windows\SysWow64\win32spl.dll
    2013-04-25 23:30:32  1505280  ----a-w-  C:\windows\SysWow64\d3d11.dll
    2013-04-17 07:02:06  1230336  ----a-w-  C:\windows\SysWow64\WindowsCodecs.dll
    2013-04-17 06:24:46  1424384  ----a-w-  C:\windows\System32\WindowsCodecs.dll
    2013-04-13 05:49:23  135168  ----a-w-  C:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2013-04-13 05:49:19  350208  ----a-w-  C:\windows\apppatch\AppPatch64\AcLayers.dll
    2013-04-13 05:49:19  308736  ----a-w-  C:\windows\apppatch\AppPatch64\AcGenral.dll
    2013-04-13 05:49:19  111104  ----a-w-  C:\windows\apppatch\AppPatch64\acspecfc.dll
    2013-04-13 04:45:16  474624  ----a-w-  C:\windows\apppatch\AcSpecfc.dll
    2013-04-13 04:45:15  2176512  ----a-w-  C:\windows\apppatch\AcGenral.dll
    2013-04-12 14:45:08  1656680  ----a-w-  C:\windows\System32\drivers\ntfs.sys
    .
    ============= FINISH: 16:17:38.15 ===============

    DDS attach:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    .
    ==== Disk Partitions =========================
    .
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    ???? ??? Windows Live
    ???? Windows Live
    ????? Windows Live
    ?????? ??????? ?? Windows Live
    ???????? ?????????? Windows Live
    ?????????? Windows Live
    ??????????? ?? Windows Live
    µTorrent
    7-Zip 9.20 (x64 edition)
    Adobe AIR
    Adobe Community Help
    Adobe Digital Editions
    Adobe Flash Player 11 ActiveX 64-bit
    Adobe Flash Player 11 Plugin
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Reader X (10.1.1)
    Alan Wake
    AMD APP SDK Runtime
    AMD Catalyst Install Manager
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArnA 2: Combined Operations
    Asmedia ASM104x USB 3.0 Host Controller Driver
    Assassin's Creed ® III
    Audacity 1.3.14 (Unicode)
    „Windows Live Essentials“
    „Windows Live Mail“
    „Windows Live Messenger“
    „Windows Live“ fotogalerija
    BattlEye for OA Uninstall
    Bing Bar
    BioShock Infinite
    Blast Pack for Pocket Tanks Deluxe
    Bonjour
    Borderlands 2
    Broadcom 802.11 Network Adapter
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Localization All
    Catalyst Control Center Profiles Mobile
    ccc-utility64
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Combat Arms
    CyberLink YouCam
    D3DX10
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dolby Axon - 1.4.0.2
    DriverAgent by eSupport.com
    Dropbox
    Dual-Core Optimizer
    Easy Settings
    Easy Software Manager
    Easy Support Center 1.0
    Energy Pack for Pocket Tanks Deluxe
    ETDWare PS/2-X64 10.7.5.0_SimpleUI
    ExpressCache
    F.lux
    FEZ v1.04
    Fire Pack BETA 3 for Pocket Tanks Deluxe
    FLAC to MP3 Converter 6.1.9
    Fotogalerija Windows Live
    Free M4a to MP3 Converter 7.0
    Futuremark SystemInfo
    Galeria de Fotografias do Windows Live
    Galeria fotografii uslugi Windows Live
    Galerie de photos Windows Live
    Galerie foto Windows Live
    Galería fotográfica de Windows Live
    Google Chrome
    Google Drive
    Google Update Helper
    Guild Wars 2
    Ice Pack BETA 3 for Pocket Tanks Deluxe
    Ice Pack BETA for Pocket Tanks Deluxe
    Ice Pack for Pocket Tanks Deluxe
    Intel(R) Display Audio Driver
    Intel(R) Management Engine Components
    Intel(R) Rapid Storage Technology
    Interactive Guide
    iTunes
    Java 7 Update 17
    Java Auto Updater
    Java(TM) 6 Update 31
    Java(TM) 6 Update 31 (64-bit)
    Java(TM) 7 Update 5 (64-bit)
    JavaFX 2.1.1
    Junk Mail filter update
    K-Lite Codec Pack 7.9.0 (Basic)
    LAME v3.98.3 for Audacity
    LAME v3.99.3 (for Windows)
    Malwarebytes Anti-Malware version 1.75.0.1300
    MATLAB R2011a
    Media Player Codec Pack 4.1.9
    Mesh Runtime
    MeshLab_64b 1.3.2
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office 2003 Web Components
    Microsoft Office 2010
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Office 64-bit Components 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 64-bit MUI (English) 2010
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Starter 2010 - English
    Microsoft Office Word MUI (English) 2010
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610
    Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610
    Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610
    Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610
    Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610
    Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610
    Microsoft Visual Studio 2005 Remote Debugger Light (x64) - ENU
    Microsoft Visual Studio 2005 Tools for Applications - ENU
    Microsoft WSE 3.0 Runtime
    Microsoft Xbox 360 Accessories 1.2
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_ATL_x86_x64
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_CRT_x86_x64
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFC_x86_x64
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC80_MFCLOC_x86_x64
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_ATL_x86_x64
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_CRT_x86_x64
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFC_x86_x64
    MiniTool Partition Wizard Home Edition 8.0
    Minutor
    mIRC
    Mozilla Firefox 9.0.1 (x86 en-US)
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Mumble 1.2.3
    Music Manager
    NVIDIA PhysX
    Party Pack for Pocket Tanks Deluxe
    Pazera Free MP4 to AVI Converter 1.6
    PDF Settings CS5
    PDFMate Free PDF Converter 1.40
    PlanetSide 2
    Plasma Pack for Pocket Tanks Deluxe
    PlayReady PC Runtime amd64
    Pocket Tanks Deluxe v1.3 By Argogo
    Pocket Tanks Deluxe v1.6 BETA 3
    Poczta uslugi Windows Live
    Podstawowe programy Windows Live
    Portforward Static IP Address 1.0.47
    Pošta Windows Live
    PX Profile Update
    QuickTime
    Raccolta foto di Windows Live
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    Red Chain Portal
    Registrar Registry Manager 7.03
    Revo Uninstaller 1.94
    S?????? f?t???af??? t?? Windows Live
    Samsung Recovery Solution 5
    SAMSUNG USB Driver for Mobile Phones
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
    Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
    Simple Adblock
    Six Updater
    Skype Click to Call
    Skype™ 6.1
    SolidWorks 2011 SP0
    SolidWorks 2012 x64 Edition SP04
    SolidWorks eDrawings 2012 x64 Edition SP04
    SolidWorks Explorer 2012 SP04 x64 Edition
    SolidWorks Flow Simulation 2012 SP04 x64 Edition
    SolidWorks Workgroup PDM Server 2012 SP01 x64 Edition
    Space Pack BETA 3 for Pocket Tanks Deluxe
    Space Pack BETA for Pocket Tanks Deluxe
    Splashtop Streamer
    Spotify
    Star Wars: The Old Republic
    Star Wars®: Knights of the Old Republic (TM)
    Steam
    Synergy
    System Requirements Lab CYRI
    Team Fortress 2
    TeamViewer 7
    The Sims™ 3
    The Swapper
    The Walking Dead (c) 3 version 1
    Trials Evolution Gold Edition
    Tribes: Ascend
    UCSB CS56 S12 ChoicePoints 2 Ramon Rovirosa and Shervin Shaikh CalcGui
    Unified Remote
    Unlocker 1.9.1-x64
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2836939)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
    Uplay
    User Guide
    uTorrentBar Toolbar
    Ventrilo Client for Windows x64
    VirtualCloneDrive
    VLC media player 2.0.6
    WIDCOMM Bluetooth Software
    Windows Installer Clean Up
    Windows Live
    Windows Live ??
    Windows Live ?? ???
    Windows Live ???
    Windows Live ????
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Fotótár
    Windows Live Foto-galerija
    Windows Live fotoattelu galerija
    Windows Live Fotogalerie
    Windows Live Fotogalleri
    Windows Live Fotogaléria
    Windows Live Fotograf Galerisi
    Windows Live Galeria de Fotos
    Windows Live Galerija fotografija
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Mesh
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Pošta
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Temel Parçalar
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Liven asennustyökalu
    Windows Liven sähköposti
    Windows Liven valokuvavalikoima
    Windows Mobile Device Updater Component
    Zune
    Zune Language Pack (CHS)
    Zune Language Pack (CHT)
    Zune Language Pack (CSY)
    Zune Language Pack (DAN)
    Zune Language Pack (DEU)
    Zune Language Pack (ELL)
    Zune Language Pack (ESP)
    Zune Language Pack (FIN)
    Zune Language Pack (FRA)
    Zune Language Pack (HUN)
    Zune Language Pack (IND)
    Zune Language Pack (ITA)
    Zune Language Pack (JPN)
    Zune Language Pack (KOR)
    Zune Language Pack (MSL)
    Zune Language Pack (NLD)
    Zune Language Pack (NOR)
    Zune Language Pack (PLK)
    Zune Language Pack (PTB)
    Zune Language Pack (PTG)
    Zune Language Pack (RUS)
    Zune Language Pack (SVE)
    .
    ==== End Of File ===========================
     
  4. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    Create a new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     
  5. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    Here is the Rogue log:

    RogueKiller V8.6.2 _x64_ [Jul 2 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : hxxp://www.adlice.com/forum/
    Website : hxxp://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Safe mode
    User : Robert [Admin rights]
    Mode : Remove -- Date : 07/10/2013 17:14:54
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 5 ¤¤¤
    [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] 8709bc60416022c9b875d52c10083408
    [BSP] e71e85990b7dfd2b255f3c74da68b24d : KIWI Image system MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 51200 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 105064448 | Size: 640966 Mo
    3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1417762816 | Size: 23137 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: +++++
    --- User ---
    [MBR] c24d9af7de7d2b6ff7f0ee0846275549
    [BSP] 0a9420da5d388cf72c9f5653515471d4 : Empty MBR Code
    Partition table:
    0 - [ACTIVE] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2048 | Size: 7639 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: +++++
    --- User ---
    [MBR] dc9813f82e0afb203372a30834e3a4a5
    [BSP] 0f745bdb11e1c74ec4c1b375ecf1311a : MBR Code unknown
    Partition table:
    0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 Mo
    1 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 Mo
    2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 Mo
    3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 0 | Size: 1775989 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[0]_D_07102013_171454.txt >>
    RKreport[0]_S_07102013_171418.txt

    Following those steps for system restore, "System protection" does not exist. I searched for system restore, and Windows said it is not functioning properly.

    Should I proceed with the next step you listed?
     
  6. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Yes.
     
  7. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    It said no threats were found. Here are the Malware logs:

    systemlog:
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    System is currently in a safe mode

    Account is Administrative

    Internet Explorer version: 10.0.9200.16618

    Java version: 1.6.0_31

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.195000 GHz
    Memory total: 8499281920, free: 7327473664

    Initializing...
    ------------ Kernel report ------------
    07/10/2013 17:25:33
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\system32\DRIVERS\excsd.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\compbatt.sys
    \SystemRoot\system32\drivers\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\drivers\HECIx64.sys
    \SystemRoot\system32\drivers\usbehci.sys
    \SystemRoot\system32\drivers\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\drivers\asmtxhci.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\ETD.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\drivers\blbdrive.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\VClone.sys
    \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    \SystemRoot\system32\DRIVERS\mcdbus.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\drivers\SGdrv64.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\drivers\usbhub.sys
    \SystemRoot\system32\drivers\asmthub3.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\framebuf.dll
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\System32\Drivers\fastfat.SYS
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \??\C:\windows\system32\drivers\mbamchameleon.sys
    \??\C:\windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\msctf.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\wininet.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\usp10.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\sechost.dll
    \Windows\System32\imm32.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\lpk.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\psapi.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\user32.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\shell32.dll
    \Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
    \Windows\System32\devobj.dll
    \Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\msasn1.dll
    \Windows\SysWOW64\normaliz.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk2\DR4
    Upper Device Object: 0xfffffa8008efe790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000098\
    Lower Device Object: 0xfffffa800953f810
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa8008c57060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-2\
    Lower Device Object: 0xfffffa8007d5d050
    Lower Device Driver Name: \Driver\iaStor\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa8008c33790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa8007d5f050
    Lower Device Driver Name: \Driver\iaStor\
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8008c33790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80082988b0, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8008c33790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8007d5f050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 74D52988

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848 Numsec = 104857600

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 105064448 Numsec = 1312698368

    Partition 3 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1417762816 Numsec = 47384576

    Disk Size: 750156374016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1465129168-1465149168)...
    Done!
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xfffffa8008c57060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8008c332c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8008c57060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8007d5d050, DeviceName: \Device\Ide\IAAStorageDevice-2\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 74F02DEA

    Partition information:

    Partition 0 type is Other (0x73)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 15644672
    Partition is not bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 8012390400 bytes
    Sector size: 512 bytes

    Done!
    Physical Sector Size: 512
    Drive: 2, DevicePointer: 0xfffffa8008efe790, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa800a6d5880, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8008efe790, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800953f810, DeviceName: \Device\00000098\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    Drive 2
    Scanning MBR on drive 2...
    Inspecting partition table:
    Partition information:

    This drive is a Single Partition removable Drive.
    Partition file system is FAT
    Partition is not bootable

    Disk Size: 1028653056 bytes
    Sector size: 512 bytes

    Done!
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_1_0_2048_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_2_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_2_r.mbam...
    Removal finished

    other log:
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004
    www.malwarebytes.org

    Database version: v2013.06.01.01

    Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
    Internet Explorer 10.0.9200.16618
    Robert :: BERT [administrator]

    7/10/2013 5:25:37 PM
    mbar-log-2013-07-10 (17-25-37).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: PUP
    Objects scanned: 275696
    Time elapsed: 10 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
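An added example (not code from the thread, RogueKiller or MBAR) that reads the two partition reports posted above: it converts RogueKiller's "Mo" sizes to sectors, confirms the RogueKiller and MBAR tables for PhysicalDrive0 agree, and flags entries that overlap or extend past the disk size MBAR reports, which is the case for every PhysicalDrive2 entry, the drive MBAR lists as a single-partition removable drive. The log excerpts are constructed from the posts above; "Mo" meaning MiB and 512-byte sectors are assumptions.

```python
"""Sanity-check RogueKiller "Partition table:" entries against the MBAR partition
report: Mo (MiB) -> sectors, same partitions in both tools, no overlap, inside the disk.
Added example for this thread; not code from RogueKiller, MBAR or the poster."""
import re

# Constructed excerpts of the two logs posted above (PhysicalDrive0 and 2 only).
RK_REPORT = """\
+++++ PhysicalDrive0: +++++
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 51200 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 105064448 | Size: 640966 Mo
3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1417762816 | Size: 23137 Mo
+++++ PhysicalDrive2: +++++
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 Mo
1 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 Mo
3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 0 | Size: 1775989 Mo
"""
MBAR_REPORT = """\
Drive 0
Partition 0 type is Primary (0x7)
Partition starts at LBA: 2048 Numsec = 204800
Partition 1 type is Primary (0x7)
Partition starts at LBA: 206848 Numsec = 104857600
Partition 2 type is Primary (0x7)
Partition starts at LBA: 105064448 Numsec = 1312698368
Partition 3 type is Other (0x27)
Partition starts at LBA: 1417762816 Numsec = 47384576
Disk Size: 750156374016 bytes
Sector size: 512 bytes
Drive 2
This drive is a Single Partition removable Drive.
Disk Size: 1028653056 bytes
Sector size: 512 bytes
"""

RK_DRIVE = re.compile(r"^\+\+\+\+\+ PhysicalDrive(\d+): \+\+\+\+\+$")
RK_ENTRY = re.compile(r"^(\d) - \[\w+\] \S+ \((0x[0-9A-Fa-f]+)\) \[\w+\] "
                      r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")
MB_DRIVE = re.compile(r"^Drive (\d+)$")
MB_TYPE = re.compile(r"^Partition (\d) type is \w+ \((0x[0-9A-Fa-f]+)\)$")
MB_LBA = re.compile(r"^Partition starts at LBA: (\d+) Numsec = (\d+)$")
MB_DISK = re.compile(r"^(Disk Size|Sector size): (\d+) bytes$")
SECTOR = 512  # assumed default; both logs report 512-byte sectors for these drives

def parse_roguekiller(text):
    """{drive: [(index, type, start_sector, size_sectors), ...]}, Mo converted to sectors."""
    drives, cur = {}, None
    for line in text.splitlines():
        if m := RK_DRIVE.match(line.strip()):
            cur = drives.setdefault(int(m.group(1)), [])
        elif (m := RK_ENTRY.match(line.strip())) and cur is not None:
            idx, ptype, start, mib = m.groups()
            cur.append((int(idx), int(ptype, 16), int(start), int(mib) * 1024 * 1024 // SECTOR))
    return drives

def parse_mbar(text):
    """{drive: {"parts": [(index, type, lba, numsec)], "Disk Size": n, "Sector size": n}}."""
    drives, cur, pending = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := MB_DRIVE.match(line):
            cur = drives.setdefault(int(m.group(1)), {"parts": []})
        elif cur is None:
            continue
        elif m := MB_TYPE.match(line):
            pending = (int(m.group(1)), int(m.group(2), 16))  # LBA line follows
        elif (m := MB_LBA.match(line)) and pending:
            cur["parts"].append(pending + (int(m.group(1)), int(m.group(2))))
            pending = None
        elif m := MB_DISK.match(line):
            cur[m.group(1)] = int(m.group(2))
    return drives

def check_table(entries, disk_sectors):
    """Return (indexes that run past the disk, index pairs whose sector ranges overlap)."""
    oob = [e[0] for e in entries if e[2] + e[3] > disk_sectors]
    overlaps = [(a[0], b[0]) for i, a in enumerate(entries) for b in entries[i + 1:]
                if a[2] < b[2] + b[3] and b[2] < a[2] + a[3]]
    return oob, overlaps

def audit(rk_text, mbar_text):
    """Per drive: bounds/overlap issues plus RogueKiller entries MBAR does not list."""
    mbar, report = parse_mbar(mbar_text), {}
    for drive, entries in parse_roguekiller(rk_text).items():
        info = mbar.get(drive)
        if not info or "Disk Size" not in info:
            continue  # no MBAR data for this drive; nothing to compare against
        disk_sectors = info["Disk Size"] // info.get("Sector size", SECTOR)
        oob, overlaps = check_table(entries, disk_sectors)
        report[drive] = {"oob": oob, "overlaps": overlaps,
                         "unmatched": [e for e in entries if e not in info["parts"]]}
    return report

if __name__ == "__main__":
    for drive, r in sorted(audit(RK_REPORT, MBAR_REPORT).items()):
        print(f"PhysicalDrive{drive}: {r}")
```

For PhysicalDrive0 every list is empty (both tools agree and the table is consistent); for PhysicalDrive2 all four entries overlap each other and exceed the 1028653056-byte disk MBAR reports.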
     
  8. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply.
     
  9. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    When I was receiving help somewhere else (linked in OP), I already used this tool. I used it again and the addition.txt was not created. Here is the FRST.txt:

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-07-2013 04
    Ran by Robert (administrator) on 10-07-2013 17:45:08
    Running from C:\Users\Robert\Desktop
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 10
    Boot Mode: Safe Mode (minimal)

    ==================== Could not list processes ===============

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [MSC] - "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
    HKCU\...\Run: [uTorrent] - "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [969104 2012-12-08] (BitTorrent, Inc.)
    Startup: C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> C:\Users\Robert\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    BHO: SimpleAdblock Class - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblockx64.dll (Simple Adblock)
    BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    BHO-x32: SimpleAdblock Class - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblock.dll (Simple Adblock)
    Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    Toolbar: HKLM-x32 - No Name - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
    Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
    Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11

    FireFox:
    ========
    FF ProfilePath: C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ioyfqj5y.default
    FF user.js: detected! => C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ioyfqj5y.default\user.js
    FF Homepage: google.com
    FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll ()
    FF Plugin: @java.com/DTPlugin,version=10.5.0 - C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.5.0 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @microsoft.com/GENUINE - disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Robert\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Robert\AppData\Local\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKCU: ubisoft.com/uplaypc - D:\Games\Trials Evolution\datapack\orbit\npuplaypc.dll (Ubisoft)
    FF SearchPlugin: C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ioyfqj5y.default\searchplugins\babylon.xml
    FF SearchPlugin: C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ioyfqj5y.default\searchplugins\conduit.xml
    FF SearchPlugin: C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ioyfqj5y.default\searchplugins\delta.xml
    FF Extension: No Name - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\ioyfqj5y.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

    Chrome:
    =======
    CHR HomePage: hxxp://www.google.com/
    CHR RestoreOnStartup: "hxxp://www.google.com/", "hxxp://search.conduit.com/?ctid=CT3301943&SearchSource=48&CUI=UN37182720615178260&UM=2", "hxxp://search.conduit.com/?ctid=CT3301943&SearchSource=48&CUI=UN37630268487258217&UM=2", "hxxp://www.delta-search.com/?affID=122460&babsrc=HP_ss&mntrId=A0AFE0CA9492D46B"
    CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
    CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
    CHR Plugin: (Shockwave Flash) - C:\Users\Robert\AppData\Local\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll ()
    CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Users\Robert\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Users\Robert\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll ()
    CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
    CHR Plugin: (Java(TM) Platform SE 7 U9) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
    CHR Plugin: (Uplay PC) - C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll ()
    CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
    CHR Plugin: (Java Deployment Toolkit 7.0.70.10) - C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

    ==================== Services (Whitelisted) =================

    S4 CoordinatorServiceHost; D:\Programs\SolidWorks\SolidWorks\swScheduler\DTSCoordinatorService.exe [89192 2012-06-09] (Dassault Systèmes SolidWorks Corp.)
    S4 ExpressCache; C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [79664 2011-09-22] (Diskeeper Corporation)
    R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
    S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
    S4 Remote Solver for Flow Simulation 2012; D:\Programs\SolidWorks\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [114824 2012-04-09] (Mentor Graphics Corporation)

    ==================== Drivers (Whitelisted) ====================

    S3 anvsnddrv; C:\Windows\System32\drivers\anvsnddrv.sys [33872 2011-11-28] (AnvSoft Inc.)
    S1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [23344 2011-09-22] (Diskeeper Corporation)
    R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [80688 2011-09-22] (Diskeeper Corporation)
    S3 FlashUSB; C:\Windows\system32\drivers\FlashUSB_x64.sys [19968 2010-12-20] (Danish Wireless Design A/S)
    S3 HH10Help.sys; C:\windows\system32\drivers\HH10Help.sys [24088 2009-07-09] (H+H Software GmbH)
    S3 HH10Help.sys; C:\windows\system32\drivers\HH10Help.sys [24088 2009-07-09] (H+H Software GmbH)
    S3 InputFilter_Hid_FlexDef2b; C:\Windows\System32\DRIVERS\InputFilter_FlexDef2b.sys [17920 2010-06-19] (Siliten)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
    S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
    S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-07-01] ()
    S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-07-01] ()
    S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-07-01] ()
    S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-07-01] ()
    R2 SGDrv; C:\Windows\system32\drivers\SGdrv64.sys [7680 2011-04-11] (Phoenix Technologies Ltd.)
    S3 shspusb; C:\Windows\system32\drivers\HSPUSB.sys [24064 2010-12-20] (MobileTop)
    S3 ssaebus; C:\Windows\system32\drivers\ssaebus.sys [136264 2010-12-20] (MCCI Corporation)
    S3 ssaeunic; C:\Windows\system32\drivers\ssaeunic.sys [178760 2010-12-20] (MCCI Corporation)
    S3 sscdserd; C:\Windows\system32\drivers\sscdserd.sys [141384 2010-12-20] (MCCI Corporation)
    S3 ssceserd; C:\Windows\system32\drivers\ssceserd.sys [129024 2010-12-20] (MCCI Corporation)
    S3 ssm_bus; C:\Windows\system32\drivers\ssm_bus.sys [136192 2010-12-20] (MCCI Corporation)
    S3 ssm_mdm; C:\Windows\system32\drivers\ssm_mdm.sys [172032 2010-12-20] (MCCI Corporation)
    S3 ssuddmgr; C:\Windows\system32\drivers\ssuddmgr.sys [202560 2011-02-17] (DEVGURU Co., LTD.(www.devguru.co.kr))
    S3 ssudobex; C:\Windows\system32\drivers\ssudobex.sys [202560 2011-02-17] (DEVGURU Co., LTD.(www.devguru.co.kr))
    S3 ssudserd; C:\Windows\system32\drivers\ssudserd.sys [202560 2011-02-17] (DEVGURU Co., LTD.(www.devguru.co.kr))
    S3 ss_bserd; C:\Windows\system32\drivers\ss_bserd.sys [128000 2010-12-20] (MCCI Corporation)
    S1 vdrv1000; C:\Windows\System32\Drivers\VDRV1000.SYS [223256 2010-03-25] (H+H Software GmbH)
    S3 ViaUsbEtsDriver; C:\Windows\System32\drivers\ViaUsbEts.sys [21760 2008-05-29] (Via Telecom, Inc.)
    U4 mbamswissarmy;

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-07-10 17:25 - 2013-07-10 17:36 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2013-07-10 17:25 - 2013-07-10 17:25 - 00000000 ____D C:\Users\Robert\Desktop\mbar-1.06.0.1004
    2013-07-10 17:14 - 2013-07-10 17:14 - 00002806 ____A C:\Users\Robert\Desktop\RKreport[0]_D_07102013_171454.txt
    2013-07-10 17:14 - 2013-07-10 17:14 - 00002704 ____A C:\Users\Robert\Desktop\RKreport[0]_S_07102013_171418.txt
    2013-07-10 17:12 - 2013-07-10 17:14 - 00000000 ____D C:\Users\Robert\Desktop\RK_Quarantine
    2013-07-10 17:12 - 2013-07-10 17:11 - 13399154 ____A C:\Users\Robert\Desktop\mbar-1.06.0.1004.zip
    2013-07-10 17:12 - 2013-07-10 17:09 - 03775488 ____A C:\Users\Robert\Desktop\RogueKillerX64.exe
    2013-07-10 16:17 - 2013-07-10 16:17 - 00015088 ____A C:\Users\Robert\Desktop\dds.txt
    2013-07-10 16:17 - 2013-07-10 16:17 - 00012440 ____A C:\Users\Robert\Desktop\attach.txt
    2013-07-10 16:15 - 2013-07-10 16:05 - 00688992 ____R (Swearware) C:\Users\Robert\Desktop\dds.com
    2013-07-10 13:08 - 2013-07-01 10:25 - 00019032 ____N C:\windows\system32\pwdrvio.sys
    2013-07-10 13:08 - 2013-07-01 10:25 - 00012384 ____N C:\windows\system32\pwdspio.sys
    2013-07-10 13:07 - 2013-07-10 13:07 - 00001206 ____A C:\Users\Public\Desktop\MiniTool Partition Wizard Home Edition.lnk
    2013-07-10 13:07 - 2013-07-10 13:07 - 00000000 ____D C:\Program Files (x86)\MiniTool Partition Wizard Home Edition 8.0
    2013-07-10 13:06 - 2013-07-10 12:50 - 20198792 ____A (MiniTool Solution Ltd. ) C:\Users\Robert\Desktop\pwhe8.exe
    2013-07-10 11:07 - 2013-07-10 11:03 - 00000186 ____A C:\Users\Robert\Desktop\ActionCenterIcon.reg
    2013-07-10 09:46 - 2013-07-10 09:44 - 00356429 ____A (Farbar) C:\Users\Robert\Desktop\FSS.exe
    2013-07-10 09:45 - 2013-07-10 17:44 - 01777775 ____A (Farbar) C:\Users\Robert\Desktop\FRST64.exe
    2013-07-09 20:21 - 2013-07-09 20:21 - 00000742 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-07-09 20:21 - 2013-04-04 14:50 - 00025928 ____A (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
    2013-07-09 17:24 - 2013-07-09 17:24 - 00000000 ____D C:\windows\pss
    2013-07-08 20:27 - 2013-07-08 20:27 - 00262144 ____A C:\windows\Minidump\070813-70528-01.dmp
    2013-06-27 14:40 - 2013-06-27 14:40 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MeshLab
    2013-06-27 12:17 - 2013-06-27 12:18 - 00000000 ____D C:\ProgramData\Package Cache
    2013-06-26 12:27 - 2007-11-15 19:21 - 00385024 ____A (SYCODE) C:\windows\SYCLicense071115U.dll
    2013-06-26 12:27 - 2007-10-21 12:18 - 01232896 ____A (SYCODE) C:\windows\SYCIOU.dll
    2013-06-26 12:27 - 2007-10-21 12:17 - 01028096 ____A (SYCODE) C:\windows\SYCGeoU.dll
    2013-06-26 12:27 - 2007-10-21 12:17 - 00233472 ____A (SYCODE) C:\windows\SYCGUIU.dll
    2013-06-20 10:07 - 2013-06-20 10:07 - 00000000 ____D C:\ProgramData\MentorGraphics
    2013-06-17 21:29 - 2013-07-08 20:26 - 00006088 ____A C:\windows\setupact.log
    2013-06-17 21:29 - 2013-06-17 21:29 - 00000000 ____A C:\windows\setuperr.log
    2013-06-17 20:36 - 2011-01-11 05:15 - 00069632 ____A (Microsoft Corporation) C:\windows\SysWOW64\mfcm80.dll
    2013-06-17 20:36 - 2011-01-11 05:14 - 00057856 ____A (Microsoft Corporation) C:\windows\SysWOW64\mfcm80u.dll
    2013-06-17 20:36 - 2011-01-10 22:51 - 01101824 ____A (Microsoft Corporation) C:\windows\SysWOW64\mfc80.dll
    2013-06-17 20:36 - 2011-01-10 22:51 - 01093120 ____A (Microsoft Corporation) C:\windows\SysWOW64\mfc80u.dll
    2013-06-17 20:36 - 2011-01-10 22:51 - 00002372 ____A C:\windows\SysWOW64\Microsoft.VC80.MFC.manifest
    2013-06-17 20:36 - 2003-03-18 22:20 - 01060864 ____A (Microsoft Corporation) C:\windows\SysWOW64\MFC71.dll
    2013-06-17 20:36 - 2003-03-18 22:12 - 01047552 ____A (Microsoft Corporation) C:\windows\SysWOW64\MFC71u.dll
    2013-06-17 20:36 - 2003-03-18 20:05 - 00089088 ____A (Microsoft Corporation) C:\windows\SysWOW64\atl71.dll
    2013-06-15 06:18 - 2013-06-08 07:08 - 01365504 ____A (Microsoft Corporation) C:\windows\system32\urlmon.dll
    2013-06-15 06:18 - 2013-06-08 07:07 - 19233792 ____A (Microsoft Corporation) C:\windows\system32\mshtml.dll
    2013-06-15 06:18 - 2013-06-08 07:06 - 15404544 ____A (Microsoft Corporation) C:\windows\system32\ieframe.dll
    2013-06-15 06:18 - 2013-06-08 07:06 - 02648064 ____A (Microsoft Corporation) C:\windows\system32\iertutil.dll
    2013-06-15 06:18 - 2013-06-08 07:06 - 00526336 ____A (Microsoft Corporation) C:\windows\system32\ieui.dll
    2013-06-15 06:18 - 2013-06-08 05:28 - 02706432 ____A (Microsoft Corporation) C:\windows\system32\mshtml.tlb
    2013-06-15 06:18 - 2013-06-08 04:42 - 01141248 ____A (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
    2013-06-15 06:18 - 2013-06-08 04:40 - 14327808 ____A (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
    2013-06-15 06:18 - 2013-06-08 04:40 - 13760512 ____A (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
    2013-06-15 06:18 - 2013-06-08 04:40 - 02046976 ____A (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
    2013-06-15 06:18 - 2013-06-08 04:40 - 00391168 ____A (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
    2013-06-15 06:18 - 2013-06-08 04:13 - 02706432 ____A (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
    2013-06-13 07:24 - 2013-05-16 18:25 - 02877440 ____A (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
    2013-06-13 07:24 - 2013-05-16 18:25 - 01767936 ____A (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
    2013-06-13 07:24 - 2013-05-16 18:25 - 00690688 ____A (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
    2013-06-13 07:24 - 2013-05-16 18:25 - 00493056 ____A (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
    2013-06-13 07:24 - 2013-05-16 18:25 - 00109056 ____A (Microsoft Corporation) C:\windows\SysWOW64\iesysprep.dll
    2013-06-13 07:24 - 2013-05-16 18:25 - 00061440 ____A (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
    2013-06-13 07:24 - 2013-05-16 18:25 - 00039424 ____A (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
    2013-06-13 07:24 - 2013-05-16 18:25 - 00033280 ____A (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
    2013-06-13 07:24 - 2013-05-16 17:59 - 02241024 ____A (Microsoft Corporation) C:\windows\system32\wininet.dll
    2013-06-13 07:24 - 2013-05-16 17:59 - 00051712 ____A (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
    2013-06-13 07:24 - 2013-05-16 17:58 - 03958784 ____A (Microsoft Corporation) C:\windows\system32\jscript9.dll
    2013-06-13 07:24 - 2013-05-16 17:58 - 00855552 ____A (Microsoft Corporation) C:\windows\system32\jscript.dll
    2013-06-13 07:24 - 2013-05-16 17:58 - 00603136 ____A (Microsoft Corporation) C:\windows\system32\msfeeds.dll
    2013-06-13 07:24 - 2013-05-16 17:58 - 00136704 ____A (Microsoft Corporation) C:\windows\system32\iesysprep.dll
    2013-06-13 07:24 - 2013-05-16 17:58 - 00067072 ____A (Microsoft Corporation) C:\windows\system32\iesetup.dll
    2013-06-13 07:24 - 2013-05-16 17:58 - 00053248 ____A (Microsoft Corporation) C:\windows\system32\jsproxy.dll
    2013-06-13 07:24 - 2013-05-16 17:58 - 00039936 ____A (Microsoft Corporation) C:\windows\system32\iernonce.dll
    2013-06-13 07:24 - 2013-05-14 05:23 - 00089600 ____A (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
    2013-06-13 07:24 - 2013-05-14 01:40 - 00071680 ____A (Microsoft Corporation) C:\windows\SysWOW64\RegisterIEPKEYs.exe
    2013-06-12 06:55 - 2013-05-12 22:51 - 01464320 ____A (Microsoft Corporation) C:\windows\system32\crypt32.dll
    2013-06-12 06:55 - 2013-05-12 22:51 - 00184320 ____A (Microsoft Corporation) C:\windows\system32\cryptsvc.dll
    2013-06-12 06:55 - 2013-05-12 22:51 - 00139776 ____A (Microsoft Corporation) C:\windows\system32\cryptnet.dll
    2013-06-12 06:55 - 2013-05-12 22:50 - 00052224 ____A (Microsoft Corporation) C:\windows\system32\certenc.dll
    2013-06-12 06:55 - 2013-05-12 21:45 - 01160192 ____A (Microsoft Corporation) C:\windows\SysWOW64\crypt32.dll
    2013-06-12 06:55 - 2013-05-12 21:45 - 00140288 ____A (Microsoft Corporation) C:\windows\SysWOW64\cryptsvc.dll
    2013-06-12 06:55 - 2013-05-12 21:45 - 00103936 ____A (Microsoft Corporation) C:\windows\SysWOW64\cryptnet.dll
    2013-06-12 06:55 - 2013-05-12 20:43 - 01192448 ____A (Microsoft Corporation) C:\windows\system32\certutil.exe
    2013-06-12 06:55 - 2013-05-12 20:08 - 00903168 ____A (Microsoft Corporation) C:\windows\SysWOW64\certutil.exe
    2013-06-12 06:55 - 2013-05-12 20:08 - 00043008 ____A (Microsoft Corporation) C:\windows\SysWOW64\certenc.dll
    2013-06-12 06:55 - 2013-05-09 22:49 - 00030720 ____A (Microsoft Corporation) C:\windows\system32\cryptdlg.dll
    2013-06-12 06:55 - 2013-05-09 20:20 - 00024576 ____A (Microsoft Corporation) C:\windows\SysWOW64\cryptdlg.dll
    2013-06-12 06:55 - 2013-05-07 23:39 - 01910632 ____A (Microsoft Corporation) C:\windows\system32\Drivers\tcpip.sys
    2013-06-12 06:55 - 2013-04-25 22:51 - 00751104 ____A (Microsoft Corporation) C:\windows\system32\win32spl.dll
    2013-06-12 06:55 - 2013-04-25 21:55 - 00492544 ____A (Microsoft Corporation) C:\windows\SysWOW64\win32spl.dll
    2013-06-12 06:55 - 2013-04-25 16:30 - 01505280 ____A (Microsoft Corporation) C:\windows\SysWOW64\d3d11.dll
    2013-06-12 06:55 - 2013-04-17 00:02 - 01230336 ____A (Microsoft Corporation) C:\windows\SysWOW64\WindowsCodecs.dll
    2013-06-12 06:55 - 2013-04-16 23:24 - 01424384 ____A (Microsoft Corporation) C:\windows\system32\WindowsCodecs.dll
    2013-06-12 06:55 - 2013-03-31 15:52 - 01887232 ____A (Microsoft Corporation) C:\windows\system32\d3d11.dll

    ==================== One Month Modified Files and Folders =======

    2013-07-10 17:44 - 2013-07-10 09:45 - 01777775 ____A (Farbar) C:\Users\Robert\Desktop\FRST64.exe
    2013-07-10 17:36 - 2013-07-10 17:25 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2013-07-10 17:25 - 2013-07-10 17:25 - 00000000 ____D C:\Users\Robert\Desktop\mbar-1.06.0.1004
    2013-07-10 17:19 - 2011-11-21 11:41 - 01706970 ____A C:\windows\WindowsUpdate.log
    2013-07-10 17:14 - 2013-07-10 17:14 - 00002806 ____A C:\Users\Robert\Desktop\RKreport[0]_D_07102013_171454.txt
    2013-07-10 17:14 - 2013-07-10 17:14 - 00002704 ____A C:\Users\Robert\Desktop\RKreport[0]_S_07102013_171418.txt
    2013-07-10 17:14 - 2013-07-10 17:12 - 00000000 ____D C:\Users\Robert\Desktop\RK_Quarantine
    2013-07-10 17:11 - 2013-07-10 17:12 - 13399154 ____A C:\Users\Robert\Desktop\mbar-1.06.0.1004.zip
    2013-07-10 17:09 - 2013-07-10 17:12 - 03775488 ____A C:\Users\Robert\Desktop\RogueKillerX64.exe
    2013-07-10 16:17 - 2013-07-10 16:17 - 00015088 ____A C:\Users\Robert\Desktop\dds.txt
    2013-07-10 16:17 - 2013-07-10 16:17 - 00012440 ____A C:\Users\Robert\Desktop\attach.txt
    2013-07-10 16:05 - 2013-07-10 16:15 - 00688992 ____R (Swearware) C:\Users\Robert\Desktop\dds.com
    2013-07-10 13:07 - 2013-07-10 13:07 - 00001206 ____A C:\Users\Public\Desktop\MiniTool Partition Wizard Home Edition.lnk
    2013-07-10 13:07 - 2013-07-10 13:07 - 00000000 ____D C:\Program Files (x86)\MiniTool Partition Wizard Home Edition 8.0
    2013-07-10 12:50 - 2013-07-10 13:06 - 20198792 ____A (MiniTool Solution Ltd. ) C:\Users\Robert\Desktop\pwhe8.exe
    2013-07-10 11:08 - 2011-12-25 15:12 - 00000000 ____D C:\Users\Robert\AppData\Roaming\uTorrent
    2013-07-10 11:03 - 2013-07-10 11:07 - 00000186 ____A C:\Users\Robert\Desktop\ActionCenterIcon.reg
    2013-07-10 10:43 - 2012-04-25 12:39 - 00000898 ____A C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-07-10 10:31 - 2011-12-25 12:21 - 00000912 ____A C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1617886939-4081324411-3031297083-1000UA.job
    2013-07-10 09:48 - 2009-07-13 21:45 - 00021200 ___AH C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-07-10 09:48 - 2009-07-13 21:45 - 00021200 ___AH C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-07-10 09:44 - 2013-07-10 09:46 - 00356429 ____A (Farbar) C:\Users\Robert\Desktop\FSS.exe
    2013-07-10 09:42 - 2011-12-25 15:20 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Dropbox
    2013-07-10 09:42 - 2011-12-25 12:17 - 00000000 ___RD C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    2013-07-10 09:41 - 2012-04-25 12:39 - 00000894 ____A C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-07-10 09:30 - 2011-12-28 17:34 - 00000000 ____D C:\Users\Robert\AppData\Roaming\SolidWorks
    2013-07-09 23:53 - 2011-12-25 15:35 - 00000000 ____D C:\Users\Robert\AppData\Roaming\vlc
    2013-07-09 20:21 - 2013-07-09 20:21 - 00000742 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-07-09 20:15 - 2011-11-09 14:59 - 00002243 ____A C:\windows\epplauncher.mif
    2013-07-09 20:14 - 2011-12-25 16:13 - 00174558 ____A C:\windows\PFRO.log
    2013-07-09 20:11 - 2012-06-30 22:50 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2013-07-09 20:11 - 2012-06-30 22:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2013-07-09 17:24 - 2013-07-09 17:24 - 00000000 ____D C:\windows\pss
    2013-07-09 16:57 - 2009-07-13 22:13 - 00779788 ____A C:\windows\system32\PerfStringBackup.INI
    2013-07-09 12:16 - 2012-11-02 18:05 - 00000000 ____D C:\Users\Robert\AppData\Local\TempSWBackupDirectory
    2013-07-09 11:10 - 2011-12-29 16:48 - 00000000 ____D C:\Users\Robert\AppData\Local\SolidWorks
    2013-07-09 07:00 - 2011-12-25 12:21 - 00000860 ____A C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1617886939-4081324411-3031297083-1000Core.job
    2013-07-08 20:27 - 2013-07-08 20:27 - 00262144 ____A C:\windows\Minidump\070813-70528-01.dmp
    2013-07-08 20:27 - 2012-01-02 13:34 - 00000000 ____D C:\windows\Minidump
    2013-07-08 20:26 - 2013-06-17 21:29 - 00006088 ____A C:\windows\setupact.log
    2013-07-06 12:38 - 2012-04-25 12:39 - 00003894 ____A C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
    2013-07-06 12:38 - 2012-04-25 12:39 - 00003642 ____A C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
    2013-07-05 05:26 - 2011-12-25 12:21 - 00003884 ____A C:\windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1617886939-4081324411-3031297083-1000UA
    2013-07-05 05:26 - 2011-12-25 12:21 - 00003488 ____A C:\windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1617886939-4081324411-3031297083-1000Core
    2013-07-02 10:23 - 2009-07-13 22:08 - 00032564 ____A C:\windows\Tasks\SCHEDLGU.TXT
    2013-07-02 10:20 - 2013-04-01 14:49 - 00000000 ____D C:\Users\Robert\Desktop\SolidWorks
    2013-07-02 09:16 - 2011-12-25 12:17 - 00000000 ____D C:\Users\Robert
    2013-07-02 09:07 - 2013-01-02 11:38 - 00000000 ____D C:\Program Files (x86)\Unified Remote
    2013-07-01 17:29 - 2009-07-13 20:20 - 00000000 ____D C:\windows\system32\NDF
    2013-07-01 10:25 - 2013-07-10 13:08 - 00019032 ____N C:\windows\system32\pwdrvio.sys
    2013-07-01 10:25 - 2013-07-10 13:08 - 00012384 ____N C:\windows\system32\pwdspio.sys
    2013-06-27 14:40 - 2013-06-27 14:40 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MeshLab
    2013-06-27 12:18 - 2013-06-27 12:17 - 00000000 ____D C:\ProgramData\Package Cache
    2013-06-27 11:54 - 2011-12-25 16:01 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Apple Computer
    2013-06-23 00:03 - 2012-02-22 17:27 - 00000132 ____A C:\Users\Robert\AppData\Roaming\Adobe PNG Format CS5 Prefs
    2013-06-20 13:27 - 2011-12-25 12:23 - 00002377 ____A C:\Users\Robert\Desktop\Google Chrome.lnk
    2013-06-20 10:07 - 2013-06-20 10:07 - 00000000 ____D C:\ProgramData\MentorGraphics
    2013-06-18 07:43 - 2011-11-09 14:59 - 00774004 ____A C:\windows\SysWOW64\PerfStringBackup.INI
    2013-06-17 21:29 - 2013-06-17 21:29 - 00000000 ____A C:\windows\setuperr.log
    2013-06-17 20:36 - 2011-10-16 22:22 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2013-06-17 06:36 - 2011-12-29 16:47 - 00000000 ____D C:\ProgramData\FLEXnet
    2013-06-13 07:25 - 2011-11-09 18:18 - 75825640 ____A (Microsoft Corporation) C:\windows\system32\MRT.exe
    2013-06-11 16:09 - 2011-12-29 00:38 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Spotify
    2013-06-11 16:07 - 2011-12-29 00:40 - 00000000 ____D C:\Users\Robert\AppData\Local\Spotify

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


    LastRegBack: 2013-07-03 12:28

    ==================== End Of Log ============================
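Broni's next reply reads the log above by eye. As an added example (not part of this thread, not FRST's own code, and not a tool either participant ran), here is a small Python triage pass over the same kinds of FRST lines: the "Services", "Drivers" and "Bamital & volsnap Check" entries. It assumes the line layout FRST shows in the posted logs, takes its sample lines from this thread's log, and adds one constructed non-legit MD5 line so that branch is exercised. It flags what a removal helper looks at first: binaries FRST could not find (`[x]`), drivers with an empty publisher string `()`, boot/system-start drivers, drivers loaded from outside the drivers tree, keys listed twice, and any system file whose check line is not "MD5 is legit". Hits are prompts to inspect, not verdicts: the two `pwdrvio`/`pwdspio` drivers it flags sit in system32 with no publisher, yet the created-files section above ties them to the MiniTool Partition Wizard install the same minute.

```python
"""Triage helper for lines from an FRST (Farbar Recovery Scan Tool) log.
Added example for this thread; not part of the thread or of FRST itself."""
import re
from dataclasses import dataclass
from typing import Optional

# One service/driver line, e.g.
#   S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-07-01] ()
#   S4 CoordinatorServiceHost; D:\...\DTSCoordinatorService.exe [x]
# Letter: R running, S stopped, U unknown. Digit: Windows start type
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled). "[x]" = file not found.
# The final parentheses hold the publisher; "()" means the file carries no
# company name in its version resource.
ENTRY_RE = re.compile(
    r"^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>.*)\)"
    r"|\[(?P<missing>x)\])$"
)
# One Bamital/volsnap check line, e.g. "C:\Windows\explorer.exe => MD5 is legit"
MD5_RE = re.compile(r"^(?P<path>.+?) => MD5 (?P<verdict>.+)$")


@dataclass
class Entry:
    kind: str               # "service" or "driver"
    start: str              # e.g. "S0"
    name: str
    path: str
    company: Optional[str]  # None when the binary is missing
    missing: bool


def parse_entries(lines, kind):
    """Return (parsed entries, lines that did not fit the layout)."""
    entries, unparsed = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            unparsed.append(line)   # e.g. "U4 mbamswissarmy;" carries no path
            continue
        entries.append(Entry(kind, m["start"], m["name"].strip(), m["path"],
                             None if m["missing"] else m["company"],
                             m["missing"] is not None))
    return entries, unparsed


def triage(entries):
    """Bucket entries into the things worth a second look."""
    findings = {"missing_binary": [], "no_publisher": [], "boot_start": [],
                "outside_drivers_dir": [], "duplicate": []}
    seen = set()
    for e in entries:
        key = (e.name.lower(), e.path.lower())
        if key in seen:
            findings["duplicate"].append(e.name)   # FRST prints some keys twice
            continue
        seen.add(key)
        if e.missing:
            findings["missing_binary"].append(e.name)
            continue
        if e.kind != "driver":
            continue
        if e.company == "":
            findings["no_publisher"].append(e.name)
        if e.start[1] in "01":                     # loads before any user logs on
            findings["boot_start"].append(e.name)
        if "\\drivers\\" not in e.path.lower():    # kernel code outside the usual tree
            findings["outside_drivers_dir"].append(e.name)
    return findings


def md5_not_legit(lines):
    """Paths whose check line says anything other than 'MD5 is legit'."""
    bad = []
    for raw in lines:
        m = MD5_RE.match(raw.strip())
        if m and m["verdict"].strip() != "is legit":
            bad.append(m["path"])
    return bad


# Sample lines copied from the FRST logs posted in this thread.
DRIVER_LINES = [
    r"S1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [23344 2011-09-22] (Diskeeper Corporation)",
    r"S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)",
    r"S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-07-01] ()",
    r"S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-07-01] ()",
    r"S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-07-01] ()",
    r"R2 SGDrv; C:\Windows\system32\drivers\SGdrv64.sys [7680 2011-04-11] (Phoenix Technologies Ltd.)",
    r"S3 ssuddmgr; C:\Windows\system32\drivers\ssuddmgr.sys [202560 2011-02-17] (DEVGURU Co., LTD.(www.devguru.co.kr))",
    r"U4 mbamswissarmy;",
]
SERVICE_LINES = [
    r"S4 CoordinatorServiceHost; D:\Programs\SolidWorks\SolidWorks\swScheduler\DTSCoordinatorService.exe [x]",
    r"R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)",
]
MD5_LINES = [
    r"C:\Windows\System32\winlogon.exe => MD5 is legit",
    r"C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit",
    r"C:\Windows\System32\services.exe => MD5 is not legit",  # constructed line, not from the log
]


def report():
    """Run the checks over the sample lines and return one dict of findings."""
    drivers, unparsed = parse_entries(DRIVER_LINES, "driver")
    services, more = parse_entries(SERVICE_LINES, "service")
    out = triage(drivers + services)
    out["unparsed"] = unparsed + more
    out["md5_not_legit"] = md5_not_legit(MD5_LINES)
    return out


if __name__ == "__main__":
    for bucket, names in report().items():
        print(f"{bucket}: {names}")
```

To use it on a real log, feed the lines between the `==================== Drivers (Whitelisted)` header and the next blank line to `parse_entries(..., "driver")`, the services block to `parse_entries(..., "service")`, and the Bamital section to `md5_not_legit`. The publisher check deliberately matches only the empty string: a mangled or odd-looking company name still parses, and a reader should judge it, as Broni does, against the install history in the created-files section.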
     
  10. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    I don't actually see any signs of Sirefef (ZeroAccess).

    Let's see if we can roll your computer back.

    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
    See if you can boot normally.
     

    Attached Files:

  11. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    Well MSE was uninstalled, and when I reinstalled it and scanned, that's what it said I had. Anyway, it seems that an error occurred with the fix:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-07-2013 04
    Ran by Robert at 2013-07-10 18:01:49 Run:4
    Running from C:\Users\Robert\Desktop
    Boot Mode: Safe Mode (minimal)
    ==============================================

    Error: The restore operation should be done in the recovery mode.

    ==== End of Fixlog ====
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    My fault. Sorry about it :)

    For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  13. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    Here you go:

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-07-2013 04
    Ran by SYSTEM on 10-07-2013 18:23:19
    Running from H:\
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 10
    Boot Mode: Recovery

    The current controlset is ControlSet002
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [MSC] - "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
    HKU\Robert\...\Run: [uTorrent] - "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [969104 2012-12-08] (BitTorrent, Inc.)
    Startup: C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)

    ==================== Services (Whitelisted) =================

    S4 ExpressCache; C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe [79664 2011-09-22] (Diskeeper Corporation)
    S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
    S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
    S4 CoordinatorServiceHost; D:\Programs\SolidWorks\SolidWorks\swScheduler\DTSCoordinatorService.exe [x]
    S4 Remote Solver for Flow Simulation 2012; D:\Programs\SolidWorks\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [x]

    ==================== Drivers (Whitelisted) ====================

    S3 anvsnddrv; C:\Windows\System32\drivers\anvsnddrv.sys [33872 2011-11-28] (AnvSoft Inc.)
    S1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [23344 2011-09-22] (Diskeeper Corporation)
    S0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [80688 2011-09-22] (Diskeeper Corporation)
    S3 FlashUSB; C:\Windows\system32\drivers\FlashUSB_x64.sys [19968 2010-12-20] (Danish Wireless Design A/S)
    S3 HH10Help.sys; C:\windows\system32\drivers\HH10Help.sys [24088 2009-07-09] (H+H Software GmbH)
    S3 HH10Help.sys; C:\windows\system32\drivers\HH10Help.sys [24088 2009-07-09] (H+H Software GmbH)
    S3 InputFilter_Hid_FlexDef2b; C:\Windows\System32\DRIVERS\InputFilter_FlexDef2b.sys [17920 2010-06-19] (Siliten)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
    S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
    S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-07-01] ()
    S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19032 2013-07-01] ()
    S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-07-01] ()
    S3 pwdspio; C:\windows\system32\pwdspio.sys [12384 2013-07-01] ()
    S2 SGDrv; C:\Windows\system32\drivers\SGdrv64.sys [7680 2011-04-11] (Phoenix Technologies Ltd.)
    S3 shspusb; C:\Windows\system32\drivers\HSPUSB.sys [24064 2010-12-20] (MobileTop)
    S3 ssaebus; C:\Windows\system32\drivers\ssaebus.sys [136264 2010-12-20] (MCCI Corporation)
    S3 ssaeunic; C:\Windows\system32\drivers\ssaeunic.sys [178760 2010-12-20] (MCCI Corporation)
    S3 sscdserd; C:\Windows\system32\drivers\sscdserd.sys [141384 2010-12-20] (MCCI Corporation)
    S3 ssceserd; C:\Windows\system32\drivers\ssceserd.sys [129024 2010-12-20] (MCCI Corporation)
    S3 ssm_bus; C:\Windows\system32\drivers\ssm_bus.sys [136192 2010-12-20] (MCCI Corporation)
    S3 ssm_mdm; C:\Windows\system32\drivers\ssm_mdm.sys [172032 2010-12-20] (MCCI Corporation)
    S3 ssuddmgr; C:\Windows\system32\drivers\ssuddmgr.sys [202560 2011-02-17] (DEVGURU Co., LTD.(www.devguru.co.kr))
    S3 ssudobex; C:\Windows\system32\drivers\ssudobex.sys [202560 2011-02-17] (DEVGURU Co., LTD.(www.devguru.co.kr))
    S3 ssudserd; C:\Windows\system32\drivers\ssudserd.sys [202560 2011-02-17] (DEVGURU Co., LTD.(www.devguru.co.kr))
    S3 ss_bserd; C:\Windows\system32\drivers\ss_bserd.sys [128000 2010-12-20] (MCCI Corporation)
    S1 vdrv1000; C:\Windows\System32\Drivers\VDRV1000.SYS [223256 2010-03-25] (H+H Software GmbH)
    S3 ViaUsbEtsDriver; C:\Windows\System32\drivers\ViaUsbEts.sys [21760 2008-05-29] (Via Telecom, Inc.)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-07-10 16:25 - 2013-07-10 16:36 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2013-07-10 16:25 - 2013-07-10 16:25 - 00000000 ____D C:\Users\Robert\Desktop\mbar-1.06.0.1004
    2013-07-10 16:12 - 2013-07-10 16:14 - 00000000 ____D C:\Users\Robert\Desktop\RK_Quarantine
    2013-07-10 16:12 - 2013-07-10 16:11 - 13399154 ____A C:\Users\Robert\Desktop\mbar-1.06.0.1004.zip
    2013-07-10 16:12 - 2013-07-10 16:09 - 03775488 ____A C:\Users\Robert\Desktop\RogueKillerX64.exe
    2013-07-10 15:15 - 2013-07-10 15:05 - 00688992 ____R (Swearware) C:\Users\Robert\Desktop\dds.com
    2013-07-10 12:08 - 2013-07-01 09:25 - 00019032 ____N C:\Windows\System32\pwdrvio.sys
    2013-07-10 12:08 - 2013-07-01 09:25 - 00012384 ____N C:\Windows\System32\pwdspio.sys
    2013-07-10 12:07 - 2013-07-10 12:07 - 00001206 ____A C:\Users\Public\Desktop\MiniTool Partition Wizard Home Edition.lnk
    2013-07-10 12:07 - 2013-07-10 12:07 - 00000000 ____D C:\Program Files (x86)\MiniTool Partition Wizard Home Edition 8.0
    2013-07-10 12:06 - 2013-07-10 11:50 - 20198792 ____A (MiniTool Solution Ltd. ) C:\Users\Robert\Desktop\pwhe8.exe
    2013-07-10 10:07 - 2013-07-10 10:03 - 00000186 ____A C:\Users\Robert\Desktop\ActionCenterIcon.reg
    2013-07-10 08:46 - 2013-07-10 08:44 - 00356429 ____A (Farbar) C:\Users\Robert\Desktop\FSS.exe
    2013-07-10 08:45 - 2013-07-10 16:44 - 01777775 ____A (Farbar) C:\Users\Robert\Desktop\FRST64.exe
    2013-07-09 19:21 - 2013-07-09 19:21 - 00000742 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-07-09 19:21 - 2013-04-04 13:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2013-07-09 16:24 - 2013-07-09 16:24 - 00000000 ____D C:\Windows\pss
    2013-07-08 19:27 - 2013-07-08 19:27 - 00262144 ____A C:\Windows\Minidump\070813-70528-01.dmp
    2013-06-27 11:17 - 2013-06-27 11:18 - 00000000 ____D C:\ProgramData\Package Cache
    2013-06-26 11:27 - 2007-11-15 18:21 - 00385024 ____A (SYCODE) C:\Windows\SYCLicense071115U.dll
    2013-06-26 11:27 - 2007-10-21 11:18 - 01232896 ____A (SYCODE) C:\Windows\SYCIOU.dll
    2013-06-26 11:27 - 2007-10-21 11:17 - 01028096 ____A (SYCODE) C:\Windows\SYCGeoU.dll
    2013-06-26 11:27 - 2007-10-21 11:17 - 00233472 ____A (SYCODE) C:\Windows\SYCGUIU.dll
    2013-06-20 09:07 - 2013-06-20 09:07 - 00000000 ____D C:\ProgramData\MentorGraphics
    2013-06-17 20:29 - 2013-07-08 19:26 - 00006088 ____A C:\Windows\setupact.log
    2013-06-17 20:29 - 2013-06-17 20:29 - 00000000 ____A C:\Windows\setuperr.log
    2013-06-17 19:36 - 2011-01-11 04:15 - 00069632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfcm80.dll
    2013-06-17 19:36 - 2011-01-11 04:14 - 00057856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfcm80u.dll
    2013-06-17 19:36 - 2011-01-10 21:51 - 01101824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc80.dll
    2013-06-17 19:36 - 2011-01-10 21:51 - 01093120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc80u.dll
    2013-06-17 19:36 - 2011-01-10 21:51 - 00002372 ____A C:\Windows\SysWOW64\Microsoft.VC80.MFC.manifest
    2013-06-17 19:36 - 2003-03-18 21:20 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MFC71.dll
    2013-06-17 19:36 - 2003-03-18 21:12 - 01047552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MFC71u.dll
    2013-06-17 19:36 - 2003-03-18 19:05 - 00089088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\atl71.dll
    2013-06-15 05:18 - 2013-06-08 06:08 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-06-15 05:18 - 2013-06-08 06:07 - 19233792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-06-15 05:18 - 2013-06-08 06:06 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-06-15 05:18 - 2013-06-08 06:06 - 02648064 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-06-15 05:18 - 2013-06-08 06:06 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-06-15 05:18 - 2013-06-08 04:28 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-06-15 05:18 - 2013-06-08 03:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2013-06-15 05:18 - 2013-06-08 03:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2013-06-15 05:18 - 2013-06-08 03:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2013-06-15 05:18 - 2013-06-08 03:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2013-06-15 05:18 - 2013-06-08 03:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2013-06-15 05:18 - 2013-06-08 03:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2013-06-13 06:24 - 2013-05-16 17:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2013-06-13 06:24 - 2013-05-16 17:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2013-06-13 06:24 - 2013-05-16 17:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2013-06-13 06:24 - 2013-05-16 17:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2013-06-13 06:24 - 2013-05-16 17:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
    2013-06-13 06:24 - 2013-05-16 17:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
    2013-06-13 06:24 - 2013-05-16 17:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2013-06-13 06:24 - 2013-05-16 17:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
    2013-06-13 06:24 - 2013-05-16 16:59 - 02241024 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-06-13 06:24 - 2013-05-16 16:59 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2013-06-13 06:24 - 2013-05-16 16:58 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-06-13 06:24 - 2013-05-16 16:58 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-06-13 06:24 - 2013-05-16 16:58 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-06-13 06:24 - 2013-05-16 16:58 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
    2013-06-13 06:24 - 2013-05-16 16:58 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
    2013-06-13 06:24 - 2013-05-16 16:58 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-06-13 06:24 - 2013-05-16 16:58 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
    2013-06-13 06:24 - 2013-05-14 04:23 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
    2013-06-13 06:24 - 2013-05-14 00:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
    2013-06-12 05:55 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2013-06-12 05:55 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2013-06-12 05:55 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2013-06-12 05:55 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
    2013-06-12 05:55 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2013-06-12 05:55 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2013-06-12 05:55 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2013-06-12 05:55 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
    2013-06-12 05:55 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
    2013-06-12 05:55 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
    2013-06-12 05:55 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
    2013-06-12 05:55 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
    2013-06-12 05:55 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2013-06-12 05:55 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
    2013-06-12 05:55 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
    2013-06-12 05:55 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
    2013-06-12 05:55 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
    2013-06-12 05:55 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
    2013-06-12 05:55 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

    ==================== One Month Modified Files and Folders =======

    2013-07-10 16:44 - 2013-07-10 08:45 - 01777775 ____A (Farbar) C:\Users\Robert\Desktop\FRST64.exe
    2013-07-10 16:36 - 2013-07-10 16:25 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2013-07-10 16:25 - 2013-07-10 16:25 - 00000000 ____D C:\Users\Robert\Desktop\mbar-1.06.0.1004
    2013-07-10 16:19 - 2011-11-21 10:41 - 01706970 ____A C:\Windows\WindowsUpdate.log
    2013-07-10 16:14 - 2013-07-10 16:12 - 00000000 ____D C:\Users\Robert\Desktop\RK_Quarantine
    2013-07-10 16:11 - 2013-07-10 16:12 - 13399154 ____A C:\Users\Robert\Desktop\mbar-1.06.0.1004.zip
    2013-07-10 16:09 - 2013-07-10 16:12 - 03775488 ____A C:\Users\Robert\Desktop\RogueKillerX64.exe
    2013-07-10 15:05 - 2013-07-10 15:15 - 00688992 ____R (Swearware) C:\Users\Robert\Desktop\dds.com
    2013-07-10 12:07 - 2013-07-10 12:07 - 00001206 ____A C:\Users\Public\Desktop\MiniTool Partition Wizard Home Edition.lnk
    2013-07-10 12:07 - 2013-07-10 12:07 - 00000000 ____D C:\Program Files (x86)\MiniTool Partition Wizard Home Edition 8.0
    2013-07-10 11:50 - 2013-07-10 12:06 - 20198792 ____A (MiniTool Solution Ltd. ) C:\Users\Robert\Desktop\pwhe8.exe
    2013-07-10 10:08 - 2011-12-25 14:12 - 00000000 ____D C:\Users\Robert\AppData\Roaming\uTorrent
    2013-07-10 10:03 - 2013-07-10 10:07 - 00000186 ____A C:\Users\Robert\Desktop\ActionCenterIcon.reg
    2013-07-10 09:43 - 2012-04-25 11:39 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-07-10 09:31 - 2011-12-25 11:21 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1617886939-4081324411-3031297083-1000UA.job
    2013-07-10 08:48 - 2009-07-13 20:45 - 00021200 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-07-10 08:48 - 2009-07-13 20:45 - 00021200 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-07-10 08:44 - 2013-07-10 08:46 - 00356429 ____A (Farbar) C:\Users\Robert\Desktop\FSS.exe
    2013-07-10 08:42 - 2011-12-25 14:20 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Dropbox
    2013-07-10 08:41 - 2012-04-25 11:39 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-07-10 08:30 - 2011-12-28 16:34 - 00000000 ____D C:\Users\Robert\AppData\Roaming\SolidWorks
    2013-07-09 22:53 - 2011-12-25 14:35 - 00000000 ____D C:\Users\Robert\AppData\Roaming\vlc
    2013-07-09 19:21 - 2013-07-09 19:21 - 00000742 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-07-09 19:15 - 2011-11-09 13:59 - 00002243 ____A C:\Windows\epplauncher.mif
    2013-07-09 19:14 - 2011-12-25 15:13 - 00174558 ____A C:\Windows\PFRO.log
    2013-07-09 19:11 - 2012-06-30 21:50 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2013-07-09 19:11 - 2012-06-30 21:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2013-07-09 16:24 - 2013-07-09 16:24 - 00000000 ____D C:\Windows\pss
    2013-07-09 15:57 - 2009-07-13 21:13 - 00779788 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-07-09 11:16 - 2012-11-02 17:05 - 00000000 ____D C:\Users\Robert\AppData\Local\TempSWBackupDirectory
    2013-07-09 10:10 - 2011-12-29 15:48 - 00000000 ____D C:\Users\Robert\AppData\Local\SolidWorks
    2013-07-09 06:00 - 2011-12-25 11:21 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1617886939-4081324411-3031297083-1000Core.job
    2013-07-08 19:27 - 2013-07-08 19:27 - 00262144 ____A C:\Windows\Minidump\070813-70528-01.dmp
    2013-07-08 19:27 - 2012-01-02 12:34 - 00000000 ____D C:\Windows\Minidump
    2013-07-08 19:26 - 2013-06-17 20:29 - 00006088 ____A C:\Windows\setupact.log
    2013-07-06 11:38 - 2012-04-25 11:39 - 00003894 ____A C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
    2013-07-06 11:38 - 2012-04-25 11:39 - 00003642 ____A C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
    2013-07-05 04:26 - 2011-12-25 11:21 - 00003884 ____A C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1617886939-4081324411-3031297083-1000UA
    2013-07-05 04:26 - 2011-12-25 11:21 - 00003488 ____A C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1617886939-4081324411-3031297083-1000Core
    2013-07-02 09:23 - 2009-07-13 21:08 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-07-02 09:20 - 2013-04-01 13:49 - 00000000 ____D C:\Users\Robert\Desktop\SolidWorks
    2013-07-02 08:16 - 2011-12-25 11:17 - 00000000 ____D C:\users\Robert
    2013-07-02 08:07 - 2013-01-02 10:38 - 00000000 ____D C:\Program Files (x86)\Unified Remote
    2013-07-01 16:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2013-07-01 09:25 - 2013-07-10 12:08 - 00019032 ____N C:\Windows\System32\pwdrvio.sys
    2013-07-01 09:25 - 2013-07-10 12:08 - 00012384 ____N C:\Windows\System32\pwdspio.sys
    2013-06-27 11:18 - 2013-06-27 11:17 - 00000000 ____D C:\ProgramData\Package Cache
    2013-06-27 10:54 - 2011-12-25 15:01 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Apple Computer
    2013-06-22 23:03 - 2012-02-22 16:27 - 00000132 ____A C:\Users\Robert\AppData\Roaming\Adobe PNG Format CS5 Prefs
    2013-06-20 12:27 - 2011-12-25 11:23 - 00002377 ____A C:\Users\Robert\Desktop\Google Chrome.lnk
    2013-06-20 09:07 - 2013-06-20 09:07 - 00000000 ____D C:\ProgramData\MentorGraphics
    2013-06-18 06:43 - 2011-11-09 13:59 - 00774004 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2013-06-17 20:29 - 2013-06-17 20:29 - 00000000 ____A C:\Windows\setuperr.log
    2013-06-17 19:36 - 2011-10-16 21:22 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2013-06-17 05:36 - 2011-12-29 15:47 - 00000000 ____D C:\ProgramData\FLEXnet
    2013-06-13 06:25 - 2011-11-09 17:18 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-06-11 15:09 - 2011-12-28 23:38 - 00000000 ____D C:\Users\Robert\AppData\Roaming\Spotify
    2013-06-11 15:07 - 2011-12-28 23:40 - 00000000 ____D C:\Users\Robert\AppData\Local\Spotify

    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================


    ==================== Memory info ===========================

    Percentage of memory in use: 10%
    Total physical RAM: 8105.55 MB
    Available physical RAM: 7265.07 MB
    Total Pagefile: 8103.75 MB
    Available Pagefile: 7258.7 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.85 MB

    ==================== Drives ================================

    Drive c: (Windows) (Fixed) (Total:50 GB) (Free:0.66 GB) NTFS (Disk=1 Partition=2)
    Drive e: (TEMP_PART01) (Fixed) (Total:625.94 GB) (Free:275.08 GB) NTFS (Disk=1 Partition=3)
    Drive f: (SAMSUNG_REC) (Fixed) (Total:22.59 GB) (Free:2.75 GB) NTFS (Disk=1 Partition=4) ==>[System with boot components (obtained from reading drive)]
    Drive h: () (Removable) (Total:0.96 GB) (Free:0.91 GB) FAT (Disk=2 Partition=1)
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=1 Partition=1) ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 7 GB) (Disk ID: 74F02DEA)
    Partition 1: (Active) - (Size=7 GB) - (Type=73)

    ========================================================
    Disk: 1 (Size: 699 GB) (Disk ID: 74D52988)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=50 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=626 GB) - (Type=07 NTFS)
    Partition 4: (Not Active) - (Size=23 GB) - (Type=27)

    ========================================================
    Disk: 2 (Size: 981 MB) (Disk ID: 6F20736B)
    Partition 1: (Not Active) - (Size=544 GB) - (Type=72)
    Partition 2: (Not Active) - (Size=923 GB) - (Type=65)
    Partition 3: (Not Active) - (Size=923 GB) - (Type=79)
    Partition 4: (Not Active) - (Size=-336763289600) - (Type=0D)


    LastRegBack: 2013-07-03 11:28

    ==================== End Of Log ============================
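    Reading the "MBR & Partition Table" section of the FRST log above: Disk 1 is the system drive, and its four entries line up with the offsets RogueKiller prints later in the thread, but Disk 2 (the 981 MB removable drive) lists partitions of 544 GB and 923 GB and one with a negative size. Entries like that are what you get when a sector that is not a partition table is decoded as one, for example the volume boot record of a FAT stick formatted without a partition table, which still ends in the 0x55AA signature. The script below is an added example, not code from FRST or RogueKiller: it decodes an MBR the way those tools do and applies the consistency checks (signature, status bytes, a single active entry, no overlaps, nothing past the end of the device) a practitioner runs before reading anything into such output. The sector images are constructed; the system-disk layout uses the Mo sizes from the RogueKiller report, the disk IDs are the ones in the FRST log, and the 750 GB total size and the USB-stick entries are assumptions.

```python
"""Decode a 512-byte MBR and sanity-check its partition table.

Added example, not code from FRST or RogueKiller: it mirrors the decoding
behind their "MBR & Partition Table" sections and adds the consistency checks
that separate a real table from a sector that merely ends in 0x55AA (a FAT
volume boot record on a partitionless USB stick does too).  Sector images and
disk sizes below are constructed.
"""
import struct
from itertools import combinations

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
TYPE_NAMES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0E: "FAT16 LBA", 0x0F: "Extended LBA", 0x27: "Hidden NTFS (recovery)",
              0xEE: "GPT protective"}
ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def build_mbr(entries, disk_id, signature=True):
    """Assemble a test sector from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    struct.pack_into("<I", sector, 0x1B8, disk_id)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY, sector, 0x1BE + 16 * i, status, ptype, lba_start, sectors)
    if signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the disk ID, the four partition entries and whether the boot signature is present."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY, sector, 0x1BE + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, "unknown"),
                        "lba_start": lba_start, "sectors": sectors})
    return {"disk_id": struct.unpack_from("<I", sector, 0x1B8)[0],
            "entries": entries, "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_partition_table(mbr, disk_sectors):
    """Return a list of findings; an empty list means the table is internally consistent."""
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: not an MBR")
    used = [e for e in mbr["entries"] if e["type"] != 0x00]
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    for e in used:
        tag = f"entry {e['index']} (type 0x{e['type']:02X})"
        if e["status"] not in (0x00, 0x80):
            findings.append(f"{tag}: invalid status byte 0x{e['status']:02X}")
        if e["sectors"] == 0:
            findings.append(f"{tag}: zero-length partition")
        elif e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append(f"{tag}: ends past the end of the disk "
                            f"({e['lba_start'] + e['sectors']} > {disk_sectors} sectors)")
    for a, b in combinations(used, 2):
        if not (a["sectors"] and b["sectors"]):
            continue
        if a["lba_start"] < b["lba_start"] + b["sectors"] and b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def audit(layout, disk_id, disk_sectors):
    """Build, parse and check a layout in one step; returns (parsed_mbr, findings)."""
    mbr = parse_mbr(build_mbr(layout, disk_id))
    return mbr, check_partition_table(mbr, disk_sectors)


# Layout of the system disk in the log (100 MB system partition, 50 GB Windows,
# 626 GB data, 23 GB hidden recovery).  Sector counts are the Mo sizes from the
# RogueKiller output times 2048; the total is an assumption for a 750 GB drive.
SYSTEM_DISK_SECTORS = 1_465_149_168
SYSTEM_DISK_LAYOUT = [(0x80, 0x07, 2_048, 204_800),
                      (0x00, 0x07, 206_848, 104_857_600),
                      (0x00, 0x07, 105_064_448, 1_312_698_368),
                      (0x00, 0x27, 1_417_762_816, 47_384_576)]

# What a non-MBR sector decodes to: partitions bigger than the device, an
# impossible status byte, overlaps.  Invented to mimic the Disk 2 entries in
# the FRST log, not read from a real device.
USB_STICK_SECTORS = 2_009_088          # about 981 MB at 512 bytes per sector
NOT_A_PARTITION_TABLE = [(0x00, 0x72, 2_048, 1_140_850_688),
                         (0x00, 0x65, 1_024, 1_935_671_296),
                         (0x49, 0x79, 0, 0),
                         (0x00, 0x0D, 4_000_000_000, 800_000_000)]

if __name__ == "__main__":
    for name, layout, disk_id, size in (("system disk", SYSTEM_DISK_LAYOUT, 0x74D52988, SYSTEM_DISK_SECTORS),
                                        ("usb stick", NOT_A_PARTITION_TABLE, 0x6F20736B, USB_STICK_SECTORS)):
        mbr, findings = audit(layout, disk_id, size)
        print(f"{name}: disk id {mbr['disk_id']:08X}, {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

    To run it against a real device, read the first 512 bytes of the physical drive (for example \\.\PhysicalDrive1 on Windows, opened as Administrator) and the device's sector count, and hand them to parse_mbr and check_partition_table. A clean result says only that the table is self-consistent; it does not prove the boot code is legitimate, which is what the separate [BSP] hash line in the RogueKiller output is for.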
     
  14. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
    See if you can boot normally.
     


  15. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    Here it is:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-07-2013 04
    Ran by SYSTEM at 2013-07-10 18:35:55 Run:5
    Running from H:\
    Boot Mode: Recovery
    ==============================================

    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.

    ==== End of Fixlog ====
     
  16. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    It hung at "Starting Windows" like before when booting normally.
     
  17. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    I waited until it shut down after hanging for too long, and tried booting again. This time it booted successfully.
     
  18. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    I opened Chrome, and the screen went black then restarted again. It booted up normally again. How should I proceed?
     
  19. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    That's better :)
    Re-run RogueKiller from normal mode.
     
  20. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    So I ran RogueKiller, deleted, and went to my desktop. The screen went black again, and restarted. Then, I tried to boot normally, and got blue screen. Then I booted again successfully, and saved the logs to the flash drive. I went to Chrome to post them here, and it blue screened again. Here are the two log files it spit out:

    1:

    RogueKiller V8.6.2 _x64_ [Jul 2 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : hxxp://www.adlice.com/forum/
    Website : hxxp://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Robert [Admin rights]
    Mode : Remove -- Date : 07/10/2013 18:55:45
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 1 ¤¤¤
    [V2][SUSP PATH] FastBrowsing2 : "%windir%\Temp\FastBrowsing2.exe" [x] -> DELETED

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS727575A9E364 +++++
    --- User ---
    [MBR] 8709bc60416022c9b875d52c10083408
    [BSP] e71e85990b7dfd2b255f3c74da68b24d : KIWI Image system MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 51200 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 105064448 | Size: 640966 Mo
    3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1417762816 | Size: 23137 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: Hitachi HTS727575A9E364 +++++
    --- User ---
    [MBR] c24d9af7de7d2b6ff7f0ee0846275549
    [BSP] 0a9420da5d388cf72c9f5653515471d4 : Empty MBR Code
    Partition table:
    0 - [ACTIVE] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2048 | Size: 7639 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_07102013_185545.txt >>
    RKreport[0]_S_07102013_185531.txt


    2:

    RogueKiller V8.6.2 _x64_ [Jul 2 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : hxxp://www.adlice.com/forum/
    Website : hxxp://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Robert [Admin rights]
    Mode : Scan -- Date : 07/10/2013 18:55:31
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 1 ¤¤¤
    [V2][SUSP PATH] FastBrowsing2 : "%windir%\Temp\FastBrowsing2.exe" [x] -> FOUND

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS727575A9E364 +++++
    --- User ---
    [MBR] 8709bc60416022c9b875d52c10083408
    [BSP] e71e85990b7dfd2b255f3c74da68b24d : KIWI Image system MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 51200 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 105064448 | Size: 640966 Mo
    3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1417762816 | Size: 23137 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: Hitachi HTS727575A9E364 +++++
    --- User ---
    [MBR] c24d9af7de7d2b6ff7f0ee0846275549
    [BSP] 0a9420da5d388cf72c9f5653515471d4 : Empty MBR Code
    Partition table:
    0 - [ACTIVE] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2048 | Size: 7639 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_07102013_185531.txt >>


    Is the blue screen a bad sign?
     
  21. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    First of all try different browser and see if same thing happens.

    Then...

    Download BlueScreenView
    Unzip downloaded file.
    Double click on BlueScreenView.exe file to run the program.
    When scanning is done, go Edit>Select All.
    Go File>Save Selected Items, and save the report as BSOD.txt.
    Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.
     
  22. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    It seems to blue screen randomly. Here is the BSOD:

    ==================================================
    Dump File : 071013-53009-01.dmp
    Crash Time : 7/10/2013 7:02:22 PM
    Bug Check String : MEMORY_MANAGEMENT
    Bug Check Code : 0x0000001a
    Parameter 1 : 00000000`00041790
    Parameter 2 : fffffa80`05de8e30
    Parameter 3 : 00000000`0000ffff
    Parameter 4 : 00000000`00000000
    Caused By Driver : ntoskrnl.exe
    Caused By Address : ntoskrnl.exe+75c00
    File Description : NT Kernel & System
    Product Name : Microsoft® Windows® Operating System
    Company : Microsoft Corporation
    File Version : 6.1.7601.18113 (win7sp1_gdr.130318-1533)
    Processor : x64
    Crash Address : ntoskrnl.exe+75c00
    Stack Address 1 :
    Stack Address 2 :
    Stack Address 3 :
    Computer Name :
    Full Path : C:\windows\Minidump\071013-53009-01.dmp
    Processors Count : 8
    Major Version : 15
    Minor Version : 7601
    Dump File Size : 262,144
    Dump File Time : 7/10/2013 7:03:42 PM
    ==================================================

    ==================================================
    Dump File : 071013-65177-01.dmp
    Crash Time : 7/10/2013 6:58:30 PM
    Bug Check String :
    Bug Check Code : 0x00000116
    Parameter 1 : fffffa80`0ab17010
    Parameter 2 : fffff880`04a49af4
    Parameter 3 : 00000000`00000000
    Parameter 4 : 00000000`00000002
    Caused By Driver : dxgkrnl.sys
    Caused By Address : dxgkrnl.sys+5d054
    File Description :
    Product Name :
    Company :
    File Version :
    Processor : x64
    Crash Address : ntoskrnl.exe+75c00
    Stack Address 1 :
    Stack Address 2 :
    Stack Address 3 :
    Computer Name :
    Full Path : C:\windows\Minidump\071013-65177-01.dmp
    Processors Count : 8
    Major Version : 15
    Minor Version : 7601
    Dump File Size : 262,144
    Dump File Time : 7/10/2013 7:00:00 PM
    ==================================================

    ==================================================
    Dump File : 071013-68453-01.dmp
    Crash Time : 7/10/2013 6:45:10 PM
    Bug Check String :
    Bug Check Code : 0x00000116
    Parameter 1 : fffffa80`075584e0
    Parameter 2 : fffff880`04a25af4
    Parameter 3 : 00000000`00000000
    Parameter 4 : 00000000`00000002
    Caused By Driver : dxgkrnl.sys
    Caused By Address : dxgkrnl.sys+5d054
    File Description :
    Product Name :
    Company :
    File Version :
    Processor : x64
    Crash Address : ntoskrnl.exe+75c00
    Stack Address 1 :
    Stack Address 2 :
    Stack Address 3 :
    Computer Name :
    Full Path : C:\windows\Minidump\071013-68453-01.dmp
    Processors Count : 8
    Major Version : 15
    Minor Version : 7601
    Dump File Size : 262,144
    Dump File Time : 7/10/2013 6:46:58 PM
    ==================================================

    ==================================================
    Dump File : 070813-70528-01.dmp
    Crash Time : 7/8/2013 8:25:28 PM
    Bug Check String :
    Bug Check Code : 0x00000116
    Parameter 1 : fffffa80`0f18c190
    Parameter 2 : fffff880`04b00af4
    Parameter 3 : 00000000`00000000
    Parameter 4 : 00000000`00000002
    Caused By Driver : dxgkrnl.sys
    Caused By Address : dxgkrnl.sys+5d054
    File Description :
    Product Name :
    Company :
    File Version :
    Processor : x64
    Crash Address : ntoskrnl.exe+75c00
    Stack Address 1 :
    Stack Address 2 :
    Stack Address 3 :
    Computer Name :
    Full Path : C:\windows\Minidump\070813-70528-01.dmp
    Processors Count : 8
    Major Version : 15
    Minor Version : 7601
    Dump File Size : 262,144
    Dump File Time : 7/8/2013 8:27:21 PM
    ==================================================
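    Two things about the report above are worth knowing before drawing conclusions from it. BlueScreenView leaves "Bug Check String" empty for three of the four dumps; 0x116 is VIDEO_TDR_FAILURE, the display driver failing to respond to a timeout-detection reset, and the module that stopped responding is the display driver identified by the second parameter rather than dxgkrnl.sys itself. And the identical ntoskrnl.exe+75c00 crash address on every dump, whichever driver is blamed, is the point where the kernel raised the bug check, not the faulting code, so the "Caused By Driver" column is a heuristic and a proper answer needs the dumps opened in WinDbg with !analyze -v. The script below is an added example, not BlueScreenView's output: it parses the saved report format, fills in the standard names for the bug-check codes, and groups the crashes so the "different errors, different files" observation can be read off a summary. The embedded report is a trimmed copy of the four records above (only the fields the script reads).

```python
"""Summarise a BlueScreenView text report by bug-check code and blamed module.

Added example, not BlueScreenView's code.  SAMPLE_REPORT is a trimmed copy of
the four records posted above (only the fields this script reads).
"""
from collections import Counter

# Names from Microsoft's bug-check reference for codes common in crash triage;
# BlueScreenView leaves "Bug Check String" empty when its own table lacks one.
BUGCHECK_NAMES = {
    0x1A: "MEMORY_MANAGEMENT", 0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x116: "VIDEO_TDR_FAILURE", 0x124: "WHEA_UNCORRECTABLE_ERROR",
}
HARDWARE_SUSPECTS = {0x1A, 0x50, 0x124}   # usually bad RAM or other hardware rather than a driver
MM_SUBCODES = {0x41790: "a page table page has been corrupted"}  # 0x1A parameter 1 meanings

SAMPLE_REPORT = """\
==================================================
Dump File : 071013-53009-01.dmp
Bug Check String : MEMORY_MANAGEMENT
Bug Check Code : 0x0000001a
Parameter 1 : 00000000`00041790
Caused By Driver : ntoskrnl.exe
Crash Address : ntoskrnl.exe+75c00
==================================================
Dump File : 071013-65177-01.dmp
Bug Check String :
Bug Check Code : 0x00000116
Parameter 1 : fffffa80`0ab17010
Caused By Driver : dxgkrnl.sys
Crash Address : ntoskrnl.exe+75c00
==================================================
Dump File : 071013-68453-01.dmp
Bug Check String :
Bug Check Code : 0x00000116
Parameter 1 : fffffa80`075584e0
Caused By Driver : dxgkrnl.sys
Crash Address : ntoskrnl.exe+75c00
==================================================
Dump File : 070813-70528-01.dmp
Bug Check String :
Bug Check Code : 0x00000116
Parameter 1 : fffffa80`0f18c190
Caused By Driver : dxgkrnl.sys
Crash Address : ntoskrnl.exe+75c00
==================================================
"""


def parse_report(text):
    """Split a BlueScreenView 'Save Selected Items' text file into one dict per dump."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("====="):
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(" :")   # first " :" ends the key; values may contain ":"
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def triage(records):
    """Name each bug check, group by (name, blamed module) and note what the pattern implies."""
    rows = []
    for r in records:
        code = int(r.get("Bug Check Code", "0"), 16)
        param1 = int(r.get("Parameter 1", "0").replace("`", ""), 16)
        rows.append({"dump": r.get("Dump File", "?"), "code": code, "param1": param1,
                     "name": r.get("Bug Check String") or BUGCHECK_NAMES.get(code, f"UNKNOWN_0x{code:X}"),
                     "detail": MM_SUBCODES.get(param1, "") if code == 0x1A else "",
                     "driver": r.get("Caused By Driver", "?"),
                     "crash_address": r.get("Crash Address", "?")})
    by_cause = Counter((row["name"], row["driver"]) for row in rows)
    addresses = {row["crash_address"] for row in rows}
    notes = []
    if len(by_cause) > 1:
        notes.append("mixed bug checks and modules: no single driver explains every crash")
    if any(row["code"] in HARDWARE_SUSPECTS for row in rows):
        notes.append("memory-corruption class bug check present: test the RAM before chasing drivers")
    if len(rows) > 1 and len(addresses) == 1:
        notes.append(f"identical crash address {addresses.pop()} on every dump is the bug-check "
                     "call site, not the faulting code")
    return {"rows": rows, "by_cause": by_cause, "distinct_causes": len(by_cause), "notes": notes}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for (name, driver), n in result["by_cause"].most_common():
        print(f"{n}x {name} blamed on {driver}")
    for note in result["notes"]:
        print("-", note)
```

    Run on the four records above this yields three VIDEO_TDR_FAILURE crashes blamed on dxgkrnl.sys and one MEMORY_MANAGEMENT with subcode 0x41790, which Microsoft's 0x1A documentation describes as a corrupted page table page. That is the pattern a memory test is meant to rule in or out, which is the direction the reply below takes.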
     
  23. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    It's fairly inconclusive since we have different types of errors and different system files are involved.
    My first suspect would be some RAM issue but...

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.
     
  24. CheeseJam

    CheeseJam TS Rookie Topic Starter Posts: 31

    Thanks for all your help! I posted a topic in the BSOD section; hopefully it gets fixed. So was there never any malware in the first place?
     
  25. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    No.
     