
feb29

Members
Posts: 3

Posts posted by feb29

  1. Thanks, MrCharlie. Do I need to run anything else, i.e. Malwarebytes or superspybot, to clean up?

    Danny

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-01-2013 02

    Ran by SYSTEM at 2013-01-30 13:38:23 Run:1

    Running from F:\

    ==============================================

    HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\osrsh Value deleted successfully.

    HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\winax Value deleted successfully.

    HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\watidl Value deleted successfully.

    HKEY_USERS\Owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully.

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

    C:\Users\Owner\AppData\Roaming\skype.ini moved successfully.

    C:\Users\Owner\AppData\Local\914e708b-7721-4e0a-8f1a-4bb0306a8c84.crx moved successfully.

    C:\Users\Owner\AppData\Roaming\winax.dll moved successfully.

    C:\Users\Owner\AppData\Roaming\watidl.dll moved successfully.

    C:\Users\Owner\AppData\Roaming\osrsh.dll moved successfully.

    C:\Users\Owner\AppData\Local\914e708b-7721-4e0a-8f1a-4bb0306a8c84.crx not found.

    C:\$Recycle.Bin\S-1-5-21-302394131-1905736877-2128619648-1000\$47948b2fda6c8a44705b1405ef19b4b1 moved successfully.

    C:\$Recycle.Bin\S-1-5-18\$47948b2fda6c8a44705b1405ef19b4b1 moved successfully.

    ==== End of Fixlog ====

  2. Hello,

    I am running Windows Vista 32 and am stuck on the faux-warning page. I cannot access safe mode; it always switches to the full mode and the FBI warning page.

    I have copied the FRST.txt and Services.txt below.

    Thanks in advance for any help.

    Danny Sillivant

    Charleston, SC USA

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2013 02

    Ran by SYSTEM at 30-01-2013 12:40:20

    Running from F:\

    Windows 7 Professional (X86) OS Language: English(US)

    The current controlset is ControlSet002

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [uSCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-06-22] (Broadcom Corporation)

    HKLM\...\Run: [ESInetConnect] "C:\EagleSoft\Shared Files\esinetconnect.exe" [204800 2007-04-04] (Patterson Dental Supply, Inc.)

    HKLM\...\Run: [ESServer] "C:\EagleSoft\Shared Files\startsrv.exe" [36864 2004-02-03] ()

    HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [206336 2010-05-20] (Microsoft)

    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)

    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)

    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)

    HKU\Owner\...\Run: [osrsh] rundll32.exe "C:\Users\Owner\AppData\Roaming\osrsh.dll",PSTSetNewData [160768 2013-01-29] (Syntek Corporation)

    HKU\Owner\...\Run: [winax] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\winax.dll",ASTFromString [613888 2013-01-29] (Ray Hinchliffe)

    HKU\Owner\...\Run: [watidl] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\watidl.dll",Init [333824 2013-01-29] (ALPS Electric Co., Ltd.)

    HKU\Owner\...\Winlogon: [shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [94208 2011-11-16] ()

    HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)

    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$47948b2fda6c8a44705b1405ef19b4b1\n. ATTENTION! ====> ZeroAccess

    Tcpip\Parameters: [DhcpNameServer] 10.1.10.1

    AppInit_DLLs: C:\PROGRA~1\KEYCRY~1\KEYCRY~3.DLL

    Lsa: [Authentication Packages] msv1_0 wvauth

    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Constant Guard.lnk

    ShortcutTarget: Constant Guard.lnk -> C:\Program Files\Constant Guard Protection Suite\IDVault.exe (White Sky, Inc.)

    ==================== Services (Whitelisted) ===================

    2 atashost; "C:\Windows\system32\atashost.exe" [116536 2011-04-08] (Cisco WebEx LLC)

    2 IDVaultSvc; "C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe" [66600 2013-01-14] (White Sky, Inc.)

    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [20472 2012-09-12] (Microsoft Corporation)

    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [287824 2012-09-12] (Microsoft Corporation)

    3 SecureStorageService; "C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe" [1032192 2010-02-03] (Wave Systems Corp.)

    2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1273856 2008-11-12] ()

    2 TdmService; "C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe" [1164648 2010-03-29] (Wave Systems Corp.)

    2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2010-02-18] (Intel Corporation)

    2 XCSecurity; "C:\ProgramData\CAM Commerce Solutions\X-Charge\Application\XCSecurityService.exe" [1554432 2010-10-02] ()

    2 XCService; "C:\ProgramData\CAM Commerce Solutions\X-Charge\Application\XCService.exe" [461824 2010-10-02] ()

    ==================== Drivers (Whitelisted) ====================

    1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog32.sys [82320 2013-01-29] (Zemana Ltd.)

    3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [60104 2010-07-12] (FTDI Ltd.)

    3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt32.sys [25936 2013-01-05] (Zemana Ltd.)

    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)

    3 NAL; \??\C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-02] (Intel Corporation )

    0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)

    2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [229888 2010-01-19] (Wave Systems Corp.)

    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========

    2013-01-30 12:40 - 2013-01-30 12:40 - 00000000 ____D C:\FRST

    2013-01-29 12:01 - 2013-01-29 12:01 - 00082320 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\AntiLog32.sys

    2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Windows\System32\ZALSDK_uninst

    2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Users\Owner\AppData\Local\Zemana

    2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Program Files\KeyCryptSDK

    2013-01-29 12:01 - 2013-01-05 17:39 - 07369552 ____A (Zemana Ltd.) C:\Windows\System32\ZALSDKCore.dll

    2013-01-29 12:01 - 2013-01-05 17:39 - 00025936 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\KeyCrypt32.sys

    2013-01-29 11:49 - 2013-01-30 08:45 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

    2013-01-29 11:45 - 2013-01-30 08:43 - 00006526 ____A C:\Users\Owner\AppData\Local\914e708b-7721-4e0a-8f1a-4bb0306a8c84.crx

    2013-01-29 11:45 - 2013-01-30 05:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

    2013-01-29 11:45 - 2013-01-29 12:08 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

    2013-01-29 11:45 - 2013-01-29 12:08 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

    2013-01-29 11:45 - 2013-01-29 11:45 - 00613888 ____A (Ray Hinchliffe) C:\Users\Owner\AppData\Roaming\winax.dll

    2013-01-29 11:45 - 2013-01-29 11:45 - 00333824 ____A (ALPS Electric Co., Ltd.) C:\Users\Owner\AppData\Roaming\watidl.dll

    2013-01-29 11:44 - 2013-01-29 11:44 - 00160768 ____A (Syntek Corporation) C:\Users\Owner\AppData\Roaming\osrsh.dll

    2013-01-09 05:25 - 2012-11-22 18:56 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2013-01-09 05:25 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll

    2013-01-09 05:25 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

    2013-01-09 05:24 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll

    2013-01-09 05:24 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll

    2013-01-09 05:24 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs

    2013-01-09 05:24 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs

    2013-01-09 05:24 - 2012-11-29 20:53 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

    2013-01-09 05:24 - 2012-11-29 20:47 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

    2013-01-09 05:24 - 2012-11-29 20:47 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 18:55 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

    2013-01-09 05:24 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

    2013-01-09 05:24 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\System32\locale.nls

    2013-01-09 05:24 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

    2013-01-09 05:23 - 2012-11-22 18:48 - 00049152 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe

    2013-01-09 05:23 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    ==================== One Month Modified Files and Folders ========

    2013-01-30 12:40 - 2013-01-30 12:40 - 00000000 ____D C:\FRST

    2013-01-30 09:31 - 2009-07-13 20:55 - 02095398 ____A C:\Windows\WindowsUpdate.log

    2013-01-30 09:31 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

    2013-01-30 09:31 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

    2013-01-30 09:24 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

    2013-01-30 09:24 - 2009-07-13 20:39 - 00029381 ____A C:\Windows\setupact.log

    2013-01-30 08:45 - 2013-01-29 11:49 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

    2013-01-30 08:45 - 2012-01-12 11:24 - 00000000 ____D C:\Users\Owner\AppData\Roaming\ID Vault

    2013-01-30 08:43 - 2013-01-29 11:45 - 00006526 ____A C:\Users\Owner\AppData\Local\914e708b-7721-4e0a-8f1a-4bb0306a8c84.crx

    2013-01-30 07:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles

    2013-01-30 05:07 - 2013-01-29 11:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

    2013-01-29 12:08 - 2013-01-29 11:45 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

    2013-01-29 12:08 - 2013-01-29 11:45 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

    2013-01-29 12:01 - 2013-01-29 12:01 - 00082320 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\AntiLog32.sys

    2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Windows\System32\ZALSDK_uninst

    2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Users\Owner\AppData\Local\Zemana

    2013-01-29 12:01 - 2013-01-29 12:01 - 00000000 ____D C:\Program Files\KeyCryptSDK

    2013-01-29 12:01 - 2012-04-12 04:01 - 00002137 ____A C:\Users\Public\Desktop\Constant Guard.lnk

    2013-01-29 12:01 - 2012-01-12 11:20 - 00000000 ____D C:\Program Files\Constant Guard Protection Suite

    2013-01-29 11:55 - 2010-12-16 11:23 - 00000000 ____D C:\Users\Owner\AppData\Roaming\SoftGrid Client

    2013-01-29 11:45 - 2013-01-29 11:45 - 00613888 ____A (Ray Hinchliffe) C:\Users\Owner\AppData\Roaming\winax.dll

    2013-01-29 11:45 - 2013-01-29 11:45 - 00333824 ____A (ALPS Electric Co., Ltd.) C:\Users\Owner\AppData\Roaming\watidl.dll

    2013-01-29 11:44 - 2013-01-29 11:44 - 00160768 ____A (Syntek Corporation) C:\Users\Owner\AppData\Roaming\osrsh.dll

    2013-01-29 06:31 - 2012-06-27 07:35 - 00000000 ____D C:\Users\Owner\Desktop\Important

    2013-01-28 14:16 - 2010-09-30 20:06 - 00727310 ____A C:\Windows\System32\PerfStringBackup.INI

    2013-01-28 14:00 - 2012-10-18 12:47 - 00000000 ____D C:\Users\Owner\Desktop\Data Backup

    2013-01-24 05:07 - 2010-12-09 12:58 - 00000000 ____D C:\EagleSoft Autobackups

    2013-01-21 06:09 - 2010-12-13 09:23 - 00000000 ____D C:\Users\Owner\Desktop\New Patient Forms

    2013-01-17 08:47 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF

    2013-01-10 00:30 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET

    2013-01-10 00:21 - 2009-07-13 20:33 - 00268128 ____A C:\Windows\System32\FNTCACHE.DAT

    2013-01-10 00:00 - 2010-12-09 12:32 - 65273848 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

    2013-01-05 17:39 - 2013-01-29 12:01 - 07369552 ____A (Zemana Ltd.) C:\Windows\System32\ZALSDKCore.dll

    2013-01-05 17:39 - 2013-01-29 12:01 - 00025936 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\KeyCrypt32.sys

    ZeroAccess:

    C:\$Recycle.Bin\S-1-5-21-302394131-1905736877-2128619648-1000\$47948b2fda6c8a44705b1405ef19b4b1

    ZeroAccess:

    C:\$Recycle.Bin\S-1-5-18\$47948b2fda6c8a44705b1405ef19b4b1

    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\System32\svchost.exe => MD5 is legit

    C:\Windows\System32\services.exe => MD5 is legit

    C:\Windows\System32\User32.dll => MD5 is legit

    C:\Windows\System32\userinit.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK

    HKLM\...\exefile\DefaultIcon: %1 => OK

    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-01-30 05:31:27

    Restore point made on: 2013-01-30 05:32:36

    Restore point made on: 2013-01-30 05:32:42

    Restore point made on: 2013-01-30 05:32:46

    Restore point made on: 2013-01-30 05:32:50

    ==================== Memory info ===========================

    Percentage of memory in use: 20%

    Total physical RAM: 1995.59 MB

    Available physical RAM: 1587.83 MB

    Total Pagefile: 1995.59 MB

    Available Pagefile: 1591.28 MB

    Total Virtual: 2047.88 MB

    Available Virtual: 1948.7 MB

    ==================== Partitions =============================

    1 Drive c: (OS) (Fixed) (Total:139.31 GB) (Free:0.96 GB) NTFS

    3 Drive f: (USB20FD) (Removable) (Total:15.22 GB) (Free:15.2 GB) FAT32

    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    5 Drive y: (RECOVERY) (Fixed) (Total:9.59 GB) (Free:4.85 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online          149 GB      0 B
    Disk 1    Online           15 GB      0 B

    Partitions of Disk 0:

    ===============

    Disk ID: 08000000

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    OEM                109 MB    31 KB
    Partition 2    Primary              9 GB   110 MB
    Partition 3    Primary            139 GB     9 GB

    =========================================================

    Disk: 0

    Partition 1

    Type : DE

    Hidden: Yes

    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4                    FAT    Partition    109 MB  Healthy    Hidden

    =========================================================

    Disk: 0

    Partition 2

    Type : 07

    Hidden: No

    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   Y   RECOVERY     NTFS   Partition      9 GB  Healthy

    =========================================================

    Disk: 0

    Partition 3

    Type : 07

    Hidden: No

    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   C   OS           NTFS   Partition    139 GB  Healthy

    =========================================================

    Partitions of Disk 1:

    ===============

    Disk ID: C3072E18

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary             15 GB    24 KB

    =========================================================

    Disk: 1

    Partition 1

    Type : 0C

    Hidden: No

    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   F   USB20FD      FAT32  Removable     15 GB  Healthy

    =========================================================

    Last Boot: 2013-01-24 05:53

    ==================== End Of Log ============================

    Farbar Recovery Scan Tool (x86) Version: 28-01-2013 02

    Ran by SYSTEM at 2013-01-30 12:42:07

    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe

    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    === End Of Search ===
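The scan log in this post shows the autostart pattern that the fix in the reply above removed: three DLLs under AppData\Roaming loaded through rundll32 from HKU Run keys, a Winlogon Shell value chained to a second file, and a COM InprocServer32 default redirected into a $Recycle.Bin folder, which FRST marks as ZeroAccess. The Python script below is an added example written for this page, not FRST's own code and not anything posted in the thread: it parses lines in the format FRST uses for its registry section and applies those checks, plus a date heuristic, to a constructed sample made of lines copied from the log above. The rule wording, the directory prefixes treated as normal for a COM server, and the two-day date window are my assumptions.

```python
"""Triage of FRST 'Registry (Whitelisted)' lines for suspicious autostarts.

Added example for this page; not FRST's code and not posted by anyone in
the thread.  SAMPLE_LOG is a constructed subset of lines copied from the
scan log above.  Rule wording and the two-day date window are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample: seven lines taken verbatim from the FRST.txt in this post.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
HKU\Owner\...\Run: [osrsh] rundll32.exe "C:\Users\Owner\AppData\Roaming\osrsh.dll",PSTSetNewData [160768 2013-01-29] (Syntek Corporation)
HKU\Owner\...\Run: [winax] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\winax.dll",ASTFromString [613888 2013-01-29] (Ray Hinchliffe)
HKU\Owner\...\Winlogon: [shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [94208 2011-11-16] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$47948b2fda6c8a44705b1405ef19b4b1\n. ATTENTION! ====> ZeroAccess
AppInit_DLLs: C:\PROGRA~1\KEYCRY~1\KEYCRY~3.DLL
Lsa: [Authentication Packages] msv1_0 wvauth
"""
SCAN_DATE = date(2013, 1, 30)  # date on the FRST.txt header above

# FRST registry line: "<key>: [<name>] <command> [<size> <yyyy-mm-dd>] (<company>)"
# The bracketed name, the size/date block and the company are each optional.
ENTRY_RE = re.compile(
    r"^(?P<key>[^:]+):\s+"
    r"(?:\[(?P<name>[^\]]+)\]\s+)?"
    r"(?P<cmd>.*?)"
    r"(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?:\s+\((?P<company>[^)]*)\))?\s*$"
)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass
class Entry:
    key: str
    name: Optional[str]
    cmd: str
    file_date: Optional[date]
    company: Optional[str]
    raw: str


def parse_frst_registry(text: str) -> List[Entry]:
    """Parse every line that matches FRST's registry-section format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line) if line else None
        if not m:
            continue
        d = m.group("date")
        entries.append(Entry(key=m.group("key"), name=m.group("name"),
                             cmd=m.group("cmd").strip(),
                             file_date=date.fromisoformat(d) if d else None,
                             company=m.group("company"), raw=line))
    return entries


def findings_for(e: Entry, scan_date: date) -> List[str]:
    """Return the reasons an entry deserves a look; an empty list means none."""
    key, name, low = e.key.lower(), (e.name or "").lower(), e.cmd.lower()
    hits = []
    if "rundll32" in low and USER_PROFILE_RE.search(e.cmd):
        hits.append("rundll32 loads a DLL from a user-profile directory")
    if key.endswith("winlogon") and name == "shell" and low != "explorer.exe":
        hits.append("Winlogon Shell is not exactly explorer.exe")
    if "$recycle.bin" in low:
        hits.append("code path under $Recycle.Bin (ZeroAccess-style hiding)")
    if "inprocserver32" in key and not low.startswith(("c:\\windows\\", "c:\\program files")):
        hits.append("COM InprocServer32 points outside the Windows/Program Files trees")
    if key == "appinit_dlls" and e.cmd:
        hits.append("AppInit_DLLs set: DLL is loaded into every process that loads user32.dll")
    if key == "lsa" and name == "authentication packages":
        extra = [p for p in e.cmd.split() if p.lower() != "msv1_0"]
        if extra:
            hits.append("non-default LSA authentication package(s): " + ", ".join(extra))
    # Heuristic (assumed window): files written right before the symptoms began.
    if e.file_date and scan_date - e.file_date <= timedelta(days=2):
        hits.append(f"file dated {e.file_date}, within 2 days of the scan")
    return hits


def triage(text: str, scan_date: date) -> Dict[str, List[str]]:
    """Map each flagged raw log line to its list of findings."""
    result = {}
    for e in parse_frst_registry(text):
        hits = findings_for(e, scan_date)
        if hits:
            result[e.raw] = hits
    return result


def triage_sample() -> Dict[str, List[str]]:
    """Run the rules over the constructed sample with the log's scan date."""
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for raw, hits in triage_sample().items():
        print(raw)
        for h in hits:
            print("    ->", h)
```

Six of the seven sample lines are flagged; the Microsoft Security Client entry passes because nothing about where or how it loads is unusual. The rules key on where code is loaded from, not on the company string in the file's version information: the three Roaming DLLs in this log carry hardware-vendor company names that would sail through a string check. The AppInit_DLLs and LSA hits are listed for review rather than removal. The AppInit path resolves to the KeyCryptSDK folder that the Zemana Ltd. driver entries in this log belong to, the extra LSA package is not identified anywhere in the log, and the fix in the reply above left both entries untouched.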
