help with FBI virus removal can't get into safe mode


kkcc


:welcome: I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

For x32 (x86) bit systems please download the Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

For x64 bit systems please download the Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select Computer, find your flash drive letter and close Notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.


Here are my logs:

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-01-2013 02

Ran by SYSTEM at 22-01-2013 21:08:58

Running from H:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11895400 2011-06-24] (Realtek Semiconductor)

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2735400 2011-03-31] (Synaptics Incorporated)

HKLM\...\Run: [HP LaserJet Professional CM1410 Series Fax] C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe "HP LaserJet Professional CM1410 Series Fax" [3706424 2010-08-24] (Hewlett-Packard Company)

HKLM-x32\...\Run: [ToolboxFX] "C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on [58936 2010-10-25] (Hewlett-Packard Company)

HKLM-x32\...\Run: [brMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [663552 2007-03-23] (Brother Industries, Ltd.)

HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [41944 2012-07-31] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640480 2012-07-30] (Adobe Systems Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)

HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe" [107112 2006-12-07] (Symantec Corporation)

HKLM-x32\...\Run: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe [134808 2006-12-13] (Symantec Corporation)

HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296056 2012-05-30] (RealNetworks, Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)

HKU\KC\...\Run: [Google Update] "C:\Users\KC\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-08] (Google Inc.)

HKU\KC\...\Run: [uploader] C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [x]

HKU\KC\...\Run: [svcml] rundll32.exe "C:\Users\KC\AppData\Roaming\svcml.dll",ARawDecodeDone [165888 2013-01-22] (Pmode)

HKU\KC\...\Winlogon: [shell] explorer.exe,C:\Users\KC\AppData\Roaming\skype.dat [110080 2011-11-16] ()

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$142c56b9109f7c097f172e3181ed74e3\n. ATTENTION! ====> ZeroAccess

Tcpip\Parameters: [DhcpNameServer] 75.153.176.9 75.153.176.1

AppInit_DLLs: C:\windows\system32\nvinitx.dll

Startup: C:\Users\KC\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [107624 2006-12-07] (Symantec Corporation)

2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [107624 2006-12-07] (Symantec Corporation)

2 DefWatch; "C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe" [30872 2006-12-13] (Symantec Corporation)

3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2541248 2006-10-31] (Symantec Corporation)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-05-31] ()

2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-05-31] (Symantec Corporation)

2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [244904 2009-11-30] ()

2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe" [1962136 2006-12-13] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-07-31] (Symantec Corporation)

3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130118.007\ENG64.SYS [126192 2012-12-20] (Symantec Corporation)

3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130118.007\EX64.SYS [2087664 2012-12-20] (Symantec Corporation)

3 rtport; C:\Windows\SysWow64\Drivers\rtport.sys [15144 2011-11-17] (Windows ® 2003 DDK 3790 provider)

1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [394600 2006-11-22] (Symantec Corporation)

3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [426392 2006-11-22] (Symantec Corporation)

1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [30104 2006-11-22] (Symantec Corporation)

3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS [156008 2012-03-07] (Symantec Corporation)

3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-22 20:16 - 2013-01-22 20:34 - 00000004 ____A C:\Users\KC\AppData\Roaming\skype.ini

2013-01-22 20:10 - 2013-01-22 20:10 - 00165888 ____A (Pmode) C:\Users\KC\AppData\Roaming\svcml.dll

2013-01-21 21:10 - 2013-01-21 21:10 - 02350080 ____A C:\Users\KC\Desktop\2012_CHEP_Treatment_EN_Apr30.ppt

2013-01-21 21:10 - 2013-01-21 21:10 - 01930752 ____A C:\Users\KC\Desktop\2012_CHEP_WhatsNew_EN_Apr30.ppt

2013-01-21 19:51 - 2013-01-21 19:52 - 00000000 ____D C:\Users\KC\AppData\Local\{88683492-EE6A-494F-A6BA-962C2561D6F6}

2013-01-20 17:27 - 2013-01-20 17:39 - 00000000 ____D C:\Users\KC\Desktop\lupus proctitis

2013-01-20 16:21 - 2013-01-20 16:21 - 00038400 ____A C:\Users\KC\Desktop\CCU Block 9 Call Schedule.xls

2013-01-17 16:51 - 2013-01-17 17:01 - 00000000 ____D C:\Users\KC\Desktop\wegener

2013-01-15 22:06 - 2013-01-15 22:33 - 00000000 ____D C:\Users\KC\Desktop\cardio trials

2013-01-14 21:06 - 2013-01-14 21:06 - 00000000 ____D C:\Users\KC\AppData\Local\{02671147-CA77-45A0-A176-D5243F314F6E}

2013-01-14 20:05 - 2013-01-22 19:21 - 00000000 ____D C:\Users\KC\Desktop\email dump to sort

2013-01-13 22:35 - 2013-01-17 19:14 - 00000000 ____D C:\Users\KC\Desktop\2013 Apr Edmonton EP electve

2013-01-13 22:35 - 2013-01-13 22:38 - 00000000 ____D C:\Users\KC\Desktop\cardiology case report

2013-01-13 22:34 - 2013-01-17 19:14 - 00000000 ____D C:\Users\KC\Desktop\2013 June Toronto CCU elective

2013-01-13 22:33 - 2013-01-13 22:33 - 00000000 ____D C:\Users\KC\Desktop\other CV reference

2013-01-13 22:32 - 2013-01-13 22:33 - 00000000 ____D C:\Users\KC\Desktop\2013 Apr ACP conference

2013-01-13 18:54 - 2013-01-13 18:54 - 00000000 ____D C:\Users\KC\AppData\Local\{F1FA01CA-1AB8-4BBF-AC58-CF3FC699ACE8}

2013-01-12 19:28 - 2013-01-12 19:28 - 00000000 ____D C:\Users\KC\AppData\Local\{2C0AF6F8-70CD-474E-9027-B69A4C4056E4}

2013-01-12 00:28 - 2013-01-12 00:28 - 00000000 ____D C:\Users\KC\AppData\Local\{AC9A9F47-D1FE-4D49-B9CD-AFA4D4DE9B55}

2013-01-11 23:04 - 2013-01-17 19:14 - 00000000 ____D C:\Users\KC\Desktop\DCIM

2013-01-10 21:50 - 2013-01-10 21:50 - 00000000 ____D C:\Users\KC\AppData\Roaming\Nero

2013-01-10 21:42 - 2013-01-12 21:33 - 00000000 ____D C:\Users\All Users\Seagate

2013-01-10 00:23 - 2012-12-07 05:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll

2013-01-10 00:23 - 2012-12-07 05:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll

2013-01-10 00:23 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll

2013-01-10 00:23 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll

2013-01-10 00:23 - 2012-12-07 03:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs

2013-01-10 00:23 - 2012-12-07 03:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs

2013-01-10 00:23 - 2012-12-07 03:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs

2013-01-10 00:23 - 2012-12-07 03:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs

2013-01-10 00:23 - 2012-12-07 03:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs

2013-01-10 00:23 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs

2013-01-10 00:23 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs

2013-01-10 00:23 - 2012-12-07 03:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs

2013-01-10 00:23 - 2012-12-07 03:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs

2013-01-10 00:23 - 2012-12-07 03:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs

2013-01-10 00:23 - 2012-12-07 03:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs

2013-01-10 00:23 - 2012-12-07 03:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs

2013-01-10 00:23 - 2012-12-07 03:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs

2013-01-10 00:23 - 2012-12-07 03:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs

2013-01-10 00:23 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs

2013-01-10 00:23 - 2012-11-21 21:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll

2013-01-10 00:23 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll

2013-01-10 00:23 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-01-10 00:23 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2013-01-10 00:23 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-01-10 00:23 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-01-10 00:23 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2013-01-10 00:23 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2013-01-10 00:23 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2013-01-10 00:23 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2013-01-10 00:22 - 2012-11-29 21:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

2013-01-10 00:22 - 2012-11-29 21:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

2013-01-10 00:22 - 2012-11-29 21:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2013-01-10 00:22 - 2012-11-29 21:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

2013-01-10 00:22 - 2012-11-29 21:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

2013-01-10 00:22 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2013-01-10 00:22 - 2012-11-29 21:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2013-01-10 00:22 - 2012-11-29 20:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2013-01-10 00:22 - 2012-11-29 20:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 19:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2013-01-10 00:22 - 2012-11-29 18:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2013-01-10 00:22 - 2012-11-29 18:44 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2013-01-10 00:22 - 2012-11-29 18:44 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2013-01-10 00:22 - 2012-11-29 18:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2013-01-10 00:22 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2013-01-10 00:22 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls

2013-01-10 00:22 - 2012-11-29 15:15 - 00420064 ____A C:\Windows\System32\locale.nls

2013-01-10 00:22 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-01-10 00:22 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe

2013-01-06 22:41 - 2013-01-06 22:41 - 00000000 ____D C:\Users\KC\Desktop\2013 Jan - Nancy party

2013-01-06 14:05 - 2013-01-06 14:05 - 00000000 ____D C:\Users\KC\AppData\Local\{0B499AAD-290C-4C4B-BA93-EB36651D2724}

2013-01-06 01:14 - 2013-01-06 01:14 - 00077824 ____A C:\Users\KC\Desktop\Block 8 CC final version.xls

2013-01-05 21:34 - 2013-01-05 21:34 - 00744806 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2013-01-05 21:33 - 2013-01-05 21:33 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-01-05 21:32 - 2012-08-21 13:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys

2013-01-05 21:31 - 2013-01-05 21:32 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-05 21:31 - 2013-01-05 21:32 - 00000000 ____D C:\Program Files\iTunes

2013-01-05 21:31 - 2013-01-05 21:32 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-01-05 21:31 - 2013-01-05 21:31 - 00000000 ____D C:\Program Files\iPod

2013-01-05 17:46 - 2013-01-05 17:46 - 00000000 ____D C:\Users\KC\AppData\Local\{D26BE529-DA92-43EB-8645-BCDF9615491B}

2013-01-02 19:41 - 2013-01-02 19:41 - 00000000 ____D C:\Users\KC\AppData\Local\{1F999E70-EB46-4F6D-8AFF-BC211CA0E605}

2013-01-01 11:04 - 2013-01-01 11:04 - 00000000 ____D C:\Users\KC\AppData\Local\{C272D7BB-555C-4D67-A903-1192DCA102DC}

2012-12-31 21:34 - 2012-12-31 21:34 - 00000000 ____D C:\Users\KC\AppData\Local\{2823A759-4068-430B-B4E2-DB2EDE632073}

2012-12-30 23:08 - 2012-12-30 23:09 - 00000000 ____D C:\Users\KC\AppData\Local\{29D6C146-B8F9-4638-B27C-9FA761F85B47}

2012-12-30 09:46 - 2012-12-30 09:46 - 00000000 ____D C:\Users\KC\AppData\Local\{BB392596-FF44-43C7-8BB9-E6FD0B21E532}

2012-12-29 17:13 - 2012-12-29 17:13 - 00000000 ____D C:\Users\KC\AppData\Local\{C7FB466F-DE94-41E1-9FD7-D5CB70D45159}

2012-12-24 22:00 - 2012-12-24 22:00 - 00000000 ____D C:\Users\KC\AppData\Local\{F5B1F9BE-9FED-459D-A0B1-0A18DA3B4FEB}

==================== One Month Modified Files and Folders =======

2013-01-22 21:08 - 2013-01-22 21:08 - 00000000 ____D C:\FRST

2013-01-22 20:39 - 2009-07-13 20:51 - 00059570 ____A C:\Windows\setupact.log

2013-01-22 20:34 - 2013-01-22 20:16 - 00000004 ____A C:\Users\KC\AppData\Roaming\skype.ini

2013-01-22 20:32 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-22 20:28 - 2012-12-03 21:58 - 00555008 __ASH C:\Users\KC\Desktop\Thumbs.db

2013-01-22 20:18 - 2011-09-27 17:01 - 01368789 ____A C:\Windows\WindowsUpdate.log

2013-01-22 20:10 - 2013-01-22 20:10 - 00165888 ____A (Pmode) C:\Users\KC\AppData\Roaming\svcml.dll

2013-01-22 20:10 - 2012-02-02 23:14 - 00000000 ____D C:\Users\KC\AppData\Local\CrashDumps

2013-01-22 19:57 - 2012-01-08 13:51 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2989422500-999938887-3150858802-1001UA.job

2013-01-22 19:56 - 2012-02-27 20:42 - 00000000 ____D C:\Users\KC\Documents\Outlook Files

2013-01-22 19:21 - 2013-01-14 20:05 - 00000000 ____D C:\Users\KC\Desktop\email dump to sort

2013-01-22 19:11 - 2009-07-13 20:45 - 00021200 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-22 19:11 - 2009-07-13 20:45 - 00021200 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-22 18:56 - 2012-01-08 13:51 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2989422500-999938887-3150858802-1001Core.job

2013-01-21 23:11 - 2012-01-08 15:19 - 00000000 ____D C:\Data scanned

2013-01-21 21:10 - 2013-01-21 21:10 - 02350080 ____A C:\Users\KC\Desktop\2012_CHEP_Treatment_EN_Apr30.ppt

2013-01-21 21:10 - 2013-01-21 21:10 - 01930752 ____A C:\Users\KC\Desktop\2012_CHEP_WhatsNew_EN_Apr30.ppt

2013-01-21 19:52 - 2013-01-21 19:51 - 00000000 ____D C:\Users\KC\AppData\Local\{88683492-EE6A-494F-A6BA-962C2561D6F6}

2013-01-21 19:49 - 2009-07-13 21:13 - 00739612 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-20 17:39 - 2013-01-20 17:27 - 00000000 ____D C:\Users\KC\Desktop\lupus proctitis

2013-01-20 17:39 - 2012-07-26 15:46 - 00000000 ____D C:\Users\KC\Desktop\CAIR

2013-01-20 17:28 - 2012-03-04 13:01 - 00021504 ____A C:\Users\KC\Desktop\kcp.xlsx

2013-01-20 16:21 - 2013-01-20 16:21 - 00038400 ____A C:\Users\KC\Desktop\CCU Block 9 Call Schedule.xls

2013-01-17 19:14 - 2013-01-13 22:35 - 00000000 ____D C:\Users\KC\Desktop\2013 Apr Edmonton EP electve

2013-01-17 19:14 - 2013-01-13 22:34 - 00000000 ____D C:\Users\KC\Desktop\2013 June Toronto CCU elective

2013-01-17 19:14 - 2013-01-11 23:04 - 00000000 ____D C:\Users\KC\Desktop\DCIM

2013-01-17 19:14 - 2012-06-02 16:03 - 00000000 ____D C:\Users\KC\Desktop\notes

2013-01-17 17:01 - 2013-01-17 16:51 - 00000000 ____D C:\Users\KC\Desktop\wegener

2013-01-15 22:33 - 2013-01-15 22:06 - 00000000 ____D C:\Users\KC\Desktop\cardio trials

2013-01-15 21:55 - 2012-12-10 19:48 - 00000000 ____D C:\Users\KC\Desktop\pulmonary artery aneurysm

2013-01-15 17:52 - 2012-01-08 13:53 - 00002351 ____A C:\Users\KC\Desktop\Google Chrome.lnk

2013-01-14 21:06 - 2013-01-14 21:06 - 00000000 ____D C:\Users\KC\AppData\Local\{02671147-CA77-45A0-A176-D5243F314F6E}

2013-01-14 17:45 - 2010-11-20 19:47 - 00326070 ____A C:\Windows\PFRO.log

2013-01-13 22:38 - 2013-01-13 22:35 - 00000000 ____D C:\Users\KC\Desktop\cardiology case report

2013-01-13 22:33 - 2013-01-13 22:33 - 00000000 ____D C:\Users\KC\Desktop\other CV reference

2013-01-13 22:33 - 2013-01-13 22:32 - 00000000 ____D C:\Users\KC\Desktop\2013 Apr ACP conference

2013-01-13 18:54 - 2013-01-13 18:54 - 00000000 ____D C:\Users\KC\AppData\Local\{F1FA01CA-1AB8-4BBF-AC58-CF3FC699ACE8}

2013-01-12 23:10 - 2012-01-08 22:23 - 00000000 ____D C:\Users\KC\AppData\Roaming\Skype

2013-01-12 21:33 - 2013-01-10 21:42 - 00000000 ____D C:\Users\All Users\Seagate

2013-01-12 21:33 - 2012-04-15 17:14 - 00000000 ____D C:\Users\KC\AppData\Roaming\Seagate

2013-01-12 21:33 - 2012-04-15 17:12 - 00000000 ____D C:\Program Files (x86)\Seagate

2013-01-12 19:28 - 2013-01-12 19:28 - 00000000 ____D C:\Users\KC\AppData\Local\{2C0AF6F8-70CD-474E-9027-B69A4C4056E4}

2013-01-12 04:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-01-12 03:20 - 2009-07-13 20:45 - 00431672 ____A C:\Windows\System32\FNTCACHE.DAT

2013-01-12 00:28 - 2013-01-12 00:28 - 00000000 ____D C:\Users\KC\AppData\Local\{AC9A9F47-D1FE-4D49-B9CD-AFA4D4DE9B55}

2013-01-12 00:24 - 2012-01-09 21:10 - 00000000 ____D C:\Users\KC\AppData\Roaming\Apple Computer

2013-01-11 23:20 - 2012-02-17 20:10 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-01-11 23:18 - 2012-01-09 00:04 - 00000000 ____D C:\Users\All Users\Microsoft Help

2013-01-10 21:50 - 2013-01-10 21:50 - 00000000 ____D C:\Users\KC\AppData\Roaming\Nero

2013-01-10 21:50 - 2012-01-08 21:29 - 00000000 ____D C:\users\KC

2013-01-08 22:52 - 2012-05-23 21:20 - 00000000 ____D C:\Users\KC\Desktop\New folder

2013-01-07 21:42 - 2012-01-08 22:00 - 00000000 ____D C:\Users\KC\AppData\Roaming\Adobe

2013-01-06 22:41 - 2013-01-06 22:41 - 00000000 ____D C:\Users\KC\Desktop\2013 Jan - Nancy party

2013-01-06 14:05 - 2013-01-06 14:05 - 00000000 ____D C:\Users\KC\AppData\Local\{0B499AAD-290C-4C4B-BA93-EB36651D2724}

2013-01-06 01:14 - 2013-01-06 01:14 - 00077824 ____A C:\Users\KC\Desktop\Block 8 CC final version.xls

2013-01-05 21:34 - 2013-01-05 21:34 - 00744806 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2013-01-05 21:33 - 2013-01-05 21:33 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-01-05 21:32 - 2013-01-05 21:31 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-05 21:32 - 2013-01-05 21:31 - 00000000 ____D C:\Program Files\iTunes

2013-01-05 21:32 - 2013-01-05 21:31 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-01-05 21:31 - 2013-01-05 21:31 - 00000000 ____D C:\Program Files\iPod

2013-01-05 17:46 - 2013-01-05 17:46 - 00000000 ____D C:\Users\KC\AppData\Local\{D26BE529-DA92-43EB-8645-BCDF9615491B}

2013-01-05 16:59 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-01-02 19:41 - 2013-01-02 19:41 - 00000000 ____D C:\Users\KC\AppData\Local\{1F999E70-EB46-4F6D-8AFF-BC211CA0E605}

2013-01-01 11:04 - 2013-01-01 11:04 - 00000000 ____D C:\Users\KC\AppData\Local\{C272D7BB-555C-4D67-A903-1192DCA102DC}

2012-12-31 21:34 - 2012-12-31 21:34 - 00000000 ____D C:\Users\KC\AppData\Local\{2823A759-4068-430B-B4E2-DB2EDE632073}

2012-12-30 23:09 - 2012-12-30 23:08 - 00000000 ____D C:\Users\KC\AppData\Local\{29D6C146-B8F9-4638-B27C-9FA761F85B47}

2012-12-30 09:46 - 2012-12-30 09:46 - 00000000 ____D C:\Users\KC\AppData\Local\{BB392596-FF44-43C7-8BB9-E6FD0B21E532}

2012-12-29 17:13 - 2012-12-29 17:13 - 00000000 ____D C:\Users\KC\AppData\Local\{C7FB466F-DE94-41E1-9FD7-D5CB70D45159}

2012-12-24 22:00 - 2012-12-24 22:00 - 00000000 ____D C:\Users\KC\AppData\Local\{F5B1F9BE-9FED-459D-A0B1-0A18DA3B4FEB}

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-2989422500-999938887-3150858802-1001\$142c56b9109f7c097f172e3181ed74e3

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$142c56b9109f7c097f172e3181ed74e3

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-10 21:40:29

Restore point made on: 2013-01-10 21:46:59

Restore point made on: 2013-01-10 21:54:42

Restore point made on: 2013-01-10 21:58:41

Restore point made on: 2013-01-10 22:01:12

Restore point made on: 2013-01-11 23:16:22

Restore point made on: 2013-01-12 03:00:21

Restore point made on: 2013-01-12 21:29:55

Restore point made on: 2013-01-12 21:30:46

Restore point made on: 2013-01-15 18:01:57

Restore point made on: 2013-01-18 22:25:13

Restore point made on: 2013-01-20 11:56:12

Restore point made on: 2013-01-20 18:41:24

Restore point made on: 2013-01-20 19:00:43

Restore point made on: 2013-01-22 19:08:19

==================== Memory info ===========================

Percentage of memory in use: 11%

Total physical RAM: 6057.55 MB

Available physical RAM: 5332.25 MB

Total Pagefile: 6055.75 MB

Available Pagefile: 5314.23 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:211 GB) (Free:83.98 GB) NTFS

2 Drive d: () (Fixed) (Total:363.39 GB) (Free:316.76 GB) NTFS

3 Drive f: (SAMSUNG_REC) (Fixed) (Total:21.68 GB) (Free:1.01 GB) NTFS ==>[system with boot components (obtained from reading drive)]

5 Drive h: () (Removable) (Total:0.95 GB) (Free:0.95 GB) FAT

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          596 GB  1024 KB
Disk 1    Online          977 MB     0 B

Partitions of Disk 0:

===============

Disk ID: 3DB2A4BB

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            100 MB  1024 KB
Partition 2    Primary            211 GB   101 MB
Partition 0    Extended           363 GB   211 GB
Partition 4    Logical            363 GB   211 GB
Partition 3    Recovery            21 GB   574 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1   Y   SYSTEM       NTFS   Partition    100 MB  Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2   C                NTFS   Partition    211 GB  Healthy

=========================================================

Disk: 0

Partition 4

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3   D                NTFS   Partition    363 GB  Healthy

=========================================================

Disk: 0

Partition 3

Type : 27

Hidden: Yes

Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4   F   SAMSUNG_REC  NTFS   Partition     21 GB  Healthy    Hidden

=========================================================

Partitions of Disk 1:

===============

Disk ID: 00000001

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
* Partition 1  Primary            977 MB     0 B

==================================================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

=========================================================

Last Boot: 2013-01-14 18:05

==================== End Of Log =============================


search

Farbar Recovery Scan Tool (x64) Version: 21-01-2013 02

Ran by SYSTEM at 2013-01-22 21:10:54

Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
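The search above lists the live C:\Windows\System32\services.exe next to the copy Windows keeps in WinSxS so their sizes and MD5 hashes can be compared. As an added example (not from this thread or from FRST), here is a small Python parser for an FRST search section that flags any copy whose size or MD5 differs from the WinSxS copies. The sample text is constructed, with placeholder hashes deliberately set to differ; in the thread's own output both hashes agreed.

```python
import re

# Constructed sample in the layout of FRST's "Search:" output; it is not the log
# from this thread, and the two hashes are made-up placeholders chosen to differ.
SAMPLE = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 00112233445566778899AABBCCDDEEFF

C:\\Windows\\System32\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) FFEEDDCCBBAA99887766554433221100

====== End Of Search ======
"""

# One detail line: [created] - [modified] - size attrs (company) MD5
DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search(text):
    """Return one dict per file: a path line followed by its detail line."""
    entries, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):
            continue  # blank lines and section banners
        m = DETAIL.match(line)
        if m and path:
            d = m.groupdict()
            d["path"] = path
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
            path = None
        else:
            path = line
    return entries


def deviating_copies(entries):
    """Paths whose (size, MD5) differ from the WinSxS copies, which Windows keeps
    as a pristine component store; a patched System32 binary shows up here."""
    baseline = {(e["size"], e["md5"]) for e in entries if "\\winsxs\\" in e["path"].lower()}
    if not baseline:
        return []  # nothing to compare against
    return [e["path"] for e in entries if (e["size"], e["md5"]) not in baseline]
```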


Howdy kkcc,

Do you use something called Pmode?

Please do the following to re-run FRST:

Please download the attached fixlist.txt.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

On Windows XP: Now please boot into the BartPE CD.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). Please post it in your reply.

fixlist.txt


Thanks TheDarkKnight for all your help and quick responses!!

I don't know what Pmode is.

Here is the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-01-2013 02

Ran by SYSTEM at 2013-01-22 22:16:50 Run:1

Running from H:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\\DhcpNameServer Value deleted successfully.

C:\$Recycle.Bin\S-1-5-21-2989422500-999938887-3150858802-1001\$142c56b9109f7c097f172e3181ed74e3 moved successfully.

C:\$Recycle.Bin\S-1-5-18\$142c56b9109f7c097f172e3181ed74e3 moved successfully.

==== End of Fixlog ====


Hey kkcc,

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

Once ComboFix runs, we can look at Pmode. Is the issue gone now?

This topic is now closed to further replies.