Everything posted by probo

  1. Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-05-2013
     Ran by SYSTEM on 28-05-2013 09:08:56
     Running from F:\
     Windows 7 Home Premium (X64) OS Language: English(US)
     Internet Explorer Version 9
     Boot Mode: Recovery
     The current controlset is ControlSet002
     ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

     ==================== Registry (Whitelisted) ==================
     HKLM\...\Run: [mwlDaemon] .EXE [x]
     HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060832 2010-02-08] (Realtek Semiconductor)
     HKLM\...\Run: [PLFSetI] DOWS\PLFSETI.EXE [x]
     HKLM\...\Run: [synTPEnh] H.EXE [x]
     HKLM\...\Run: [Acer ePower Management] T\EPOWERTRAY.EXE [x]
     HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
     HKLM\...\Winlogon: [shell] regsvr32 /n /i /s "C:\Users\kris\AppData\Local\lxctm.snr" [x ] () <=== ATTENTION
     HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
     HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1532992 2013-03-13] (McAfee, Inc.)
     HKLM-x32\...\Run: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k [260608 2010-03-08] (NewTech Infosystems, Inc.)
     HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [588648 2009-07-24] (Symantec Corporation)
     HKLM-x32\...\Run: [suiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [337264 2010-02-01] (Egis Technology Inc.)
     HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201512 2009-12-24] (Egis Technology Inc.)
     HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [401192 2009-12-24] (Egis Technology Inc.)
     HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-01-22] (Advanced Micro Devices, Inc.)
     HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [908368 2010-04-08] (Dritek System Inc.)
     HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
     HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
     HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [935288 2009-09-04] (Adobe Systems Incorporated)
     HKU\kris\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-04-01] (Google Inc.)
     HKU\kris\...\Run: [ctfmon.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\lbqewi.dat,FG00 [128000 2013-05-16] (Hilgraeve, Inc.)
     Startup: C:\ProgramData\Start Menu\Programs\Startup\ctfmon.lnk
     ShortcutTarget: ctfmon.lnk -> C:\Windows\System32\regsvr32.exe (Microsoft Corporation)
     Startup: C:\Users\kris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
     ShortcutTarget: msconfig.lnk -> C:\PROGRA~3\lbqewi.dat (Hilgraeve, Inc.)

     ==================== Services (Whitelisted) =================
     S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
     S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
     S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
     S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
     S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
     S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
     S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
     S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
     S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
     S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
     S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
     S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
     S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)

     ==================== Drivers (Whitelisted) ====================
     S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
     S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
     S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
     S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
     S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
     S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
     S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
     S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)

