Mandient Cyber Security Virus

pennie59 (New Member, Thread author)
I don't have a flash drive so I haven't any OTL or aswMBR logs to post (can I download to a disk?).
 

TwinHeadedEagle (Level 41)
Hi, what is the version of your system?

Yes, you can download the tools on disk, but I cannot guarantee that we can do something. A USB flash drive is a much better solution...
 

pennie59 (New Member, Thread author)
TwinHeadedEagle said:
Hi, what is the version of your system?

Yes, you can download the tools on disk, but I cannot guarantee that we can do something. A USB flash drive is a much better solution...

OS Windows 7 with 64 bit architecture.
 

pennie59 (New Member, Thread author)
pennie59 said:
TwinHeadedEagle said:
Hi, what is the version of your system?

Yes, you can download the tools on disk, but I cannot guarantee that we can do something. A USB flash drive is a much better solution...

OS Windows 7 with 64 bit architecture.

BTW, I just picked up a flash drive.

Also, the true name of the virus (as shown on the CS screen) is:
USA Cyber Crime Investigations
Cyber Command of Maryland
 

TwinHeadedEagle (Level 41)
Ok, let's get rid of it :)

Ok, let's try another way

Download Farbar Recovery Scan Tool from the below link:
  • For 64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a USB/flash drive.
  • For 32 bit systems download Farbar Recovery Scan Tool and save it to a USB/flash drive.
  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
      • Restart the computer.
      • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
      • Use the arrow keys to select the Repair your computer menu item.
      • Select US as the keyboard language setting, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
        Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
      1. Select Command Prompt.
      2. In the command window type in notepad and press Enter.
      3. The notepad opens. Under the File menu select Open.
      4. Select "Computer" and find your flash drive letter, then close the notepad.
      5. In the command window type e:\frst64 and press Enter.
         Note: Replace the letter e with the drive letter of your flash drive.
      6. The tool will start to run.
      7. When the tool opens click Yes to the disclaimer.
      8. Press the Scan button.
      9. FRST will let you know when the scan is complete and has written the FRST.txt file; close the message.
      10. Type exit.
      11. Please copy and paste FRST.txt in your next reply.
 

pennie59 (New Member, Thread author)
TwinHeadedEagle said:
Ok, let's get rid of it :)

Ok, let's try another way

Download Farbar Recovery Scan Tool from the below link:
  • For 64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a USB/flash drive.
  • For 32 bit systems download Farbar Recovery Scan Tool and save it to a USB/flash drive.
  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
      • Restart the computer.
      • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
      • Use the arrow keys to select the Repair your computer menu item.
      • Select US as the keyboard language setting, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
        Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
      1. Select Command Prompt.
      2. In the command window type in notepad and press Enter.
      3. The notepad opens. Under the File menu select Open.
      4. Select "Computer" and find your flash drive letter, then close the notepad.
      5. In the command window type e:\frst64 and press Enter.
         Note: Replace the letter e with the drive letter of your flash drive.
      6. The tool will start to run.
      7. When the tool opens click Yes to the disclaimer.
      8. Press the Scan button.
      9. FRST will let you know when the scan is complete and has written the FRST.txt file; close the message.
      10. Type exit.
      11. Please copy and paste FRST.txt in your next reply.


Many apologies, TwinHeadedEagle. My laptop is not 64-bit. I'm using my PC to work this and gave you that spec. My infected laptop is a Toshiba Satellite, L655-S515. I am running Windows 7, but I don't know what version it has. It's two years old.

In the meantime, I downloaded FRST and the other program (it saved as Setup) to my flash drive, and the OTLPENet to a disk.
 

TwinHeadedEagle (Level 41)
Download both versions from the links above, and try both of them. Only one will work :)

I gave you the non-OTLPE instructions, but it doesn't matter, just make the report in any way :)

I am going to sleep now, attach the report and look for my answer within 8 hours :)
 


pennie59 (New Member, Thread author)
I got the blue screen of death after I loaded the boot disk. I ran system repair to no avail and then check disk. I started the laptop and got to the home screen and just caught a glimpse of the check disk results (some errors were found) before CS took over my computer again. I'll try the boot disk again tonight after work and see what happens. I'm starting to fear wiping my hard drive.....
 

TwinHeadedEagle (Level 41)
No need to wipe, just follow my instructions. You do not need OTLPE disk, follow my instructions only with USB flash drive...
 

pennie59 (New Member, Thread author)
Got it. When I get to my computer do I need to change my boot start up from HDD to something else?
With the computer off, I insert the flash drive and start up the computer?
 

TwinHeadedEagle (Level 41)
Here are the complete instructions:

Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

pennie59 (New Member, Thread author)
TwinHeadedEagle said:
Here are the complete instructions:

Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

OK, just to be sure I understand. Earlier you said I do not need to boot from the disk, just insert the flash drive?
 

pennie59 (New Member, Thread author)
Here it is:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-11-2013 01
Ran by SYSTEM on MININT-G8RTUGR on 12-11-2013 16:56:10
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [x]
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] - C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] - C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] - C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] - C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] - C:\Program Files\TOSHIBA\TECO\Teco.exe [1483776 2010-02-25] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [SmoothView] - C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [SmartAudio] - C:\Program Files\CONEXANT\SAII\SAIICpl.exe [307768 2010-04-28] ()
HKLM\...\Run: [Logitech Download Assistant] - C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [IntelliType Pro] - C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1464944 2012-11-02] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] - C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2076272 2012-11-02] (Microsoft Corporation)
HKLM\...\Run: [HSON] - C:\Program Files\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM-x32\...\Run: [TWebCamera] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1295736 2011-02-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] - C:\Program Files (x86)\TOSHIBA\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe [3218792 2010-08-17] (Toshiba)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKLM-x32\...\Run: [hpqSRMon] - C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe [150016 2008-08-20] (Hewlett-Packard)
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411952 2013-09-22] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Photo Downloader] - C:\Program Files (x86)\Adobe\Photoshop Elements 5.0\apdproxy.exe [67752 2006-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKU\Will\...\Winlogon: [Shell] explorer.exe,C:\Users\Will\AppData\Roaming\cache.dat [99328 2013-11-10] () <==== ATTENTION
AppInit_DLLs: [0 ] ()

==================== Services (Whitelisted) =================

S2 AdobeActiveFileMonitor5.0; C:\Program Files (x86)\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [108712 2006-12-22] ()
S2 AdvancedSystemCareService6; C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [574272 2013-04-18] (IObit)
S2 avgfws; C:\Program Files (x86)\AVG\AVG2013\avgfws.exe [1432080 2013-09-04] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-07-23] (AVG Technologies CZ, s.r.o.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.5.60\ccSvcHst.exe [126392 2009-08-24] (Symantec Corporation)
S2 Winmgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [50296 2012-09-04] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-07-19] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206648 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311608 2013-07-19] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-06-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-09-04] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-12 16:56 - 2013-11-12 16:56 - 00000000 ____D C:\FRST
2013-11-11 14:21 - 2013-11-11 14:21 - 00000000 __SHD C:\found.000
2013-11-10 20:50 - 2013-11-10 12:50 - 00099328 ____R C:\Users\Will\AppData\Roaming\cache.dat
2013-11-10 17:48 - 2013-11-10 17:48 - 00000000 _____ C:\Windows\System32\startmenu
2013-11-10 12:55 - 2013-11-11 16:45 - 00001042 _____ C:\Windows\setupact.log
2013-11-10 12:55 - 2013-11-10 12:55 - 00000000 _____ C:\Windows\setuperr.log
2013-11-10 12:54 - 2013-11-10 12:54 - 00023932 _____ C:\Windows\PFRO.log
2013-11-10 12:51 - 2013-11-12 00:36 - 00000004 _____ C:\Users\Will\AppData\Roaming\cache.ini
2013-11-10 08:59 - 2013-11-10 08:59 - 00000000 ____D C:\Users\Will\AppData\Local\{ADFC733B-A2B4-4B54-81B2-51C3E0F0F477}
2013-11-09 18:38 - 2013-11-09 18:38 - 00001514 _____ C:\Users\Will\Desktop\VP-6150 - Shortcut.lnk
2013-11-09 16:08 - 2013-11-09 16:08 - 00000000 ____D C:\Users\Will\AppData\Local\{9BE74857-C16E-48A1-9C09-C2A5E76BC15A}
2013-11-08 16:17 - 2013-11-08 16:17 - 00004021 _____ C:\Users\Will\Desktop\VP-6066 - Shortcut.lnk
2013-11-08 16:17 - 2013-11-08 16:17 - 00004021 _____ C:\Users\Will\Desktop\VP-6064 - Shortcut.lnk
2013-11-08 16:17 - 2013-11-08 16:17 - 00004021 _____ C:\Users\Will\Desktop\VP-6060 - Shortcut.lnk
2013-10-27 06:03 - 2013-10-27 06:03 - 00000000 ____D C:\Users\Will\AppData\Local\{B4750301-9965-45CB-8D72-B0E4E61247B1}
2013-10-25 06:04 - 2013-10-25 06:04 - 00000000 ____D C:\Users\Will\AppData\Local\{D0C3B92C-83E8-4CB7-9AB0-6D7B4E6260F8}
2013-10-24 15:23 - 2013-10-24 15:23 - 00000000 ____D C:\Users\Will\AppData\Local\{8DB9A031-6834-4805-A82D-BC3AB544EB84}
2013-10-16 14:51 - 2013-10-16 14:51 - 00000000 ____D C:\Users\Will\AppData\Local\{F04691BB-C1B0-4A29-85E0-886EDE601867}

==================== One Month Modified Files and Folders =======

2013-11-12 16:56 - 2013-11-12 16:56 - 00000000 ____D C:\FRST
2013-11-12 00:38 - 2011-09-30 07:28 - 01102296 _____ C:\Windows\WindowsUpdate.log
2013-11-12 00:36 - 2013-11-10 12:51 - 00000004 _____ C:\Users\Will\AppData\Roaming\cache.ini
2013-11-12 00:36 - 2011-10-08 14:17 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-12 00:35 - 2011-10-08 14:17 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-12 00:24 - 2011-10-06 12:58 - 00000000 ____D C:\ProgramData\MFAData
2013-11-12 00:10 - 2012-04-03 14:34 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-11 16:53 - 2009-07-13 20:45 - 00015792 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-11 16:53 - 2009-07-13 20:45 - 00015792 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-11 16:45 - 2013-11-10 12:55 - 00001042 _____ C:\Windows\setupact.log
2013-11-11 16:45 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-11 14:21 - 2013-11-11 14:21 - 00000000 __SHD C:\found.000
2013-11-10 18:16 - 2013-09-24 15:46 - 00000000 ____D C:\Windows\pss
2013-11-10 17:48 - 2013-11-10 17:48 - 00000000 _____ C:\Windows\System32\startmenu
2013-11-10 12:55 - 2013-11-10 12:55 - 00000000 _____ C:\Windows\setuperr.log
2013-11-10 12:54 - 2013-11-10 12:54 - 00023932 _____ C:\Windows\PFRO.log
2013-11-10 12:50 - 2013-11-10 20:50 - 00099328 ____R C:\Users\Will\AppData\Roaming\cache.dat
2013-11-10 08:59 - 2013-11-10 08:59 - 00000000 ____D C:\Users\Will\AppData\Local\{ADFC733B-A2B4-4B54-81B2-51C3E0F0F477}
2013-11-10 08:29 - 2013-07-20 16:54 - 00000000 ____D C:\Users\Will\Desktop\Desktop Files
2013-11-09 18:38 - 2013-11-09 18:38 - 00001514 _____ C:\Users\Will\Desktop\VP-6150 - Shortcut.lnk
2013-11-09 16:08 - 2013-11-09 16:08 - 00000000 ____D C:\Users\Will\AppData\Local\{9BE74857-C16E-48A1-9C09-C2A5E76BC15A}
2013-11-08 20:31 - 2011-10-06 13:06 - 00000000 ____D C:\Users\Will\Documents\Outlook Files
2013-11-08 20:14 - 2012-09-22 17:37 - 00000000 ____D C:\Users\Will\AppData\Local\DFE3E515-0A23-4D06-A2A7-1FC162D3F453.aplzod
2013-11-08 16:17 - 2013-11-08 16:17 - 00004021 _____ C:\Users\Will\Desktop\VP-6066 - Shortcut.lnk
2013-11-08 16:17 - 2013-11-08 16:17 - 00004021 _____ C:\Users\Will\Desktop\VP-6064 - Shortcut.lnk
2013-11-08 16:17 - 2013-11-08 16:17 - 00004021 _____ C:\Users\Will\Desktop\VP-6060 - Shortcut.lnk
2013-11-08 15:35 - 2011-10-05 14:26 - 00000000 ____D C:\users\Will
2013-10-27 06:03 - 2013-10-27 06:03 - 00000000 ____D C:\Users\Will\AppData\Local\{B4750301-9965-45CB-8D72-B0E4E61247B1}
2013-10-25 06:04 - 2013-10-25 06:04 - 00000000 ____D C:\Users\Will\AppData\Local\{D0C3B92C-83E8-4CB7-9AB0-6D7B4E6260F8}
2013-10-24 15:23 - 2013-10-24 15:23 - 00000000 ____D C:\Users\Will\AppData\Local\{8DB9A031-6834-4805-A82D-BC3AB544EB84}
2013-10-16 14:51 - 2013-10-16 14:51 - 00000000 ____D C:\Users\Will\AppData\Local\{F04691BB-C1B0-4A29-85E0-886EDE601867}
2013-10-13 10:30 - 2011-10-08 14:17 - 00003890 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-13 10:30 - 2011-10-08 14:17 - 00003638 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

Files to move or delete:
====================
C:\Users\Will\AppData\Roaming\cache.dat
C:\Users\Will\AppData\Roaming\cache.ini
C:\ProgramData\brgldb.ctrl
C:\ProgramData\brgldb.pff
C:\ProgramData\rljw9to.ctrl
C:\ProgramData\rljw9to.pff


Some content of TEMP:
====================
C:\Users\Will\AppData\Local\Temp\advanced-systemcare.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

13
Restore point made on: 2013-10-31 18:51:35
Restore point made on: 2013-11-01 18:33:48
Restore point made on: 2013-11-02 19:17:50
Restore point made on: 2013-11-03 16:20:49
Restore point made on: 2013-11-04 16:05:04
Restore point made on: 2013-11-05 16:32:29
Restore point made on: 2013-11-06 16:55:14
Restore point made on: 2013-11-08 00:00:20
Restore point made on: 2013-11-09 06:32:30
Restore point made on: 2013-11-10 00:00:23
Restore point made on: 2013-11-11 16:52:45
Restore point made on: 2013-11-12 00:00:20
Restore point made on: 2013-11-12 00:38:36

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3893.86 MB
Available physical RAM: 3324.71 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3307.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (TI106033W0C) (Fixed) (Total:278.32 GB) (Free:151.64 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (TOSHIBA System Volume) (Fixed) (Total:1.46 GB) (Free:1.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:14.53 GB) (Free:14.52 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: EF6DE949)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=278 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=18 GB) - (Type=17)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 15 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=15 GB) - (Type=0C)


LastRegBack: 2013-11-09 21:24

==================== End Of Log ============================
 

TwinHeadedEagle (Level 41)
On your clean PC, download the following file by right-clicking it and selecting Save As

[attachment=6215]

and save it onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Attempt to boot normally.
 

Attachments

  • fixlist.txt (375 bytes)

pennie59 (New Member, Thread author)
TwinHeadedEagle said:
On your clean PC, download the following file by right-clicking it and select save as



and save it onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Attempt to boot normally.

Ok, where do I find system recovery?
 

pennie59 (New Member, Thread author)
I had a Duh moment:

Here's the log:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-11-2013 01
Ran by SYSTEM at 2013-11-12 17:41:42 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKU\Will\...\Winlogon: [Shell] explorer.exe,C:\Users\Will\AppData\Roaming\cache.dat [99328 2013-11-10] () <==== ATTENTION
AppInit_DLLs: [0 ] ()
C:\Users\Will\AppData\Roaming\cache.dat
C:\Users\Will\AppData\Roaming\cache.ini
C:\ProgramData\brgldb.ctrl
C:\ProgramData\brgldb.pff
C:\ProgramData\rljw9to.ctrl
C:\ProgramData\rljw9to.pff
C:\Users\Will\AppData\Local\Temp

*****************

HKU\Will\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
C:\Users\Will\AppData\Roaming\cache.dat => Moved successfully.
C:\Users\Will\AppData\Roaming\cache.ini => Moved successfully.
C:\ProgramData\brgldb.ctrl => Moved successfully.
C:\ProgramData\brgldb.pff => Moved successfully.
C:\ProgramData\rljw9to.ctrl => Moved successfully.
C:\ProgramData\rljw9to.pff => Moved successfully.
C:\Users\Will\AppData\Local\Temp => Moved successfully.

==== End of Fixlog ====
 
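An added example (not code from the thread, from FRST or from Farbar) covering the FRST.txt posted above and the fixlist that cleaned it: it parses FRST's Winlogon registry lines, flags a Shell value that chains anything after explorer.exe (here cache.dat), and assembles a fixlist in the same shape the helper used, the registry line copied verbatim followed by the payload paths to move. The sample lines are constructed from the thread's log; the HKU\Alice entry is invented as a clean control.

```python
"""Detect a Winlogon Shell hijack in FRST.txt registry lines.

Added example for this thread; not part of the thread, of FRST, or of Farbar's
tooling. FRST prints the hive, "\\...\\", the key, then "[ValueName] data";
a legitimate Shell value is just explorer.exe, so any extra comma-separated
component is the persistence the helper's fixlist removed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the Winlogon line and one Run line from the thread's
# FRST.txt, plus an invented clean Shell entry for a hypothetical user Alice.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe [566184 2010-09-28] (TOSHIBA Corporation)
HKU\Will\...\Winlogon: [Shell] explorer.exe,C:\Users\Will\AppData\Roaming\cache.dat [99328 2013-11-10] () <==== ATTENTION
HKU\Alice\...\Winlogon: [Shell] explorer.exe (Microsoft Corporation)
"""

# Hive (HKLM, HKLM-x32 or HKU\<user>), the elided key path, then "[Value] data".
WINLOGON_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)(?:-x32)?\\\.\.\.\\Winlogon: "
    r"\[(?P<value>[^\]]+)\] (?P<rest>.*)$"
)
# Optional trailer after the data: "[size date]", "(publisher)", FRST's flag.
TRAILER_RE = re.compile(
    r"(?: \[\d+ \d{4}-\d{2}-\d{2}\])?(?: \([^)]*\))?(?: <==== ATTENTION)?$"
)


@dataclass(frozen=True)
class ShellFinding:
    hive: str                    # e.g. r"HKU\Will"
    raw_line: str                # the FRST line as printed, usable in a fixlist
    components: Tuple[str, ...]  # every comma-separated Shell component
    extra: Tuple[str, ...]       # components that are not explorer.exe


def parse_winlogon_shell(line: str) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Return (hive, components) for a Winlogon [Shell] line, else None."""
    m = WINLOGON_RE.match(line.rstrip())
    if not m or m.group("value").lower() != "shell":
        return None
    data = TRAILER_RE.sub("", m.group("rest"), count=1)
    components = tuple(p.strip() for p in data.split(",") if p.strip())
    return m.group("hive"), components


def is_explorer(component: str) -> bool:
    """True for the stock shell, explorer.exe, given bare or with a path."""
    name = component.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name == "explorer.exe"


def find_shell_hijacks(frst_text: str) -> List[ShellFinding]:
    """Flag every Shell value that loads something besides explorer.exe."""
    findings = []
    for line in frst_text.splitlines():
        parsed = parse_winlogon_shell(line)
        if parsed is None:
            continue
        hive, components = parsed
        extra = tuple(c for c in components if not is_explorer(c))
        if extra:
            findings.append(ShellFinding(hive, line.rstrip(), components, extra))
    return findings


def build_fixlist(frst_text: str) -> str:
    """Fixlist text in the form the thread shows: the flagged registry line
    copied verbatim, then each payload path so FRST moves the file."""
    entries: List[str] = []
    for f in find_shell_hijacks(frst_text):
        entries.append(f.raw_line)
        for path in f.extra:
            # Only absolute file paths make sense as move/delete entries.
            if re.match(r"^[A-Za-z]:\\", path) and path not in entries:
                entries.append(path)
    return "\n".join(entries)


if __name__ == "__main__":
    for finding in find_shell_hijacks(SAMPLE_FRST_LINES):
        print(f"{finding.hive}: Shell loads {', '.join(finding.extra)}")
    print(build_fixlist(SAMPLE_FRST_LINES))
```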
