Posts posted by probo
Oh sorry! Windows 7 64-bit
I currently have the FBI ransomware and it's preventing me from getting on my computer at all. Obviously it blocks me on normal startup, lock screen in safe mode, I can't even start in command prompt. I can get to command prompt if I go through "repair your computer" however. I am completely willing and would like to reinitialize the hard drive and reinstall the OS, but there are some files that I need to get off the computer first. Would it even be possible to retrieve these files or would it require removal of the virus first?
FBI virus... is there a way to save my files?
in Resolved Malware Removal Logs
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-05-2013
Ran by SYSTEM on 28-05-2013 09:08:56
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [mwlDaemon] .EXE [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060832 2010-02-08] (Realtek Semiconductor)
HKLM\...\Run: [PLFSetI] DOWS\PLFSETI.EXE [x]
HKLM\...\Run: [synTPEnh] H.EXE [x]
HKLM\...\Run: [Acer ePower Management] T\EPOWERTRAY.EXE [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM\...\Winlogon: [shell] regsvr32 /n /i /s "C:\Users\kris\AppData\Local\lxctm.snr" [x ] () <=== ATTENTION
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k [260608 2010-03-08] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [588648 2009-07-24] (Symantec Corporation)
HKLM-x32\...\Run: [suiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [337264 2010-02-01] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-01-22] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [908368 2010-04-08] (Dritek System Inc.)
HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [935288 2009-09-04] (Adobe Systems Incorporated)
HKU\kris\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-04-01] (Google Inc.)
HKU\kris\...\Run: [ctfmon.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\lbqewi.dat,FG00 [128000 2013-05-16] (Hilgraeve, Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\ctfmon.lnk
ShortcutTarget: ctfmon.lnk -> C:\Windows\System32\regsvr32.exe (Microsoft Corporation)
Startup: C:\Users\kris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\PROGRA~3\lbqewi.dat (Hilgraeve, Inc.)
==================== Services (Whitelisted) =================
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)
==================== Drivers (Whitelisted) ====================
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-05-28 09:08 - 2013-05-28 09:08 - 00000000 ____D C:\FRST
2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\Users\kris\AppData\Local\lxctm.snr
2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\Users\kris\AppData\Local\jtgfhmhp.lbb
2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\ProgramData\ppnbva.smv
2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\ProgramData\hkcajpz.xzw
2013-05-20 03:29 - 2013-05-20 03:29 - 01011316 ____A C:\Users\kris\Desktop\BUS172A - Chap07-S - BKMEss9e.pptx
2013-05-19 23:56 - 2013-05-19 23:56 - 02159586 ____A C:\Users\kris\Desktop\BUS172A - Chap06-S - BKMEss9e.pptx
2013-05-17 00:59 - 2013-05-17 00:59 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
2013-05-17 00:46 - 2013-05-17 00:46 - 00002634 ____A C:\ProgramData\iweqbl.js
2013-05-16 14:08 - 2013-05-18 11:03 - 95023320 ___AT C:\ProgramData\iweqbl.pad
2013-05-16 14:08 - 2013-05-18 11:03 - 00000000 ____A C:\ProgramData\as98213.txt
2013-05-16 14:08 - 2013-05-16 14:08 - 00128000 ____A (Hilgraeve, Inc.) C:\ProgramData\lbqewi.dat
2013-05-16 14:08 - 2013-05-16 14:08 - 00000152 ____A C:\ProgramData\iweqbl.reg
2013-05-16 14:08 - 2013-05-16 14:08 - 00000056 ____A C:\ProgramData\iweqbl.bat
2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\Users\kris\AppData\Roaming\Malwarebytes
2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-16 07:57 - 2013-04-04 13:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-16 07:55 - 2013-05-16 07:55 - 00000000 ____D C:\Users\kris\Desktop\rkill
2013-05-16 07:33 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-16 07:33 - 2013-04-04 22:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-16 07:33 - 2013-04-04 22:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-16 07:33 - 2013-04-04 22:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-16 07:33 - 2013-04-04 22:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-16 07:33 - 2013-04-04 22:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-16 07:33 - 2013-04-04 22:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-16 07:33 - 2013-04-04 22:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-16 07:33 - 2013-04-04 22:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-16 07:33 - 2013-04-04 22:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-16 07:33 - 2013-04-04 22:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-16 07:33 - 2013-04-04 22:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-16 07:33 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-16 07:33 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-16 07:33 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-05-16 07:33 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-16 07:33 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-16 07:33 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-16 07:33 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-05-16 07:32 - 2013-04-04 22:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-16 07:32 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-16 07:32 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-16 07:32 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-16 07:30 - 2013-05-17 00:51 - 00003114 ____A C:\Users\kris\Desktop\Rkill.txt