     ==================== NetSvcs (Whitelisted) ===================

     ==================== One Month Created Files and Folders ========
     2013-05-28 09:08 - 2013-05-28 09:08 - 00000000 ____D C:\FRST
     2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\Users\kris\AppData\Local\lxctm.snr
     2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\Users\kris\AppData\Local\jtgfhmhp.lbb
     2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\ProgramData\ppnbva.smv
     2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\ProgramData\hkcajpz.xzw
     2013-05-20 03:29 - 2013-05-20 03:29 - 01011316 ____A C:\Users\kris\Desktop\BUS172A - Chap07-S - BKMEss9e.pptx
     2013-05-19 23:56 - 2013-05-19 23:56 - 02159586 ____A C:\Users\kris\Desktop\BUS172A - Chap06-S - BKMEss9e.pptx
     2013-05-17 00:59 - 2013-05-17 00:59 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
     2013-05-17 00:46 - 2013-05-17 00:46 - 00002634 ____A C:\ProgramData\iweqbl.js
     2013-05-16 14:08 - 2013-05-18 11:03 - 95023320 ___AT C:\ProgramData\iweqbl.pad
     2013-05-16 14:08 - 2013-05-18 11:03 - 00000000 ____A C:\ProgramData\as98213.txt
     2013-05-16 14:08 - 2013-05-16 14:08 - 00128000 ____A (Hilgraeve, Inc.) C:\ProgramData\lbqewi.dat
     2013-05-16 14:08 - 2013-05-16 14:08 - 00000152 ____A C:\ProgramData\iweqbl.reg
     2013-05-16 14:08 - 2013-05-16 14:08 - 00000056 ____A C:\ProgramData\iweqbl.bat
     2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\Users\kris\AppData\Roaming\Malwarebytes
     2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\ProgramData\Malwarebytes
     2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
     2013-05-16 07:57 - 2013-04-04 13:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
     2013-05-16 07:55 - 2013-05-16 07:55 - 00000000 ____D C:\Users\kris\Desktop\rkill
     2013-05-16 07:33 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
     2013-05-16 07:33 - 2013-04-04 22:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
     2013-05-16 07:33 - 2013-04-04 22:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
     2013-05-16 07:33 - 2013-04-04 22:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
     2013-05-16 07:33 - 2013-04-04 22:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
     2013-05-16 07:33 - 2013-04-04 22:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
     2013-05-16 07:33 - 2013-04-04 22:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
     2013-05-16 07:33 - 2013-04-04 22:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
     2013-05-16 07:33 - 2013-04-04 22:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
     2013-05-16 07:33 - 2013-04-04 22:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
     2013-05-16 07:33 - 2013-04-04 22:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
     2013-05-16 07:33 - 2013-04-04 22:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
     2013-05-16 07:33 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
     2013-05-16 07:33 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
     2013-05-16 07:33 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
     2013-05-16 07:33 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
     2013-05-16 07:33 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
     2013-05-16 07:33 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
     2013-05-16 07:33 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
     2013-05-16 07:32 - 2013-04-04 22:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
     2013-05-16 07:32 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
     2013-05-16 07:32 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
     2013-05-16 07:32 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
     2013-05-16 07:30 - 2013-05-17 00:51 - 00003114 ____A C:\Users\kris\Desktop\Rkill.txt
     2013-05-16 07:30 - 2013-05-16 07:30 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-4300.exe
     2013-05-15 21:54 - 2013-05-15 21:54 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\kris\Desktop\mbam-setup-1.75.0.1300.exe
     2013-05-15 21:54 - 2013-05-15 21:54 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-22644.exe
     2013-05-15 21:54 - 2013-05-15 21:54 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-22595.exe
     2013-05-15 21:52 - 2013-05-15 21:54 - 00000948 ____A C:\Users\kris\Desktop\lsass.exe.txt
     2013-05-15 21:52 - 2013-05-15 21:52 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64.exe
     2013-05-15 21:51 - 2013-05-15 21:51 - 01761408 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe.exe
     2013-05-15 21:03 - 2013-05-15 21:03 - 00002052 ____A C:\Users\kris\Desktop\System Care Antivirus.lnk
     2013-05-15 11:25 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
     2013-05-15 11:25 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
     2013-05-15 11:25 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
     2013-05-15 11:24 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
     2013-05-15 11:24 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
     2013-05-15 11:24 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
     2013-05-15 11:24 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
     2013-05-15 11:24 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
     2013-05-15 11:24 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
     2013-05-15 11:24 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
     2013-05-15 11:24 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
     2013-05-15 11:24 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
     2013-05-15 11:24 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
     2013-05-15 11:24 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
     2013-05-13 23:36 - 2013-05-13 23:36 - 01052552 ____A C:\Windows\Minidump\051413-24928-01.dmp
     2013-05-13 15:11 - 2013-05-13 15:11 - 00000013 ____A C:\Users\kris\Documents\hgcdy.txt
     2013-05-13 08:48 - 2013-05-13 08:48 - 00001175 ____A C:\Users\kris\Desktop\url.htm
     2013-05-12 19:29 - 2013-05-13 01:28 - 00045376 ____A C:\Users\kris\Desktop\F-F_Research_Data_Factors.txt
     2013-05-11 13:51 - 2013-05-11 13:51 - 00000000 ___SD C:\Users\kris\Documents\My Data Sources
     2013-05-11 10:51 - 2013-05-13 08:54 - 00000000 ____D C:\Users\kris\Documents\intestment analysis
     2013-05-11 10:38 - 2013-05-11 10:38 - 00000000 ____D C:\Program Files (x86)\Microsoft Sync Framework
     2013-05-10 14:35 - 2013-05-10 14:35 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
     2013-05-10 14:11 - 2013-05-11 10:31 - 681867016 ____A (Microsoft Corporation) C:\Users\kris\Downloads\X16-32250.exe
     2013-04-28 22:25 - 2013-04-28 22:25 - 00000000 ____D C:\Users\kris\Documents\Magic, Science, Religion

