FBI ransomware in safe mode (can't run)


This topic is locked
7 replies to this topic

#1 saathi


Posted 19 January 2013 - 02:03 AM

So grateful this site exists... like many others, I have this FBI ransomware on my computer and I cannot open in safe mode.

I followed the first couple of steps that Gringo suggested to others... here are my FRST and Services reports.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-01-2013
Ran by SYSTEM at 19-01-2013 00:57:38
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [568888 2010-01-18] ()
HKLM-x32\...\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED [3331944 2009-12-03] (Symantec Corporation)
HKLM-x32\...\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe" [115560 2009-05-04] (Symantec Corporation)
HKLM-x32\...\Run: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe [136080 2009-09-16] (Symantec Corporation)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [624056 2011-08-30] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe [x]
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
HKU\Christopher Butler\...\Run: [Google Update] "C:\Users\Christopher Butler\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-03-08] (Google Inc.)
HKU\Christopher Butler\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Christopher Butler\...\Run: [Spotify] "C:\Users\Christopher Butler\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [7880664 2013-01-08] (Spotify Ltd)
HKU\Christopher Butler\...\Run: [Spotify Web Helper] "C:\Users\Christopher Butler\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2013-01-08] (Spotify Ltd)
HKU\Christopher Butler\...\Run: [ieodjrzotp] C:\Users\Christopher Butler\AppData\Roaming\phxzbypky [x]
HKU\Christopher Butler\...\Policies\system: [DisableTaskMgr] 1
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Guest\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Guest\...\Run: [ieodjrzotp] C:\Users\Guest\AppData\Roaming\phxzbypky [x]
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\phxzbypky [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.10.1
Startup: C:\Users\Christopher Butler\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ===================

2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-05-04] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-05-04] (Symantec Corporation)
2 DefWatch; "C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe" [31120 2009-09-16] (Symantec Corporation)
2 FlipShare Service; "C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe" [460144 2011-05-06] ()
2 FlipShareServer; "C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe" [1085440 2011-05-06] ()
3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093872 2008-09-18] (Symantec Corporation)
2 McciCMService64; "C:\Program Files\Common Files\Motive\McciCMService.exe" [517632 2010-05-04] (Alcatel-Lucent)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\17.0.0.136\diMaster.dll" /prefetch:1 [132984 2009-08-28] (Symantec Corporation)
2 Relay Uploader Service; "C:\Program Files (x86)\TechSmith\Camtasia Relay\Uploader\UploaderService.exe" /service [581976 2009-09-23] ()
2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe" [1961768 2009-09-16] (Symantec Corporation)
3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [x]

==================== Drivers (Whitelisted) =====================

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-07-31] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-07-31] (Symantec Corporation)
3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130111.003\ENG64.SYS [126112 2012-09-17] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130111.003\EX64.SYS [2084000 2012-09-17] (Symantec Corporation)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [441904 2009-03-04] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [480304 2009-03-04] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2009-03-04] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172080 2010-09-29] (Symantec Corporation)
3 EraserUtilDrvI7; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [x]
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-01-19 00:49 - 2013-01-19 00:49 - 00000000 ___DC C:\FRST
2013-01-18 21:41 - 2013-01-18 21:41 - 00003198 ____A C:\Users\Christopher Butler\Desktop\Rkill.txt
2013-01-18 21:41 - 2013-01-18 21:41 - 00000000 ____D C:\Users\Christopher Butler\Desktop\rkill
2013-01-18 07:33 - 2013-01-18 07:33 - 00118784 ____A (Ukok) C:\Users\Guest\AppData\Roaming\phxzbypky.exe
2013-01-18 07:33 - 2013-01-18 07:33 - 00118784 ____A (Ukok) C:\Users\Guest\AppData\Local\phxzbypky.exe
2013-01-18 07:33 - 2013-01-18 07:33 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Macromedia
2013-01-18 07:33 - 2013-01-18 07:33 - 00000000 ____D C:\Users\Guest\AppData\Local\Macromedia
2013-01-18 07:32 - 2013-01-18 07:32 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Mozilla
2013-01-18 07:32 - 2013-01-18 07:32 - 00000000 ____D C:\Users\Guest\AppData\Local\Mozilla
2013-01-18 07:29 - 2013-01-18 07:33 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Adobe
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Hewlett-Packard
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Apple Computer
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Local\VirtualStore
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Local\Symantec
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Local\Adobe
2013-01-18 07:28 - 2013-01-18 07:29 - 00000000 ____D C:\users\Guest
2013-01-18 07:28 - 2013-01-18 07:28 - 00000020 __ASH C:\Users\Guest\ntuser.ini
2013-01-18 07:28 - 2011-10-04 06:31 - 00000000 ____D C:\Users\Guest\AppData\Local\Microsoft Help
2013-01-18 07:22 - 2013-01-18 22:39 - 00118784 ____A (Ukok) C:\Users\Christopher Butler\AppData\Roaming\phxzbypky.exe
2013-01-18 07:17 - 2013-01-18 22:39 - 00118784 ____A (Ukok) C:\Users\Christopher Butler\AppData\Local\phxzbypky.exe
2013-01-16 06:20 - 2013-01-17 19:54 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{67F6B298-6ED9-4F48-BEE4-151E4957F0BA}
2013-01-15 07:02 - 2013-01-04 07:53 - 09060864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-01-15 07:02 - 2013-01-04 07:32 - 06029824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-01-14 07:50 - 2013-01-14 07:50 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{3FF173F4-9E37-47C7-8CC9-E83576F3DE76}
2013-01-13 12:43 - 2013-01-13 16:19 - 00000000 ____D C:\Users\Christopher Butler\Desktop\Sam's House
2013-01-12 12:34 - 2013-01-12 12:34 - 00002261 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-01-12 12:32 - 2013-01-18 22:40 - 00000918 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-12 12:32 - 2013-01-18 06:47 - 00000922 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-12 12:32 - 2013-01-12 12:34 - 00000000 ___DC C:\Program Files (x86)\Google
2013-01-12 09:13 - 2012-11-28 08:35 - 00095184 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-01-12 09:13 - 2012-11-28 08:31 - 00174000 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-01-12 09:13 - 2012-11-28 08:31 - 00173992 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-01-12 09:12 - 2013-01-12 09:13 - 00004424 ____A C:\Windows\SysWOW64\jupdate-1.7.0_10-b18.log
2013-01-10 20:36 - 2013-01-10 20:36 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{35AF64E7-0EA4-4D7B-A34A-1A5FC6A37579}
2013-01-10 20:23 - 2013-01-10 20:23 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-10 13:25 - 2013-01-10 13:25 - 00000000 ____D C:\Users\Christopher Butler\AppData\Roaming\EndNote
2013-01-10 13:19 - 2013-01-10 13:19 - 00000000 ____D C:\Users\Public\Documents\EndNote
2013-01-10 13:18 - 2013-01-10 13:19 - 00000000 ___DC C:\Program Files (x86)\EndNote X6
2013-01-10 13:16 - 2012-08-14 13:34 - 00000792 ____A C:\Users\Christopher Butler\Desktop\License.dat
2013-01-10 13:15 - 2013-01-10 13:15 - 71518314 ____A (Igor Pavlov) C:\Users\Christopher Butler\Desktop\endnote.exe
2013-01-10 08:54 - 2013-01-10 08:54 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{8277D755-6F01-4F45-9D95-2D236758FAAF}
2013-01-09 14:40 - 2013-01-10 08:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-01-09 11:49 - 2013-01-09 11:49 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{685A63EC-24DD-47DD-BCFE-DB8F7D205B14}
2013-01-09 07:20 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-01-09 07:20 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-01-09 07:19 - 2012-12-07 05:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll
2013-01-09 07:19 - 2012-12-07 05:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll
2013-01-09 07:19 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll
2013-01-09 07:19 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll
2013-01-09 07:19 - 2012-12-07 03:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs
2013-01-09 07:19 - 2012-12-07 03:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs
2013-01-09 07:19 - 2012-12-07 03:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs
2013-01-09 07:19 - 2012-12-07 03:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs
2013-01-09 07:19 - 2012-12-07 03:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs
2013-01-09 07:19 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs
2013-01-09 07:19 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs
2013-01-09 07:19 - 2012-12-07 03:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs
2013-01-09 07:19 - 2012-12-07 03:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs
2013-01-09 07:19 - 2012-12-07 03:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs
2013-01-09 07:19 - 2012-12-07 03:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs
2013-01-09 07:19 - 2012-12-07 03:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs
2013-01-09 07:19 - 2012-12-07 03:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs
2013-01-09 07:19 - 2012-12-07 03:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs
2013-01-09 07:19 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs
2013-01-09 07:19 - 2012-11-21 21:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll
2013-01-09 07:19 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2013-01-09 07:19 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-09 07:19 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-01-09 07:19 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-01-09 07:19 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2013-01-09 07:19 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2013-01-09 07:19 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2013-01-09 07:17 - 2012-11-29 21:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-01-09 07:17 - 2012-11-29 21:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-01-09 07:17 - 2012-11-29 21:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-01-09 07:17 - 2012-11-29 21:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-01-09 07:17 - 2012-11-29 21:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-01-09 07:17 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-01-09 07:17 - 2012-11-29 21:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-01-09 07:17 - 2012-11-29 20:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-01-09 07:17 - 2012-11-29 20:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 19:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-01-09 07:17 - 2012-11-29 18:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-01-09 07:17 - 2012-11-29 18:44 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-01-09 07:17 - 2012-11-29 18:44 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-01-09 07:17 - 2012-11-29 18:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-01-09 07:17 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-01-09 07:17 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls
2013-01-09 07:17 - 2012-11-29 15:15 - 00420064 ____A C:\Windows\System32\locale.nls
2013-01-09 07:15 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-09 07:15 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-01-08 15:18 - 2013-01-08 16:35 - 16369160 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-01-08 14:18 - 2013-01-08 14:20 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{C5F45A16-B416-4258-A13E-2E3A2C08A191}
2013-01-08 07:55 - 2013-01-10 08:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird.bak
2013-01-08 07:36 - 2013-01-18 22:40 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\Spotify
2013-01-08 07:36 - 2013-01-08 07:36 - 00001879 ____A C:\Users\Christopher Butler\Desktop\Spotify.lnk
2013-01-08 07:35 - 2013-01-18 22:41 - 00000000 ____D C:\Users\Christopher Butler\AppData\Roaming\Spotify
2013-01-04 13:14 - 2013-01-04 13:14 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{FB9E0574-68A3-4FB1-9956-7AFF2CE2539F}
2013-01-04 12:48 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2013-01-04 12:48 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2013-01-04 12:48 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-01-04 12:48 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

==================== One Month Modified Files and Folders =======

2013-01-19 00:49 - 2013-01-19 00:49 - 00000000 ___DC C:\FRST
2013-01-18 22:41 - 2013-01-08 07:35 - 00000000 ____D C:\Users\Christopher Butler\AppData\Roaming\Spotify
2013-01-18 22:41 - 2012-04-05 05:53 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-18 22:41 - 2011-10-26 22:23 - 00000000 ____D C:\Users\Christopher Butler\AppData\Roaming\Dropbox
2013-01-18 22:40 - 2013-01-12 12:32 - 00000918 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-18 22:40 - 2013-01-08 07:36 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\Spotify
2013-01-18 22:40 - 2012-08-11 07:34 - 00000000 ____D C:\Users\Christopher Butler\Tracing
2013-01-18 22:40 - 2011-10-26 22:25 - 00000000 ___RD C:\Users\Christopher Butler\Dropbox
2013-01-18 22:39 - 2013-01-18 07:22 - 00118784 ____A (Ukok) C:\Users\Christopher Butler\AppData\Roaming\phxzbypky.exe
2013-01-18 22:39 - 2013-01-18 07:17 - 00118784 ____A (Ukok) C:\Users\Christopher Butler\AppData\Local\phxzbypky.exe
2013-01-18 22:38 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-18 22:38 - 2009-07-13 20:51 - 00061853 ____A C:\Windows\setupact.log
2013-01-18 21:50 - 2010-09-16 23:04 - 01057126 ____A C:\Windows\WindowsUpdate.log
2013-01-18 21:50 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-18 21:50 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-18 21:41 - 2013-01-18 21:41 - 00003198 ____A C:\Users\Christopher Butler\Desktop\Rkill.txt
2013-01-18 21:41 - 2013-01-18 21:41 - 00000000 ____D C:\Users\Christopher Butler\Desktop\rkill
2013-01-18 21:33 - 2011-01-13 12:50 - 00000000 ____D C:\Windows\Minidump
2013-01-18 21:33 - 2010-09-29 17:49 - 00270037 ____N C:\Windows\Minidump\011813-26130-01.dmp
2013-01-18 07:33 - 2013-01-18 07:33 - 00118784 ____A (Ukok) C:\Users\Guest\AppData\Roaming\phxzbypky.exe
2013-01-18 07:33 - 2013-01-18 07:33 - 00118784 ____A (Ukok) C:\Users\Guest\AppData\Local\phxzbypky.exe
2013-01-18 07:33 - 2013-01-18 07:33 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Macromedia
2013-01-18 07:33 - 2013-01-18 07:33 - 00000000 ____D C:\Users\Guest\AppData\Local\Macromedia
2013-01-18 07:33 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Adobe
2013-01-18 07:32 - 2013-01-18 07:32 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Mozilla
2013-01-18 07:32 - 2013-01-18 07:32 - 00000000 ____D C:\Users\Guest\AppData\Local\Mozilla
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Hewlett-Packard
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Apple Computer
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Local\VirtualStore
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Local\Symantec
2013-01-18 07:29 - 2013-01-18 07:29 - 00000000 ____D C:\Users\Guest\AppData\Local\Adobe
2013-01-18 07:29 - 2013-01-18 07:28 - 00000000 ____D C:\users\Guest
2013-01-18 07:28 - 2013-01-18 07:28 - 00000020 __ASH C:\Users\Guest\ntuser.ini
2013-01-18 06:56 - 2012-03-08 08:36 - 00000960 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1435301549-4058634163-3032101080-1000UA.job
2013-01-18 06:47 - 2013-01-12 12:32 - 00000922 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-17 19:54 - 2013-01-16 06:20 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{67F6B298-6ED9-4F48-BEE4-151E4957F0BA}
2013-01-17 12:15 - 2012-03-08 08:36 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1435301549-4058634163-3032101080-1000Core.job
2013-01-15 13:54 - 2010-10-12 22:14 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-01-15 13:53 - 2010-10-12 22:12 - 00000000 ____D C:\Users\Christopher Butler\AppData\Roaming\HP Support Assistant
2013-01-15 13:53 - 2010-09-30 22:16 - 00000000 ____D C:\Users\Christopher Butler\AppData\Roaming\HpUpdate
2013-01-14 07:50 - 2013-01-14 07:50 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{3FF173F4-9E37-47C7-8CC9-E83576F3DE76}
2013-01-14 07:46 - 2012-05-04 22:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-01-14 07:46 - 2010-09-29 17:49 - 00094760 ____A C:\Windows\PFRO.log
2013-01-13 16:19 - 2013-01-13 12:43 - 00000000 ____D C:\Users\Christopher Butler\Desktop\Sam's House
2013-01-12 12:34 - 2013-01-12 12:34 - 00002261 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-01-12 12:34 - 2013-01-12 12:32 - 00000000 ___DC C:\Program Files (x86)\Google
2013-01-12 09:13 - 2013-01-12 09:12 - 00004424 ____A C:\Windows\SysWOW64\jupdate-1.7.0_10-b18.log
2013-01-12 09:13 - 2010-11-27 19:19 - 00000000 ___DC C:\Program Files (x86)\Java
2013-01-10 20:36 - 2013-01-10 20:36 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{35AF64E7-0EA4-4D7B-A34A-1A5FC6A37579}
2013-01-10 20:23 - 2013-01-10 20:23 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-10 13:25 - 2013-01-10 13:25 - 00000000 ____D C:\Users\Christopher Butler\AppData\Roaming\EndNote
2013-01-10 13:20 - 2010-09-29 16:55 - 00000000 ____D C:\users\Christopher Butler
2013-01-10 13:19 - 2013-01-10 13:19 - 00000000 ____D C:\Users\Public\Documents\EndNote
2013-01-10 13:19 - 2013-01-10 13:18 - 00000000 ___DC C:\Program Files (x86)\EndNote X6
2013-01-10 13:15 - 2013-01-10 13:15 - 71518314 ____A (Igor Pavlov) C:\Users\Christopher Butler\Desktop\endnote.exe
2013-01-10 08:54 - 2013-01-10 08:54 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{8277D755-6F01-4F45-9D95-2D236758FAAF}
2013-01-10 08:47 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-01-10 08:04 - 2013-01-09 14:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-01-10 08:04 - 2013-01-08 07:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird.bak
2013-01-09 15:03 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-01-09 11:49 - 2013-01-09 11:49 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{685A63EC-24DD-47DD-BCFE-DB8F7D205B14}
2013-01-09 11:45 - 2009-07-13 20:45 - 02356552 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-09 09:49 - 2009-07-13 21:13 - 00741188 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-09 09:43 - 2010-09-30 16:59 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-01-08 17:52 - 2011-01-05 13:06 - 00018432 ____A C:\Users\Christopher Butler\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-08 16:35 - 2013-01-08 15:18 - 16369160 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-01-08 16:35 - 2012-04-05 05:53 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-08 16:35 - 2011-05-20 08:04 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-08 14:20 - 2013-01-08 14:18 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{C5F45A16-B416-4258-A13E-2E3A2C08A191}
2013-01-08 14:15 - 2012-03-06 21:23 - 00000384 ____A C:\Windows\Tasks\HPCeeScheduleForChristopher Butler.job
2013-01-08 13:28 - 2011-11-01 19:14 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-01-08 07:59 - 2011-02-05 10:27 - 06515200 __ASH C:\Users\Christopher Butler\Desktop\Thumbs.db
2013-01-08 07:36 - 2013-01-08 07:36 - 00001879 ____A C:\Users\Christopher Butler\Desktop\Spotify.lnk
2013-01-05 12:45 - 2010-11-10 22:10 - 00000000 ____D C:\Users\Christopher Butler\AppData\Roaming\Skype
2013-01-04 13:14 - 2013-01-04 13:14 - 00000000 ____D C:\Users\Christopher Butler\AppData\Local\{FB9E0574-68A3-4FB1-9956-7AFF2CE2539F}
2013-01-04 07:53 - 2013-01-15 07:02 - 09060864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-01-04 07:32 - 2013-01-15 07:02 - 06029824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-12 09:11:37
Restore point made on: 2013-01-15 19:26:17

==================== Memory info ===========================

Percentage of memory in use: 32%
Total physical RAM: 3037.24 MB
Available physical RAM: 2063.05 MB
Total Pagefile: 3035.39 MB
Available Pagefile: 2166.51 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:584.87 GB) (Free:277.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (HP_RECOVERY) (Fixed) (Total:11.2 GB) (Free:1.37 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: (STORE N GO) (Removable) (Total:3.83 GB) (Free:2.2 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 3934 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 584 GB 101 MB
Partition 3 Primary 11 GB 584 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 584 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 11 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3930 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G STORE N GO FAT32 Removable 3930 MB Healthy

=========================================================

Last Boot: 2013-01-04 13:35

==================== End Of Log =============================


Farbar Recovery Scan Tool (x64) Version: 15-01-2013
Ran by SYSTEM at 2013-01-19 00:53:43
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======


Deep gratitude and thanks in advance for any help.

CB



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,236 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:49 AM

Posted 19 January 2013 - 03:55 AM

Hello saathi! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



Please download the enclosed file to the USB drive. (Attached file: fixlist.txt, 777 bytes)

You should now have both fixlist.txt and FRST.exe on your flash drive.

Now please enter System Recovery Options as you did before.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Regards,
Georgi

qnfKk.jpg
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here - paypal.gif


#3 saathi

saathi
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 19 January 2013 - 09:57 AM

Thank you so much, Georgi... here is my fixlog text

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-01-2013
Ran by SYSTEM at 2013-01-19 08:54:35 Run:1
Running from G:\

==============================================

HKEY_USERS\Christopher Butler\Software\Microsoft\Windows\CurrentVersion\Run\\ieodjrzotp Value deleted successfully.
HKEY_USERS\Christopher Butler\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_USERS\Guest\Software\Microsoft\Windows\CurrentVersion\Run\\ieodjrzotp Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
C:\Users\Guest\AppData\Roaming\phxzbypky.exe moved successfully.
C:\Users\Guest\AppData\Local\phxzbypky.exe moved successfully.
C:\Users\Christopher Butler\AppData\Roaming\phxzbypky.exe moved successfully.
C:\Users\Christopher Butler\AppData\Local\phxzbypky.exe moved successfully.

==== End of Fixlog ====
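The Fixlog above records four registry actions and four file moves, and together they describe how this lock-screen ransomware kept control of the desktop: a random-named Run value in each user hive, a DisableTaskMgr policy, a replaced Winlogon Shell value, and the same executable dropped under both AppData paths. As an added example (not FRST's own code and not from anyone in this thread), here is a small Python parser for that Fixlog line format that groups each action by the technique it indicates. The category names are my own labels, not FRST terminology; the sample input is constructed from the log lines posted above.

```python
"""Parse FRST Fixlog action lines and flag the persistence / lockout techniques
they reveal.  Added example; the category names are this script's own labels."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the action lines from the Fixlog posted above.
SAMPLE_FIXLOG = r"""
HKEY_USERS\Christopher Butler\Software\Microsoft\Windows\CurrentVersion\Run\\ieodjrzotp Value deleted successfully.
HKEY_USERS\Christopher Butler\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_USERS\Guest\Software\Microsoft\Windows\CurrentVersion\Run\\ieodjrzotp Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
C:\Users\Guest\AppData\Roaming\phxzbypky.exe moved successfully.
C:\Users\Guest\AppData\Local\phxzbypky.exe moved successfully.
C:\Users\Christopher Butler\AppData\Roaming\phxzbypky.exe moved successfully.
C:\Users\Christopher Butler\AppData\Local\phxzbypky.exe moved successfully.
"""

# FRST writes registry value lines as "<key>\\<value name> Value <verb> successfully."
# (a double backslash separates the key from the value name; "was restored" has a
# stray space before the final period in the real log, hence the optional space).
REG_LINE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?)\\\\(?P<name>[^\\\s]+) Value (?:was )?"
    r"(?P<verb>deleted|restored) successfully ?\.$"
)
# File lines are "<full path> moved successfully." (moved into C:\FRST\Quarantine).
FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) moved successfully\.$")


@dataclass
class Action:
    kind: str             # "registry" or "file"
    target: str           # registry key path or file path
    name: Optional[str]   # registry value name (None for files)
    verb: str             # "deleted", "restored" or "moved"


def parse_fixlog(text: str) -> List[Action]:
    """Return one Action per recognised Fixlog line; other lines are ignored."""
    actions: List[Action] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_LINE.match(line)
        if m:
            actions.append(Action("registry", m["key"], m["name"], m["verb"]))
            continue
        m = FILE_LINE.match(line)
        if m:
            actions.append(Action("file", m["path"], None, "moved"))
    return actions


def classify(action: Action) -> Optional[str]:
    """Map one action to the technique it indicates (labels are this script's own)."""
    target = action.target.lower()
    name = (action.name or "").lower()
    if action.kind == "registry":
        if target.endswith("\\currentversion\\run"):
            return "user_run_autostart"        # payload relaunched at every logon
        if "\\policies\\system" in target and name == "disabletaskmgr":
            return "taskmgr_disabled"          # victim cannot kill the lock screen
        if target.endswith("\\winlogon") and name == "shell":
            return "winlogon_shell_hijack"     # lock screen runs instead of explorer.exe
        return None
    if target.endswith(".exe") and (
        "\\appdata\\roaming\\" in target or "\\appdata\\local\\" in target
    ):
        return "dropped_executable"            # binary staged in a user-writable profile path
    return None


def summarize(text: str) -> Dict[str, List[str]]:
    """Group flagged actions by technique; each entry is 'key\\value' or a file path."""
    findings: Dict[str, List[str]] = {}
    for action in parse_fixlog(text):
        category = classify(action)
        if category is None:
            continue
        label = action.target + ("\\" + action.name if action.name else "")
        findings.setdefault(category, []).append(label)
    return findings


if __name__ == "__main__":
    for category, items in summarize(SAMPLE_FIXLOG).items():
        print(category)
        for item in items:
            print("    ", item)
```

The useful observation for a responder is that the same Run value name and the same dropped file name appear under two different user profiles, so cleaning only the profile that showed the lock screen would have left the Guest account re-infecting the machine at its next logon; the script surfaces that by listing every hive and path under one category.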

#4 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,236 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:49 AM

Posted 19 January 2013 - 10:04 AM

Hi,


Can you boot normally now?


If so, can you please go to C:\FRST\Quarantine and right-click on the folder, select Send to > Compressed (zipped) folder; that will make a zipped copy of this folder.
Then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit to antivirus companies if needed.
After that please delete the zip files you just created.



Regards,
Georgi



#5 saathi

saathi
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 19 January 2013 - 10:45 AM

I can boot normally. Thank you so much. You guys are awesome. I've submitted the zip.

#6 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,236 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:49 AM

Posted 19 January 2013 - 10:49 AM

Hi,


I am glad to hear the issue is solved. :)


Let's check for leftovers.
Most of them should take no more than 5 minutes each.
Eset could take up to an hour or two depending on the size of your hard drive and the speed of your computer.
You can run these scans at night when you are not there and the computer is idle.



STEP 1


  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.


STEP 2



Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


STEP 3


  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking its icon.
  • Once the program has loaded, go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



STEP 4



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on the [image] link to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


STEP 5



Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


STEP 6



Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Regards,
Georgi



#7 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,236 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:49 AM

Posted 21 January 2013 - 06:02 AM

Hi,

It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.


Regards,
Georgi



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,236 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:49 AM

Posted 23 January 2013 - 06:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