2013-05-16 07:30 - 2013-05-16 07:30 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-4300.exe
2013-05-15 21:54 - 2013-05-15 21:54 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\kris\Desktop\mbam-setup-1.75.0.1300.exe
2013-05-15 21:54 - 2013-05-15 21:54 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-22644.exe
2013-05-15 21:54 - 2013-05-15 21:54 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-22595.exe
2013-05-15 21:52 - 2013-05-15 21:54 - 00000948 ____A C:\Users\kris\Desktop\lsass.exe.txt
2013-05-15 21:52 - 2013-05-15 21:52 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64.exe
2013-05-15 21:51 - 2013-05-15 21:51 - 01761408 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe.exe
2013-05-15 21:03 - 2013-05-15 21:03 - 00002052 ____A C:\Users\kris\Desktop\System Care Antivirus.lnk
2013-05-15 11:25 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-15 11:25 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-15 11:25 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-15 11:24 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-15 11:24 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-15 11:24 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-15 11:24 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-15 11:24 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-15 11:24 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-15 11:24 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-15 11:24 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-15 11:24 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-15 11:24 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-15 11:24 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-13 23:36 - 2013-05-13 23:36 - 01052552 ____A C:\Windows\Minidump\051413-24928-01.dmp
2013-05-13 15:11 - 2013-05-13 15:11 - 00000013 ____A C:\Users\kris\Documents\hgcdy.txt
2013-05-13 08:48 - 2013-05-13 08:48 - 00001175 ____A C:\Users\kris\Desktop\url.htm
2013-05-12 19:29 - 2013-05-13 01:28 - 00045376 ____A C:\Users\kris\Desktop\F-F_Research_Data_Factors.txt
2013-05-11 13:51 - 2013-05-11 13:51 - 00000000 ___SD C:\Users\kris\Documents\My Data Sources
2013-05-11 10:51 - 2013-05-13 08:54 - 00000000 ____D C:\Users\kris\Documents\intestment analysis
2013-05-11 10:38 - 2013-05-11 10:38 - 00000000 ____D C:\Program Files (x86)\Microsoft Sync Framework
2013-05-10 14:35 - 2013-05-10 14:35 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
2013-05-10 14:11 - 2013-05-11 10:31 - 681867016 ____A (Microsoft Corporation) C:\Users\kris\Downloads\X16-32250.exe
2013-04-28 22:25 - 2013-04-28 22:25 - 00000000 ____D C:\Users\kris\Documents\Magic, Science, Religion
==================== One Month Modified Files and Folders =======
2013-05-28 09:08 - 2013-05-28 09:08 - 00000000 ____D C:\FRST
2013-05-25 10:34 - 2009-07-27 12:26 - 00000000 ___DC C:\elements
2013-05-25 09:46 - 2010-04-01 10:22 - 01869092 ____A C:\Windows\PFRO.log
2013-05-25 09:46 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-25 09:46 - 2009-07-13 20:51 - 00067967 ____A C:\Windows\setupact.log
2013-05-25 09:41 - 2012-11-26 13:21 - 01309449 ____A C:\Windows\WindowsUpdate.log
2013-05-25 09:41 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-25 09:41 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\Users\kris\AppData\Local\lxctm.snr
2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\Users\kris\AppData\Local\jtgfhmhp.lbb
2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\ProgramData\ppnbva.smv
2013-05-25 01:52 - 2013-05-25 01:52 - 00057856 ____A C:\ProgramData\hkcajpz.xzw
2013-05-22 14:48 - 2012-11-27 23:30 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-20 03:29 - 2013-05-20 03:29 - 01011316 ____A C:\Users\kris\Desktop\BUS172A - Chap07-S - BKMEss9e.pptx
2013-05-19 23:56 - 2013-05-19 23:56 - 02159586 ____A C:\Users\kris\Desktop\BUS172A - Chap06-S - BKMEss9e.pptx
2013-05-18 11:03 - 2013-05-16 14:08 - 95023320 ___AT C:\ProgramData\iweqbl.pad
2013-05-18 11:03 - 2013-05-16 14:08 - 00000000 ____A C:\ProgramData\as98213.txt
2013-05-17 03:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-05-17 02:23 - 2009-07-13 20:45 - 00426720 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-17 00:59 - 2013-05-17 00:59 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
2013-05-17 00:51 - 2013-05-16 07:30 - 00003114 ____A C:\Users\kris\Desktop\Rkill.txt
2013-05-17 00:46 - 2013-05-17 00:46 - 00002634 ____A C:\ProgramData\iweqbl.js
2013-05-16 14:08 - 2013-05-16 14:08 - 00128000 ____A (Hilgraeve, Inc.) C:\ProgramData\lbqewi.dat