     ==================== One Month Modified Files and Folders =======
     2013-05-28 09:08 - 2013-05-28 09:08 - 00000000 ____D C:\FRST
     2013-05-25 10:34 - 2009-07-27 12:26 - 00000000 ___DC C:\elements
     2013-05-25 09:46 - 2010-04-01 10:22 - 01869092 ____A C:\Windows\PFRO.log
     2013-05-25 09:46 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
     2013-05-25 09:46 - 2009-07-13 20:51 - 00067967 ____A C:\Windows\setupact.log
     2013-05-25 09:41 - 2012-11-26 13:21 - 01309449 ____A C:\Windows\WindowsUpdate.log
     2013-05-25 09:41 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2013-05-25 09:41 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\Users\kris\AppData\Local\lxctm.snr
     2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\Users\kris\AppData\Local\jtgfhmhp.lbb
     2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\ProgramData\ppnbva.smv
     2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\ProgramData\hkcajpz.xzw
     2013-05-22 14:48 - 2012-11-27 23:30 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
     2013-05-20 03:29 - 2013-05-20 03:29 - 01011316 ____A C:\Users\kris\Desktop\BUS172A - Chap07-S - BKMEss9e.pptx
     2013-05-19 23:56 - 2013-05-19 23:56 - 02159586 ____A C:\Users\kris\Desktop\BUS172A - Chap06-S - BKMEss9e.pptx
     2013-05-18 11:03 - 2013-05-16 14:08 - 95023320 ___AT C:\ProgramData\iweqbl.pad
     2013-05-18 11:03 - 2013-05-16 14:08 - 00000000 ____A C:\ProgramData\as98213.txt
     2013-05-17 03:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
     2013-05-17 02:23 - 2009-07-13 20:45 - 00426720 ____A C:\Windows\System32\FNTCACHE.DAT
     2013-05-17 00:59 - 2013-05-17 00:59 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
     2013-05-17 00:51 - 2013-05-16 07:30 - 00003114 ____A C:\Users\kris\Desktop\Rkill.txt
     2013-05-17 00:46 - 2013-05-17 00:46 - 00002634 ____A C:\ProgramData\iweqbl.js
     2013-05-16 14:08 - 2013-05-16 14:08 - 00128000 ____A (Hilgraeve, Inc.) C:\ProgramData\lbqewi.dat
     2013-05-16 14:08 - 2013-05-16 14:08 - 00000152 ____A C:\ProgramData\iweqbl.reg
     2013-05-16 14:08 - 2013-05-16 14:08 - 00000056 ____A C:\ProgramData\iweqbl.bat
     2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\Users\kris\AppData\Roaming\Malwarebytes
     2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\ProgramData\Malwarebytes
     2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
     2013-05-16 07:55 - 2013-05-16 07:55 - 00000000 ____D C:\Users\kris\Desktop\rkill
     2013-05-16 07:42 - 2010-04-01 10:14 - 00000000 ____D C:\ProgramData\Microsoft Help
     2013-05-16 07:38 - 2009-07-13 21:13 - 00740374 ____A C:\Windows\System32\PerfStringBackup.INI
     2013-05-16 07:30 - 2013-05-16 07:30 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-4300.exe
     2013-05-15 21:54 - 2013-05-15 21:54 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\kris\Desktop\mbam-setup-1.75.0.1300.exe
     2013-05-15 21:54 - 2013-05-15 21:54 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-22644.exe
     2013-05-15 21:54 - 2013-05-15 21:54 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-22595.exe
     2013-05-15 21:54 - 2013-05-15 21:52 - 00000948 ____A C:\Users\kris\Desktop\lsass.exe.txt
     2013-05-15 21:52 - 2013-05-15 21:52 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64.exe
     2013-05-15 21:51 - 2013-05-15 21:51 - 01761408 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe.exe
     2013-05-15 21:03 - 2013-05-15 21:03 - 00002052 ____A C:\Users\kris\Desktop\System Care Antivirus.lnk
     2013-05-14 20:41 - 2012-11-27 23:30 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
     2013-05-14 20:41 - 2012-11-27 23:30 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
     2013-05-13 23:36 - 2013-05-13 23:36 - 01052552 ____A C:\Windows\Minidump\051413-24928-01.dmp
     2013-05-13 23:36 - 2012-11-28 02:53 - 00000000 ____D C:\Windows\Minidump
     2013-05-13 23:35 - 2012-11-28 02:53 - 240148356 ____A C:\Windows\MEMORY.DMP
     2013-05-13 15:11 - 2013-05-13 15:11 - 00000013 ____A C:\Users\kris\Documents\hgcdy.txt
     2013-05-13 14:04 - 2012-11-28 01:45 - 00005552 ____A C:\Users\kris\AppData\Roaming\wklnhst.dat
     2013-05-13 14:04 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
     2013-05-13 09:07 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
     2013-05-13 08:54 - 2013-05-11 10:51 - 00000000 ____D C:\Users\kris\Documents\intestment analysis
     2013-05-13 08:48 - 2013-05-13 08:48 - 00001175 ____A C:\Users\kris\Desktop\url.htm
     2013-05-13 01:28 - 2013-05-12 19:29 - 00045376 ____A C:\Users\kris\Desktop\F-F_Research_Data_Factors.txt
     2013-05-12 13:42 - 2012-11-29 15:24 - 00000000 ____D C:\Users\kris\AppData\Local\Microsoft Help
     2013-05-11 23:41 - 2012-11-26 13:25 - 00111288 ____A C:\Users\kris\AppData\Local\GDIPFONTCACHEV1.DAT
     2013-05-11 13:51 - 2013-05-11 13:51 - 00000000 ___SD C:\Users\kris\Documents\My Data Sources
     2013-05-11 10:40 - 2010-04-01 10:56 - 00000000 ____D C:\Windows\ShellNew
     2013-05-11 10:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
     2013-05-11 10:38 - 2013-05-11 10:38 - 00000000 ____D C:\Program Files (x86)\Microsoft Sync Framework
     2013-05-11 10:38 - 2010-04-01 10:14 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
     2013-05-11 10:31 - 2013-05-10 14:11 - 681867016 ____A (Microsoft Corporation) C:\Users\kris\Downloads\X16-32250.exe
     2013-05-10 14:35 - 2013-05-10 14:35 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
     2013-04-30 23:48 - 2013-02-13 01:17 - 00000000 ____D C:\Users\kris\Documents\Business Ethics
     2013-04-28 22:25 - 2013-04-28 22:25 - 00000000 ____D C:\Users\kris\Documents\Magic, Science, Religion

     Other Malware: ===========
     C:\ProgramData\rundll32.exe
     C:\Users\kris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
     C:\ProgramData\iweqbl.bat
     C:\ProgramData\iweqbl.pad
     C:\ProgramData\iweqbl.reg
     C:\ProgramData\lbqewi.dat

     ==================== Known DLLs (Whitelisted) ================

     ==================== Bamital & volsnap Check =================
     C:\Windows\System32\winlogon.exe => MD5 is legit
     C:\Windows\System32\wininit.exe => MD5 is legit
     C:\Windows\SysWOW64\wininit.exe => MD5 is legit
     C:\Windows\explorer.exe => MD5 is legit
     C:\Windows\SysWOW64\explorer.exe => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\SysWOW64\svchost.exe => MD5 is legit
     C:\Windows\System32\services.exe => MD5 is legit
     C:\Windows\System32\User32.dll => MD5 is legit
     C:\Windows\SysWOW64\User32.dll => MD5 is legit
     C:\Windows\System32\userinit.exe => MD5 is legit
     C:\Windows\SysWOW64\userinit.exe => MD5 is legit
     C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

     ==================== EXE ASSOCIATION =====================
     HKLM\...\.exe: exefile => OK
     HKLM\...\exefile\DefaultIcon: %1 => OK
     HKLM\...\exefile\open\command: "%1" %* => OK

     ==================== Restore Points =========================
     Restore point made on: 2013-05-10 14:32:29
     Restore point made on: 2013-05-10 15:03:32
     Restore point made on: 2013-05-11 10:33:51
     Restore point made on: 2013-05-11 14:11:01
     Restore point made on: 2013-05-12 09:38:54
     Restore point made on: 2013-05-12 12:16:08
     Restore point made on: 2013-05-13 09:05:33
     Restore point made on: 2013-05-16 07:29:19
     Restore point made on: 2013-05-17 02:00:51

     ==================== Memory info ===========================
     Percentage of memory in use: 33%
     Total physical RAM: 1790.17 MB
     Available physical RAM: 1189.21 MB
     Total Pagefile: 1790.17 MB
     Available Pagefile: 1175.11 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.86 MB

     ==================== Drives ================================
     Drive c: (ACER) (Fixed) (Total:220.09 GB) (Free:167.68 GB) NTFS (Disk=0 Partition=3)
     Drive e: (PQSERVICE) (Fixed) (Total:12.7 GB) (Free:1.71 GB) NTFS (Disk=0 Partition=1)
     Drive f: () (Removable) (Total:0.98 GB) (Free:0.97 GB) FAT (Disk=1 Partition=1)
     Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
     Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

     ==================== MBR & Partition Table ==================
     ========================================================
     Disk: 0 (MBR Code: Windows Vista) (Size: 233 GB) (Disk ID: 494B494A)
     Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
     Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
     Partition 3: (Not Active) - (Size=220 GB) - (Type=07 NTFS)
     ========================================================
     Disk: 1 (Size: 1000 MB) (Disk ID: 91F72D24)
     Partition 1: (Active) - (Size=1000 MB) - (Type=06)

     Last Boot: 2013-05-25 09:23

     ==================== End Of Log ============================
  2. I currently have the FBI ransomware and it's preventing me from getting on my computer at all. Obviously it blocks me on normal startup, there is a lock screen in Safe Mode, and I can't even start in Command Prompt. I can get to a command prompt if I go through "Repair your computer", however. I am completely willing and would like to reinitialize the hard drive and reinstall the OS, but there are some files that I need to get off the computer first. Would it even be possible to retrieve these files, or would it require removal of the virus first?