2013-05-16 14:08 - 2013-05-16 14:08 - 00000152 ____A C:\ProgramData\iweqbl.reg
2013-05-16 14:08 - 2013-05-16 14:08 - 00000056 ____A C:\ProgramData\iweqbl.bat
2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\Users\kris\AppData\Roaming\Malwarebytes
2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-16 07:57 - 2013-05-16 07:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-16 07:55 - 2013-05-16 07:55 - 00000000 ____D C:\Users\kris\Desktop\rkill
2013-05-16 07:42 - 2010-04-01 10:14 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-16 07:38 - 2009-07-13 21:13 - 00740374 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-16 07:30 - 2013-05-16 07:30 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-4300.exe
2013-05-15 21:54 - 2013-05-15 21:54 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\kris\Desktop\mbam-setup-1.75.0.1300.exe
2013-05-15 21:54 - 2013-05-15 21:54 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-22644.exe
2013-05-15 21:54 - 2013-05-15 21:54 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64-22595.exe
2013-05-15 21:54 - 2013-05-15 21:52 - 00000948 ____A C:\Users\kris\Desktop\lsass.exe.txt
2013-05-15 21:52 - 2013-05-15 21:52 - 00963200 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe64.exe
2013-05-15 21:51 - 2013-05-15 21:51 - 01761408 ____A (Bleeping Computer, LLC) C:\Users\kris\Desktop\lsass.exe.exe
2013-05-15 21:03 - 2013-05-15 21:03 - 00002052 ____A C:\Users\kris\Desktop\System Care Antivirus.lnk
2013-05-14 20:41 - 2012-11-27 23:30 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-14 20:41 - 2012-11-27 23:30 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-13 23:36 - 2013-05-13 23:36 - 01052552 ____A C:\Windows\Minidump\051413-24928-01.dmp
2013-05-13 23:36 - 2012-11-28 02:53 - 00000000 ____D C:\Windows\Minidump
2013-05-13 23:35 - 2012-11-28 02:53 - 240148356 ____A C:\Windows\MEMORY.DMP
2013-05-13 15:11 - 2013-05-13 15:11 - 00000013 ____A C:\Users\kris\Documents\hgcdy.txt
2013-05-13 14:04 - 2012-11-28 01:45 - 00005552 ____A C:\Users\kris\AppData\Roaming\wklnhst.dat
2013-05-13 14:04 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-05-13 09:07 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2013-05-13 08:54 - 2013-05-11 10:51 - 00000000 ____D C:\Users\kris\Documents\intestment analysis
2013-05-13 08:48 - 2013-05-13 08:48 - 00001175 ____A C:\Users\kris\Desktop\url.htm
2013-05-13 01:28 - 2013-05-12 19:29 - 00045376 ____A C:\Users\kris\Desktop\F-F_Research_Data_Factors.txt
2013-05-12 13:42 - 2012-11-29 15:24 - 00000000 ____D C:\Users\kris\AppData\Local\Microsoft Help
2013-05-11 23:41 - 2012-11-26 13:25 - 00111288 ____A C:\Users\kris\AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-11 13:51 - 2013-05-11 13:51 - 00000000 ___SD C:\Users\kris\Documents\My Data Sources
2013-05-11 10:40 - 2010-04-01 10:56 - 00000000 ____D C:\Windows\ShellNew
2013-05-11 10:39 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
2013-05-11 10:38 - 2013-05-11 10:38 - 00000000 ____D C:\Program Files (x86)\Microsoft Sync Framework
2013-05-11 10:38 - 2010-04-01 10:14 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2013-05-11 10:31 - 2013-05-10 14:11 - 681867016 ____A (Microsoft Corporation) C:\Users\kris\Downloads\X16-32250.exe
2013-05-10 14:35 - 2013-05-10 14:35 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
2013-04-30 23:48 - 2013-02-13 01:17 - 00000000 ____D C:\Users\kris\Documents\Business Ethics
2013-04-28 22:25 - 2013-04-28 22:25 - 00000000 ____D C:\Users\kris\Documents\Magic, Science, Religion
Other Malware:
===========
C:\ProgramData\rundll32.exe
C:\Users\kris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
C:\ProgramData\iweqbl.bat
C:\ProgramData\iweqbl.pad
C:\ProgramData\iweqbl.reg
C:\ProgramData\lbqewi.dat
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2013-05-10 14:32:29
Restore point made on: 2013-05-10 15:03:32
Restore point made on: 2013-05-11 10:33:51
Restore point made on: 2013-05-11 14:11:01
Restore point made on: 2013-05-12 09:38:54
Restore point made on: 2013-05-12 12:16:08
Restore point made on: 2013-05-13 09:05:33
Restore point made on: 2013-05-16 07:29:19
Restore point made on: 2013-05-17 02:00:51
==================== Memory info ===========================
Percentage of memory in use: 33%
Total physical RAM: 1790.17 MB
Available physical RAM: 1189.21 MB
Total Pagefile: 1790.17 MB
Available Pagefile: 1175.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB
==================== Drives ================================
Drive c: (ACER) (Fixed) (Total:220.09 GB) (Free:167.68 GB) NTFS (Disk=0 Partition=3)
Drive e: (PQSERVICE) (Fixed) (Total:12.7 GB) (Free:1.71 GB) NTFS (Disk=0 Partition=1)
Drive f: () (Removable) (Total:0.98 GB) (Free:0.97 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 233 GB) (Disk ID: 494B494A)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=220 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 1000 MB) (Disk ID: 91F72D24)
Partition 1: (Active) - (Size=1000 MB) - (Type=06)
Last Boot: 2013-05-25 09:23
==================== End Of Log ============================