
Google Redirect Virus


  • This topic is locked
17 replies to this topic

#1 TheProgramer

TheProgramer

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey
  • Local time:02:04 PM

Posted 21 April 2012 - 10:45 AM

PROBLEM
When I click a link in GOOGLE I am redirected.

ATTEMPTED SOLUTIONS
  • I have had this problem before and the only solution was COMBOFIX. I tried it and after COMBOFIX was finished I was unable to start my computer. It would get part way through, then crash with a blue screen for less than 2 seconds, then turn off. What I had to do was use SYSTEM RESTORE to get my computer to work again.
  • I have used MALWAREBYTES in safe mode SEVERAL times and every time it finds stuff, then 'removes' them, then when I scan again it finds stuff again.
  • I have used SPYBOT S&D and it never finds anything.
  • I have used TDSSKILLER and it found something and removed it. I restarted and ran it again. It found the same thing. I removed it again and restarted again. I ran it a third time and it no longer detects it.

OTHER NOTES
  • I figured out it was because COMBOFIX was deleting this file: c:\windows\system32\consrv.dll
  • I manually deleted that file and my computer repeated its not starting behavior. So I restored again.
  • Everything I used was fully updated.
  • I know the folder C:\Windows\System64 is nothing but evil so I deleted it. It reappears every time I restart my computer (even if it's in safe mode).
  • Logs attached.


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:04 PM

Posted 21 April 2012 - 02:21 PM

Hi TheProgramer,


Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

 

Please take note:

  • If you have since resolved the original problem you were having, I would appreciate you letting me know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and I will guide you.
  • Please tell me if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps I have recommended please try one more time and if unsuccessful alert us of such and I will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 TheProgramer

TheProgramer
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey
  • Local time:02:04 PM

Posted 22 April 2012 - 12:29 AM

Hey Jason, thanks for taking the time to help me! I appreciate you volunteering your time.

I do not have my original Windows CD available.

Here is my log (you say not to post the log or attach it, but then you say to follow the instructions that DDS provides, and they say to attach it, so here it is).

Note that every time I start my computer I delete the file C:\Windows\System64, so the scan was done after I had deleted that folder.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Caleb at 1:20:12 on 2012-04-22
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2811 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Windows\system32\lxdxcoms.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.blizzard.com/en-us/
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [Steam] "D:\Program Files\Steam\steam.exe" -silent
uRun: [Akamai NetSession Interface] "C:\Users\Caleb\AppData\Local\Akamai\netsession_win.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{BB53ADB3-0DA4-4ABB-9F0B-B8926A61721E} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{BD274010-DC8C-4589-B83B-83026F15E9AA} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{BD274010-DC8C-4589-B83B-83026F15E9AA}\25564635F6872557C65633 : DhcpNameServer = 68.87.64.150 68.87.75.198
TCP: Interfaces\{BD274010-DC8C-4589-B83B-83026F15E9AA}\45865602741627F66616C6F6026416D696C697 : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{BD274010-DC8C-4589-B83B-83026F15E9AA}\631313 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BD274010-DC8C-4589-B83B-83026F15E9AA}\C696E6B6379737 : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB-X64: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {00000000-0000-0000-0000-000000000000} - No File
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-1-4 8704]
R2 lxdx_device;lxdx_device;C:\Windows\system32\lxdxcoms.exe -service --> C:\Windows\system32\lxdxcoms.exe -service [?]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2mdx64.sys --> C:\Windows\system32\DRIVERS\o2mdx64.sys [?]
R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sdx64.sys --> C:\Windows\system32\DRIVERS\o2sdx64.sys [?]
R3 TotRec8;Total Recorder WDM audio filter driver;\??\C:\Windows\system32\drivers\TotRec8.sys --> C:\Windows\system32\drivers\TotRec8.sys [?]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);C:\Windows\system32\DRIVERS\vcsvad.sys --> C:\Windows\system32\DRIVERS\vcsvad.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 acrosysbackup_exJ2rTliAtja;Acronis System Backup;C:\Windows\system32\wirepots.exe --> C:\Windows\system32\wirepots.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc --> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [?]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\lxdxserv.exe [2010-8-3 29184]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-1-31 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-2 253088]
S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\system32\DRIVERS\ivusb.sys --> C:\Windows\system32\DRIVERS\ivusb.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SWDUMon;SWDUMon;C:\Windows\system32\DRIVERS\SWDUMon.sys --> C:\Windows\system32\DRIVERS\SWDUMon.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-7-10 47128]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2012-04-22 05:18:33 -------- d-----w- C:\Users\Caleb\AppData\Local\{AF99E0A6-5948-4318-9742-DA6AD1FFEE43}
2012-04-22 05:18:22 -------- d-----w- C:\Users\Caleb\AppData\Local\{67696A9D-58B4-4137-BED3-8A2EAAEF983C}
2012-04-22 05:16:36 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4EC89A51-3D29-485F-BE4B-C6540B98B654}\offreg.dll
2012-04-20 19:34:36 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4EC89A51-3D29-485F-BE4B-C6540B98B654}\mpengine.dll
2012-04-20 18:38:49 98816 ----a-w- C:\Windows\sed.exe
2012-04-20 18:38:49 518144 ----a-w- C:\Windows\SWREG.exe
2012-04-20 18:38:49 256000 ----a-w- C:\Windows\PEV.exe
2012-04-20 18:38:49 208896 ----a-w- C:\Windows\MBR.exe
2012-04-20 18:38:35 -------- d-s---w- C:\ComboFix
2012-04-20 06:58:54 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-04-20 05:52:22 -------- d-----w- C:\Users\Caleb\AppData\Local\{C1B5AA9D-700E-4E16-AF70-60A550EA568C}
2012-04-18 21:57:06 -------- d-----w- C:\Users\Caleb\AppData\Local\{4BF9294E-512C-44F6-AD3A-F898162AE26D}
2012-04-18 21:56:55 -------- d-----w- C:\Users\Caleb\AppData\Local\{FB0B8027-C3CC-45CC-85ED-5A87415225CD}
2012-04-18 00:59:47 -------- d-----w- C:\Users\Caleb\AppData\Local\{AAB56D53-4CA4-4B9C-91AE-EDB418D40190}
2012-04-18 00:59:36 -------- d-----w- C:\Users\Caleb\AppData\Local\{F6CBA245-2B4D-4A33-A999-3DB24E7E3DDF}
2012-04-17 14:29:41 -------- d-----w- C:\Users\Caleb\AppData\Local\{001D91DC-7553-42E1-B3A5-0B89BC30E608}
2012-04-15 03:55:11 -------- d-----w- C:\Users\Caleb\AppData\Local\{F025D07D-A864-4356-A0B0-DC2F2CC92213}
2012-04-15 03:55:00 -------- d-----w- C:\Users\Caleb\AppData\Local\{B5F7D970-ADCC-4894-AE5B-3F35BF1AA03B}
2012-04-14 11:30:58 -------- d-----w- C:\Users\Caleb\AppData\Local\{E61EB7F1-F402-4E3A-9A81-0E36116F2EF4}
2012-04-14 11:30:47 -------- d-----w- C:\Users\Caleb\AppData\Local\{8B75F9B2-F4A3-4F39-AC87-3BFE9BCD77B7}
2012-04-11 12:45:37 -------- d-----w- C:\Users\Caleb\AppData\Local\{27664A51-4315-4EC6-95F6-F2B817CDA96D}
2012-04-11 12:45:12 -------- d-----w- C:\Users\Caleb\AppData\Local\{8566D7C8-51B2-4B84-835F-CB8BE74C41D6}
2012-04-10 17:33:37 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-10 17:33:37 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-10 17:33:36 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-10 17:29:42 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-10 17:29:42 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-10 17:29:42 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-10 17:29:40 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-10 17:29:40 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-10 17:29:40 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-10 17:29:40 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-10 15:38:02 -------- d-----w- C:\Users\Caleb\AppData\Local\{FB66730E-764B-4C34-BE5C-A29B36E59491}
2012-04-10 15:37:50 -------- d-----w- C:\Users\Caleb\AppData\Local\{33127D64-FAAC-4EFD-8B27-284202E6F9FB}
2012-04-08 14:50:55 -------- d-----w- C:\Users\Caleb\AppData\Local\{103362D0-9D5A-49A4-8F6A-18B763F93DFB}
2012-04-08 14:50:45 -------- d-----w- C:\Users\Caleb\AppData\Local\{CBC24B69-70D6-4E48-9947-F65784889E5E}
2012-04-08 14:42:57 -------- d-----w- C:\Program Files\iTunes
2012-04-08 14:42:57 -------- d-----w- C:\Program Files\iPod
2012-04-08 03:06:10 -------- d-----w- C:\Users\Caleb\AppData\Local\{4A81A784-7E12-4895-A77B-D89D7CDE0979}
2012-04-07 06:29:26 -------- d-----w- C:\Users\Caleb\AppData\Local\{1351519B-BE2F-443A-86F0-63F39E121177}
2012-04-07 06:29:15 -------- d-----w- C:\Users\Caleb\AppData\Local\{ABAF41EE-47E0-4DE4-9AAD-3168AE0D83DE}
2012-04-07 06:28:01 -------- d-----w- C:\Windows\en
2012-04-07 06:21:52 89944 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\DSETUP.dll
2012-04-07 06:21:52 537432 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\DXSETUP.exe
2012-04-07 06:21:52 1801048 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\dsetup32.dll
2012-04-07 06:20:50 -------- d-----w- C:\Users\Caleb\AppData\Local\{B92EBD37-5DA3-49FD-B63E-A5B2D7400E92}
2012-04-07 06:20:39 -------- d-----w- C:\Users\Caleb\AppData\Local\{3E7034FC-8C6B-4A7D-B057-A72629D6438C}
2012-04-06 22:22:42 -------- d-----w- C:\Users\Caleb\AppData\Local\{18F7CE18-6BAD-49F6-B3DB-3A00CEC34D13}
2012-04-06 22:22:32 -------- d-----w- C:\Users\Caleb\AppData\Local\{B6079E04-AC53-411D-8896-F089B33C5FD4}
2012-04-06 18:18:58 -------- d-----w- C:\Users\Caleb\AppData\Local\{40C45008-69EA-4FE5-8C4F-EE1CB6962349}
2012-04-06 18:18:17 -------- d-----w- C:\Users\Caleb\AppData\Local\{000A181E-8DEB-4F86-B2CD-E2066AC6B13F}
2012-04-05 04:38:43 -------- d-----w- C:\Users\Caleb\AppData\Local\{743783A6-CAF4-41C7-B62B-C1B4D254027D}
2012-04-05 04:38:20 -------- d-----w- C:\Users\Caleb\AppData\Local\{8F867343-4454-4AE5-97EA-CB66B8CC300E}
2012-04-05 03:01:03 -------- d-----w- C:\Users\Caleb\AppData\Local\{63325AF5-C349-4B13-ABFC-73403447301E}
2012-04-05 02:47:00 -------- d-----w- C:\Users\Caleb\AppData\Local\{C231530C-0D36-4B38-9B09-E5B18AC7CA5B}
2012-04-04 08:14:03 -------- d-----w- C:\Users\Caleb\AppData\Local\{24532CAF-D2CD-4A6C-B4FD-B8549096DD16}
2012-04-03 23:24:16 -------- d-----w- C:\Users\Caleb\AppData\Local\{DDE45303-16E9-467C-AADE-A6EF8219A390}
2012-04-03 23:24:05 -------- d-----w- C:\Users\Caleb\AppData\Local\{FDD874D7-DA45-4AA4-9F0C-382A41C4C2EC}
2012-04-03 16:40:07 -------- d-----w- C:\Users\Caleb\AppData\Local\{5461D794-BB73-4853-BECC-93AC43AB911F}
2012-04-03 16:39:57 -------- d-----w- C:\Users\Caleb\AppData\Local\{A9EFEFBB-3B72-4739-8A25-C2C9CEAB31D9}
2012-04-03 04:09:41 -------- d-----w- C:\Users\Caleb\AppData\Local\{BC03DECB-9DB0-4786-9D9B-7F3A170347FA}
2012-04-03 04:09:25 -------- d-----w- C:\Users\Caleb\AppData\Local\{5B296E1C-7344-4311-AA80-869F588D3052}
2012-04-02 11:59:28 8741536 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-02 11:44:45 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-02 07:21:14 -------- d-----w- C:\Users\Caleb\AppData\Local\{9FDC32D8-9BE3-4B82-BAE3-643E862213F6}
2012-04-02 02:41:24 -------- d-----w- C:\Users\Caleb\AppData\Local\{CEBEE2A6-2CAB-43F7-B316-ECB4696464F6}
2012-04-02 02:41:12 -------- d-----w- C:\Users\Caleb\AppData\Local\{7BDABE43-D63C-478E-8215-5AA9027B50E5}
2012-04-01 21:30:28 -------- d-----w- C:\Users\Caleb\AppData\Local\{98360B09-AA61-4B3B-B779-2803BC9D7D99}
2012-04-01 21:30:05 -------- d-----w- C:\Users\Caleb\AppData\Local\{6A8A9DA9-9F3D-48FE-A1A7-1B2F9AEA71BC}
2012-04-01 21:00:04 -------- d-----w- C:\Users\Caleb\AppData\Local\{45253104-7437-495F-B1ED-A401D0A51633}
2012-04-01 20:59:52 -------- d-----w- C:\Users\Caleb\AppData\Local\{D4F8CBAB-48C1-4DC0-AB24-AF8088616EA7}
2012-04-01 18:03:59 -------- d-----w- C:\Users\Caleb\AppData\Local\{E62FCFE0-FEDA-4BA2-952D-DE19A1537C8C}
2012-04-01 18:03:25 -------- d-----w- C:\Users\Caleb\AppData\Local\{899546A1-0676-4949-888C-FEA6652B7514}
2012-03-31 05:02:32 -------- d-----w- C:\Users\Caleb\AppData\Local\{07D53A93-EF44-446A-9CCC-A6CD4564FC34}
2012-03-31 05:02:16 -------- d-----w- C:\Users\Caleb\AppData\Local\{C6CAFE9C-D6DF-4BC3-9446-71255A121CCB}
2012-03-30 15:16:25 -------- d-----w- C:\Users\Caleb\AppData\Local\{61EBEE71-37F9-46CA-998F-AAC0AE87111B}
2012-03-28 19:37:28 -------- d-----w- C:\Users\Caleb\AppData\Local\{63117794-EE6D-4820-BD7E-B657F80C65C0}
2012-03-28 19:37:18 -------- d-----w- C:\Users\Caleb\AppData\Local\{407230E5-55A3-4C8A-80BF-8BE30B0A4ED6}
2012-03-26 20:50:31 -------- d-----w- C:\Users\Caleb\AppData\Local\{D7E9140B-DF47-4C84-8A8B-35910302AE03}
2012-03-26 20:50:21 -------- d-----w- C:\Users\Caleb\AppData\Local\{54521E06-1AC3-4E20-96C2-4897FC2D8635}
2012-03-26 15:41:34 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
2012-03-25 21:53:29 -------- d-----w- C:\Users\Caleb\AppData\Local\{6FEDF100-5432-4190-B436-D41AA08795B0}
2012-03-25 21:53:18 -------- d-----w- C:\Users\Caleb\AppData\Local\{A481EDF3-2E58-4C86-ABD7-86C6E14F35B5}
2012-03-23 20:22:47 -------- d-----w- C:\Users\Caleb\AppData\Local\{E89B1DD6-49EE-4016-965D-B37374CDE176}
2012-03-23 20:22:35 -------- d-----w- C:\Users\Caleb\AppData\Local\{CD4AE716-22F3-4A37-BC3C-7CEEA62C029C}
.
==================== Find3M ====================
.
2012-04-14 04:59:08 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-08 22:37:20 302448 ----a-w- C:\Windows\WLXPGSS.SCR
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-15 15:01:50 52736 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2012-02-15 15:01:50 4547944 ----a-w- C:\Windows\System32\usbaaplrc.dll
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-07 15:02:40 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-01-25 06:38:39 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-01-25 06:38:38 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-01-25 06:33:30 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2010-06-17 21:31:57 388608 ----a-w- C:\Program Files (x86)\HijackThis.exe
.
============= FINISH: 1:23:25.39 ===============


Edited by TheProgramer, 22 April 2012 - 12:32 AM.
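The line worth isolating in the DDS log above is `SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4`. On a stock Windows 7 install the console server slot (index 2) is served by winsrv.dll; the ZeroAccess family rewrites that ServerDll entry so csrss.exe loads its dropped consrv.dll instead, which is also why deleting the file on its own leaves csrss unable to initialise and is consistent with the boot crash described in the first post (the registry entry has to be restored at the same time). The script below is an added example for this thread, not DDS, FRST or BleepingComputer code: it parses that line from a pasted DDS log and flags any ServerDll outside the expected set, plus any module other than winsrv occupying slot 2. The two sample log lines, the function names and the known-DLL set are this example's own assumptions.

```python
"""Flag unexpected ServerDll entries on the DDS 'SubSystems: Windows' line.

Added example for this thread; it is not DDS, FRST or BleepingComputer code.
It assumes the line format DDS printed in the log above and a stock Windows 7
ServerDll set (basesrv, winsrv, sxssrv). The sample log lines are constructed.
"""
import re

# Modules a stock Windows 7 csrss loads as ServerDlls (assumption for this example;
# re-check against a known-clean machine of the same OS version before relying on it).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# The console server slot (index 2) is normally served by winsrv on Windows 7.
CONSOLE_SLOT = 2

SUBSYSTEMS_RE = re.compile(r"^SubSystems:\s*Windows\s*=\s*(.+)$")
ENTRY_RE = re.compile(r"^([A-Za-z0-9_]+)(?::([A-Za-z0-9_]+))?,(\d+)$")

# Constructed samples: the first mirrors the infected log in this thread, the second is
# what a clean Windows 7 machine prints for the same value.
SAMPLE_INFECTED = [
    "============== Pseudo HJT Report ===============",
    "SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 "
    "consrv:ConServerDllInitialization,2 sxssrv,4",
]
SAMPLE_CLEAN = [
    "SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 "
    "winsrv:ConServerDllInitialization,2 sxssrv,4",
]


def parse_server_dlls(value):
    """Split 'basesrv,1 winsrv:UserServerDllInitialization,3 ...' into (dll, init, slot)."""
    entries = []
    for token in value.split():
        m = ENTRY_RE.match(token)
        if m is None:
            raise ValueError(f"unrecognised ServerDll entry: {token!r}")
        dll, init, slot = m.groups()
        entries.append((dll.lower(), init, int(slot)))
    return entries


def find_subsystems_value(log_lines):
    """Return the ServerDll list from the first DDS SubSystems line, or None if absent."""
    for line in log_lines:
        m = SUBSYSTEMS_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def audit_subsystems(log_lines):
    """Return a list of findings for the DDS SubSystems line; an empty list means nothing odd."""
    value = find_subsystems_value(log_lines)
    if value is None:
        return ["no SubSystems line found in log"]
    findings = []
    entries = parse_server_dlls(value)
    for dll, init, slot in entries:
        if dll not in KNOWN_SERVER_DLLS:
            findings.append(f"unexpected ServerDll {dll}.dll (slot {slot}, init {init})")
    # Slot 2 should be winsrv's console initialisation; any other module there means the
    # console server was redirected, which is the consrv.dll pattern seen in this thread.
    console = [dll for dll, _, slot in entries if slot == CONSOLE_SLOT]
    if console and console[0] != "winsrv":
        findings.append(
            f"console server slot {CONSOLE_SLOT} served by {console[0]}.dll instead of winsrv.dll"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, audit_subsystems(sample) or ["ok"])
```

Paste the whole DDS log into a file and feed its lines to `audit_subsystems`; a clean result is an empty list. The known-DLL set is deliberately small so that anything new stands out, but it is tied to the OS version: verify it against a trusted machine running the same Windows build before treating a hit as confirmed.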


#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:04 PM

Posted 23 April 2012 - 10:57 AM

Hi TheProgrammer,

It's fine that you attached the Attach.txt file (as the instructions said to do). :) Usually, we ask you copy and paste a log directly into your post, because it's easier to read. The exceptions to this are if instructions say otherwise, or a log is too large to fit in one post.


One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by jntkwx, 23 April 2012 - 11:05 AM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#5 TheProgramer

TheProgramer
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey
  • Local time:02:04 PM

Posted 23 April 2012 - 01:27 PM

Scan result of Farbar Recovery Scan Tool Version: 22-04-2012
Ran by SYSTEM at 23-04-2012 14:20:44
Running from G:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" [x]
HKU\Caleb\...\Run: [Steam] "D:\Program Files\Steam\steam.exe" -silent [x]
HKU\Caleb\...\Run: [Akamai NetSession Interface] "C:\Users\Caleb\AppData\Local\Akamai\netsession_win.exe" [x]
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [253088 2012-04-13] (Adobe Systems Incorporated)
2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [8704 2012-02-20] (Hi-Rez Studios)
3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [69632 2005-04-03] (Macrovision Corporation)
2 lxdxCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [29184 2009-10-16] (Lexmark International, Inc.)
2 lxdx_device; C:\Windows\system32\lxdxcoms.exe -service [1039872 2009-10-16] ( )
2 lxdx_device; C:\Windows\SysWow64\lxdxcoms.exe -service [589824 2009-10-16] ( )
3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [64856 2009-02-26] (Microsoft Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [43010392 2009-03-29] (Microsoft Corporation)
4 MSSQLServerADHelper100; "C:\Program Files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [47128 2008-07-10] (Microsoft Corporation)
4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe" /service msvsmon90 [4737024 2008-07-29] (Microsoft Corporation)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [66872 2009-11-20] ()
2 SkypeUpdate; "C:\Program Files (x86)\Skype\Updater\Updater.exe" [158856 2012-01-31] (Skype Technologies)
4 SQLAgent$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [366936 2009-03-29] (Microsoft Corporation)
4 SQLBrowser; "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [254808 2009-03-29] (Microsoft Corporation)
2 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [157720 2008-07-10] (Microsoft Corporation)
2 timounter; C:\Windows\System32\intelroam.dll [6656 2009-07-13] (Oak Technology Inc.)
2 acrosysbackup_exJ2rTliAtja; C:\Windows\system32\wirepots.exe [x]
2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [x]

========================== Drivers (Whitelisted) =============

3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
3 ivusb; C:\Windows\System32\Drivers\ivusb.sys [29720 2010-07-28] (Initio Corporation)
2 SecDrv; C:\Windows\SysWow64\Drivers\SecDrv.sys [11376 2003-09-08] ()
3 SWDUMon; C:\Windows\System32\Drivers\SWDUMon.sys [15672 2011-09-10] ()
3 TotRec8; C:\Windows\System32\Drivers\TotRec8.sys [122448 2010-11-23] (High Criteria inc.)
1 uiubjasm; C:\Windows\System32\Drivers\uiubjasm.sys [50000 2012-04-23] (Microsoft Corporation)
3 VCSVADHWSer; C:\Windows\System32\DRIVERS\vcsvad.sys [21504 2008-12-10] (Avnex)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 OpenLibSys; \??\C:\Windows.old\Program Files\NXP\FM Radio\OpenLibSysX64.sys [x]
1 SASDIFSV; \??\C:\Users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
1 SASKUTIL; \??\C:\Users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: timounter

============ One Month Created Files and Folders ==============

2012-04-23 10:11 - 2012-03-06 08:05 - 0000000 ____D C:\Users\Caleb\Desktop\New folder
2012-04-23 10:09 - 2010-11-20 01:26 - 0050000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\uiubjasm.sys
2012-04-22 20:43 - 2011-11-04 20:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5AFFEAFD-1351-4995-BB21-85CD74B78590}
2012-04-22 20:43 - 2011-06-06 08:13 - 0000000 ____D C:\Users\Caleb\AppData\Local\{897F5E73-C430-48F5-B9BD-756638C5A8F2}
2012-04-21 21:18 - 2011-12-14 20:26 - 0000000 ____D C:\Users\Caleb\AppData\Local\{67696A9D-58B4-4137-BED3-8A2EAAEF983C}
2012-04-21 21:18 - 2011-08-31 05:10 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AF99E0A6-5948-4318-9742-DA6AD1FFEE43}
2012-04-21 21:08 - 2012-04-21 21:04 - 0128386 ____A C:\TDSSKiller.2.7.31.0_22.04.2012_01.08.55_log.txt
2012-04-21 20:55 - 2012-04-21 01:35 - 0129908 ____A C:\TDSSKiller.2.7.31.0_22.04.2012_00.55.14_log.txt
2012-04-21 01:32 - 2012-04-21 01:30 - 0128950 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.32.49_log.txt
2012-04-21 01:28 - 2012-04-21 01:23 - 0129886 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.28.11_log.txt
2012-04-21 01:15 - 2012-04-22 15:24 - 0131196 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.15.24_log.txt
2012-04-20 21:33 - 2012-03-26 10:45 - 2072624 ____A (Kaspersky Lab ZAO) C:\Users\Caleb\Desktop\TDSSKiller.exe
2012-04-20 15:15 - 2012-04-21 02:52 - 0017806 ____A C:\ComboFix.txt
2012-04-20 13:16 - 2012-01-04 10:40 - 0001117 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-20 10:38 - 2012-04-23 10:16 - 0000000 ____D C:\Qoobox
2012-04-20 10:38 - 2012-04-21 01:22 - 0000000 ___SD C:\32788R22FWJFW
2012-04-20 10:38 - 2011-05-06 09:07 - 0208896 ____A C:\Windows\MBR.exe
2012-04-20 10:38 - 2009-11-11 11:32 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-04-20 10:38 - 2009-11-11 00:43 - 0000000 ___SD C:\ComboFix
2012-04-20 10:38 - 2009-07-13 23:50 - 0080412 ____A C:\Windows\grep.exe
2012-04-20 10:38 - 2009-07-13 23:46 - 0098816 ____A C:\Windows\sed.exe
2012-04-20 10:38 - 2009-07-13 21:32 - 0256000 ____A C:\Windows\PEV.exe
2012-04-20 10:38 - 2009-07-13 17:39 - 0068096 ____A C:\Windows\zip.exe
2012-04-20 10:38 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-04-19 22:58 - 2009-07-13 17:40 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-04-19 21:52 - 2011-06-09 08:11 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C1B5AA9D-700E-4E16-AF70-60A550EA568C}
2012-04-18 13:57 - 2011-11-06 09:56 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4BF9294E-512C-44F6-AD3A-F898162AE26D}
2012-04-18 13:56 - 2011-09-16 04:56 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FB0B8027-C3CC-45CC-85ED-5A87415225CD}
2012-04-17 16:59 - 2011-10-11 13:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AAB56D53-4CA4-4B9C-91AE-EDB418D40190}
2012-04-17 16:59 - 2011-05-15 18:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F6CBA245-2B4D-4A33-A999-3DB24E7E3DDF}
2012-04-17 06:29 - 2012-01-01 21:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{001D91DC-7553-42E1-B3A5-0B89BC30E608}
2012-04-14 19:55 - 2011-04-08 20:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B5F7D970-ADCC-4894-AE5B-3F35BF1AA03B}
2012-04-14 19:55 - 2011-04-07 06:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F025D07D-A864-4356-A0B0-DC2F2CC92213}
2012-04-14 03:30 - 2012-02-28 11:19 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8B75F9B2-F4A3-4F39-AC87-3BFE9BCD77B7}
2012-04-14 03:30 - 2011-09-14 19:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E61EB7F1-F402-4E3A-9A81-0E36116F2EF4}
2012-04-11 04:45 - 2011-11-26 22:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8566D7C8-51B2-4B84-835F-CB8BE74C41D6}
2012-04-11 04:45 - 2011-09-04 17:42 - 0000000 ____D C:\Users\Caleb\AppData\Local\{27664A51-4315-4EC6-95F6-F2B817CDA96D}
2012-04-10 09:34 - 2012-02-27 23:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-10 09:34 - 2012-02-27 22:56 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-04-10 09:34 - 2012-02-27 22:48 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-10 09:34 - 2012-02-27 22:45 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-04-10 09:34 - 2012-02-27 22:42 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-10 09:34 - 2012-02-27 17:52 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-04-10 09:34 - 2012-02-27 17:18 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-04-10 09:34 - 2012-02-27 17:09 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-04-10 09:34 - 2012-02-27 17:06 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-04-10 09:34 - 2012-02-27 17:03 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-04-10 09:34 - 2011-05-02 21:29 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-04-10 09:34 - 2011-05-02 20:30 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-04-10 09:34 - 2010-11-20 05:27 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-04-10 09:34 - 2010-11-20 04:21 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-04-10 09:34 - 2009-07-13 17:41 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-10 09:34 - 2009-07-13 17:38 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-10 09:34 - 2009-07-13 17:16 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-04-10 09:34 - 2009-07-13 17:14 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-04-10 09:33 - 2009-07-13 17:41 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-10 09:33 - 2009-07-13 17:16 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-04-10 09:33 - 2009-07-13 17:16 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-10 09:29 - 2009-07-13 17:47 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-04-10 09:29 - 2009-07-13 17:41 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-04-10 09:29 - 2009-07-13 17:38 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-04-10 09:29 - 2009-07-13 17:33 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-04-10 09:29 - 2009-07-13 17:16 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-04-10 09:29 - 2009-07-13 17:14 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-04-10 09:29 - 2009-07-13 17:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-04-10 08:09 - 2012-04-08 06:55 - 0243824 ____A C:\Users\Caleb\Desktop\D1334074120.pdf
2012-04-10 07:38 - 2011-08-27 07:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FB66730E-764B-4C34-BE5C-A29B36E59491}
2012-04-10 07:37 - 2009-11-11 11:06 - 0000000 ____D C:\Users\Caleb\AppData\Local\{33127D64-FAAC-4EFD-8B27-284202E6F9FB}
2012-04-08 06:55 - 2011-10-10 16:08 - 0011028 ____A C:\Users\Caleb\Desktop\Contract 2.docx
2012-04-08 06:50 - 2012-03-07 19:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CBC24B69-70D6-4E48-9947-F65784889E5E}
2012-04-08 06:50 - 2011-05-27 04:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{103362D0-9D5A-49A4-8F6A-18B763F93DFB}
2012-04-08 06:42 - 2012-04-10 10:44 - 0000000 ____D C:\Program Files\iPod
2012-04-08 06:42 - 2012-04-08 06:42 - 0000000 ____D C:\Program Files\iTunes
2012-04-07 19:06 - 2012-03-18 23:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4A81A784-7E12-4895-A77B-D89D7CDE0979}
2012-04-06 22:29 - 2011-12-11 07:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{1351519B-BE2F-443A-86F0-63F39E121177}
2012-04-06 22:29 - 2011-06-25 06:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{ABAF41EE-47E0-4DE4-9AAD-3168AE0D83DE}
2012-04-06 22:28 - 2012-01-11 20:08 - 0000000 ____D C:\Windows\en
2012-04-06 22:25 - 2011-03-09 12:51 - 0000000 ____D C:\Program Files\Windows Live
2012-04-06 22:20 - 2011-11-06 20:05 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B92EBD37-5DA3-49FD-B63E-A5B2D7400E92}
2012-04-06 22:20 - 2011-10-22 06:10 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3E7034FC-8C6B-4A7D-B057-A72629D6438C}
2012-04-06 14:22 - 2012-04-14 19:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B6079E04-AC53-411D-8896-F089B33C5FD4}
2012-04-06 14:22 - 2011-10-20 13:28 - 0000000 ____D C:\Users\Caleb\AppData\Local\{18F7CE18-6BAD-49F6-B3DB-3A00CEC34D13}
2012-04-06 10:18 - 2012-03-28 11:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{40C45008-69EA-4FE5-8C4F-EE1CB6962349}
2012-04-06 10:18 - 2012-01-06 23:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{000A181E-8DEB-4F86-B2CD-E2066AC6B13F}
2012-04-04 20:38 - 2012-02-24 23:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8F867343-4454-4AE5-97EA-CB66B8CC300E}
2012-04-04 20:38 - 2011-06-24 05:44 - 0000000 ____D C:\Users\Caleb\AppData\Local\{743783A6-CAF4-41C7-B62B-C1B4D254027D}
2012-04-04 19:01 - 2012-03-28 11:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{63325AF5-C349-4B13-ABFC-73403447301E}
2012-04-04 18:47 - 2011-08-02 20:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C231530C-0D36-4B38-9B09-E5B18AC7CA5B}
2012-04-04 00:14 - 2011-05-18 20:42 - 0000000 ____D C:\Users\Caleb\AppData\Local\{24532CAF-D2CD-4A6C-B4FD-B8549096DD16}
2012-04-03 15:24 - 2011-12-29 04:28 - 0000000 ____D C:\Users\Caleb\AppData\Local\{DDE45303-16E9-467C-AADE-A6EF8219A390}
2012-04-03 15:24 - 2011-05-05 11:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FDD874D7-DA45-4AA4-9F0C-382A41C4C2EC}
2012-04-03 08:40 - 2012-03-26 12:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5461D794-BB73-4853-BECC-93AC43AB911F}
2012-04-03 08:39 - 2011-10-13 18:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A9EFEFBB-3B72-4739-8A25-C2C9CEAB31D9}
2012-04-02 20:09 - 2012-04-22 20:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5B296E1C-7344-4311-AA80-869F588D3052}
2012-04-02 20:09 - 2011-06-20 18:39 - 0000000 ____D C:\Users\Caleb\AppData\Local\{BC03DECB-9DB0-4786-9D9B-7F3A170347FA}
2012-04-02 03:59 - 2012-04-13 20:59 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-02 03:45 - - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-02 03:44 - 2009-07-13 17:14 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-01 23:21 - 2011-10-03 10:54 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9FDC32D8-9BE3-4B82-BAE3-643E862213F6}
2012-04-01 18:41 - 2012-03-02 14:35 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7BDABE43-D63C-478E-8215-5AA9027B50E5}
2012-04-01 18:41 - 2011-10-21 06:00 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CEBEE2A6-2CAB-43F7-B316-ECB4696464F6}
2012-04-01 13:30 - 2011-06-15 19:52 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6A8A9DA9-9F3D-48FE-A1A7-1B2F9AEA71BC}
2012-04-01 13:30 - 2011-05-16 06:23 - 0000000 ____D C:\Users\Caleb\AppData\Local\{98360B09-AA61-4B3B-B779-2803BC9D7D99}
2012-04-01 13:00 - 2011-12-30 22:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{45253104-7437-495F-B1ED-A401D0A51633}
2012-04-01 12:59 - 2011-11-30 18:05 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D4F8CBAB-48C1-4DC0-AB24-AF8088616EA7}
2012-04-01 10:03 - 2012-04-22 20:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{899546A1-0676-4949-888C-FEA6652B7514}
2012-04-01 10:03 - 2012-04-14 03:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E62FCFE0-FEDA-4BA2-952D-DE19A1537C8C}
2012-03-30 21:02 - 2012-03-15 11:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{07D53A93-EF44-446A-9CCC-A6CD4564FC34}
2012-03-30 21:02 - 2011-12-20 06:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C6CAFE9C-D6DF-4BC3-9446-71255A121CCB}
2012-03-30 07:16 - 2011-11-22 14:48 - 0000000 ____D C:\Users\Caleb\AppData\Local\{61EBEE71-37F9-46CA-998F-AAC0AE87111B}
2012-03-28 11:37 - 2012-01-29 14:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{407230E5-55A3-4C8A-80BF-8BE30B0A4ED6}
2012-03-28 11:37 - 2011-12-18 05:54 - 0000000 ____D C:\Users\Caleb\AppData\Local\{63117794-EE6D-4820-BD7E-B657F80C65C0}
2012-03-26 12:50 - 2012-02-14 05:15 - 0000000 ____D C:\Users\Caleb\AppData\Local\{54521E06-1AC3-4E20-96C2-4897FC2D8635}
2012-03-26 12:50 - 2011-12-20 18:49 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D7E9140B-DF47-4C84-8A8B-35910302AE03}
2012-03-26 10:45 - 2011-10-10 15:13 - 24417978 ____A C:\Users\Caleb\Desktop\stupid comments.mp3
2012-03-25 13:53 - 2012-01-21 09:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A481EDF3-2E58-4C86-ABD7-86C6E14F35B5}
2012-03-25 13:53 - 2011-12-27 13:11 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6FEDF100-5432-4190-B436-D41AA08795B0}


============ 3 Months Modified Files and Folders =============

2012-04-23 14:21 - 2012-04-23 14:20 - 0000000 ____D C:\FRST
2012-04-23 10:17 - 2009-11-11 00:47 - 1207947 ____A C:\Windows\WindowsUpdate.log
2012-04-23 10:16 - 2010-08-03 10:18 - 0000000 ____D C:\Users\All Users\Lx_cats
2012-04-23 10:16 - 2010-08-03 10:18 - 0000000 ____D C:\ProgramData\Lx_cats
2012-04-23 10:12 - 2009-07-13 21:13 - 0822284 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-23 10:11 - 2012-04-23 10:11 - 0000000 ____D C:\Users\Caleb\Desktop\New folder
2012-04-23 10:09 - 2012-04-23 10:09 - 0050000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\uiubjasm.sys
2012-04-23 10:02 - 2009-07-13 20:45 - 0013472 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-23 10:02 - 2009-07-13 20:45 - 0013472 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-23 09:59 - 2012-04-02 03:45 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-23 09:56 - 2012-04-19 22:58 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-04-23 09:55 - 2009-11-11 00:44 - 3219988480 __ASH C:\hiberfil.sys
2012-04-23 09:55 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-23 09:55 - 2009-07-13 20:51 - 0227724 ____A C:\Windows\setupact.log
2012-04-22 20:43 - 2012-04-22 20:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{897F5E73-C430-48F5-B9BD-756638C5A8F2}
2012-04-22 20:43 - 2012-04-22 20:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5AFFEAFD-1351-4995-BB21-85CD74B78590}
2012-04-22 20:43 - 2010-10-21 08:19 - 0000000 ____D C:\Users\Caleb\AppData\Local\Windows Live
2012-04-22 20:29 - 2010-06-05 07:23 - 0000000 ____D C:\Users\Caleb\AppData\Roaming\Skype
2012-04-21 21:18 - 2012-04-21 21:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AF99E0A6-5948-4318-9742-DA6AD1FFEE43}
2012-04-21 21:18 - 2012-04-21 21:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{67696A9D-58B4-4137-BED3-8A2EAAEF983C}
2012-04-21 21:14 - 2009-11-11 09:27 - 0104716 ____A C:\Windows\PFRO.log
2012-04-21 21:11 - 2012-04-21 21:08 - 0128386 ____A C:\TDSSKiller.2.7.31.0_22.04.2012_01.08.55_log.txt
2012-04-21 21:04 - 2012-04-21 20:55 - 0129908 ____A C:\TDSSKiller.2.7.31.0_22.04.2012_00.55.14_log.txt
2012-04-21 20:59 - 2012-03-21 20:22 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-04-21 07:13 - 2010-02-08 17:28 - 136523982 ____A C:\Windows\ntbtlog.txt
2012-04-21 02:54 - 2009-11-11 05:23 - 0000000 ____D C:\users\Caleb
2012-04-21 02:52 - 2012-04-20 10:38 - 0000000 ___SD C:\ComboFix
2012-04-21 02:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-04-21 01:35 - 2012-04-21 01:32 - 0128950 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.32.49_log.txt
2012-04-21 01:30 - 2012-04-21 01:28 - 0129886 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.28.11_log.txt
2012-04-21 01:23 - 2012-04-21 01:15 - 0131196 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.15.24_log.txt
2012-04-21 01:22 - 2012-04-20 10:38 - 0000000 ___SD C:\32788R22FWJFW
2012-04-21 01:22 - 2012-03-21 20:49 - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-21 01:22 - 2011-12-27 16:09 - 0000000 ____D C:\Windows\ERDNT
2012-04-21 01:22 - 2011-11-25 14:56 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-21 01:22 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-04-20 22:56 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-20 15:50 - 2012-04-20 21:33 - 2072624 ____A (Kaspersky Lab ZAO) C:\Users\Caleb\Desktop\TDSSKiller.exe
2012-04-20 15:21 - 2009-07-13 23:45 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-04-20 15:15 - 2012-04-20 15:15 - 0017806 ____A C:\ComboFix.txt
2012-04-20 15:15 - 2012-04-20 10:38 - 0000000 ____D C:\Qoobox
2012-04-20 15:06 - 2009-07-13 18:34 - 80740352 ____A C:\Windows\System32\config\software.bak
2012-04-20 15:06 - 2009-07-13 18:34 - 20185088 ____A C:\Windows\System32\config\system.bak
2012-04-20 15:06 - 2009-07-13 18:34 - 0282624 ____A C:\Windows\System32\config\default.bak
2012-04-20 15:06 - 2009-07-13 18:34 - 0065536 ____A C:\Windows\System32\config\sam.bak
2012-04-20 15:06 - 2009-07-13 18:34 - 0028672 ____A C:\Windows\System32\config\security.bak
2012-04-20 13:16 - 2012-04-20 13:16 - 0001117 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-19 21:52 - 2012-04-19 21:52 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C1B5AA9D-700E-4E16-AF70-60A550EA568C}
2012-04-18 16:17 - 2011-06-12 13:08 - 0000000 ____D C:\Users\Caleb\AppData\Roaming\Mumble
2012-04-18 13:57 - 2012-04-18 13:57 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4BF9294E-512C-44F6-AD3A-F898162AE26D}
2012-04-18 13:57 - 2012-04-18 13:56 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FB0B8027-C3CC-45CC-85ED-5A87415225CD}
2012-04-17 16:59 - 2012-04-17 16:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F6CBA245-2B4D-4A33-A999-3DB24E7E3DDF}
2012-04-17 16:59 - 2012-04-17 16:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AAB56D53-4CA4-4B9C-91AE-EDB418D40190}
2012-04-17 06:29 - 2012-04-17 06:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{001D91DC-7553-42E1-B3A5-0B89BC30E608}
2012-04-14 19:55 - 2012-04-14 19:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F025D07D-A864-4356-A0B0-DC2F2CC92213}
2012-04-14 19:55 - 2012-04-14 19:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B5F7D970-ADCC-4894-AE5B-3F35BF1AA03B}
2012-04-14 03:31 - 2012-04-14 03:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E61EB7F1-F402-4E3A-9A81-0E36116F2EF4}
2012-04-14 03:30 - 2012-04-14 03:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8B75F9B2-F4A3-4F39-AC87-3BFE9BCD77B7}
2012-04-13 20:59 - 2012-04-02 03:59 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-13 20:59 - 2012-04-02 03:44 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-13 20:59 - 2011-05-19 08:13 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-11 04:45 - 2012-04-11 04:45 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8566D7C8-51B2-4B84-835F-CB8BE74C41D6}
2012-04-11 04:45 - 2012-04-11 04:45 - 0000000 ____D C:\Users\Caleb\AppData\Local\{27664A51-4315-4EC6-95F6-F2B817CDA96D}
2012-04-10 09:36 - 2009-11-11 19:33 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-10 09:36 - 2009-11-11 19:33 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-10 09:30 - 2009-11-11 05:31 - 57249312 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-10 08:09 - 2012-04-10 08:09 - 0243824 ____A C:\Users\Caleb\Desktop\D1334074120.pdf
2012-04-10 07:38 - 2012-04-10 07:38 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FB66730E-764B-4C34-BE5C-A29B36E59491}
2012-04-10 07:38 - 2012-04-10 07:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{33127D64-FAAC-4EFD-8B27-284202E6F9FB}
2012-04-08 06:55 - 2012-04-08 06:55 - 0011028 ____A C:\Users\Caleb\Desktop\Contract 2.docx
2012-04-08 06:51 - 2012-04-08 06:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{103362D0-9D5A-49A4-8F6A-18B763F93DFB}
2012-04-08 06:50 - 2012-04-08 06:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CBC24B69-70D6-4E48-9947-F65784889E5E}
2012-04-08 06:43 - 2012-04-08 06:42 - 0000000 ____D C:\Program Files\iTunes
2012-04-08 06:42 - 2012-04-08 06:42 - 0000000 ____D C:\Program Files\iPod
2012-04-07 19:06 - 2012-04-07 19:06 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4A81A784-7E12-4895-A77B-D89D7CDE0979}
2012-04-06 22:29 - 2012-04-06 22:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{ABAF41EE-47E0-4DE4-9AAD-3168AE0D83DE}
2012-04-06 22:29 - 2012-04-06 22:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{1351519B-BE2F-443A-86F0-63F39E121177}
2012-04-06 22:28 - 2012-04-06 22:28 - 0000000 ____D C:\Windows\en
2012-04-06 22:26 - 2009-11-11 07:49 - 0000000 ____D C:\Program Files (x86)\Windows Live
2012-04-06 22:25 - 2012-04-06 22:25 - 0000000 ____D C:\Program Files\Windows Live
2012-04-06 22:23 - 2009-11-11 06:57 - 0372793 ____A C:\Windows\DirectX.log
2012-04-06 22:20 - 2012-04-06 22:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B92EBD37-5DA3-49FD-B63E-A5B2D7400E92}
2012-04-06 22:20 - 2012-04-06 22:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3E7034FC-8C6B-4A7D-B057-A72629D6438C}
2012-04-06 14:22 - 2012-04-06 14:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B6079E04-AC53-411D-8896-F089B33C5FD4}
2012-04-06 14:22 - 2012-04-06 14:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{18F7CE18-6BAD-49F6-B3DB-3A00CEC34D13}
2012-04-06 10:19 - 2012-04-06 10:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{40C45008-69EA-4FE5-8C4F-EE1CB6962349}
2012-04-06 10:18 - 2012-04-06 10:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{000A181E-8DEB-4F86-B2CD-E2066AC6B13F}
2012-04-04 20:38 - 2012-04-04 20:38 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8F867343-4454-4AE5-97EA-CB66B8CC300E}
2012-04-04 20:38 - 2012-04-04 20:38 - 0000000 ____D C:\Users\Caleb\AppData\Local\{743783A6-CAF4-41C7-B62B-C1B4D254027D}
2012-04-04 19:01 - 2012-04-04 19:01 - 0000000 ____D C:\Users\Caleb\AppData\Local\{63325AF5-C349-4B13-ABFC-73403447301E}
2012-04-04 18:47 - 2012-04-04 18:47 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C231530C-0D36-4B38-9B09-E5B18AC7CA5B}
2012-04-04 11:56 - 2010-02-08 17:39 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-04 00:14 - 2012-04-04 00:14 - 0000000 ____D C:\Users\Caleb\AppData\Local\{24532CAF-D2CD-4A6C-B4FD-B8549096DD16}
2012-04-03 15:24 - 2012-04-03 15:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FDD874D7-DA45-4AA4-9F0C-382A41C4C2EC}
2012-04-03 15:24 - 2012-04-03 15:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{DDE45303-16E9-467C-AADE-A6EF8219A390}
2012-04-03 08:40 - 2012-04-03 08:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5461D794-BB73-4853-BECC-93AC43AB911F}
2012-04-03 08:40 - 2012-04-03 08:39 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A9EFEFBB-3B72-4739-8A25-C2C9CEAB31D9}
2012-04-02 20:09 - 2012-04-02 20:09 - 0000000 ____D C:\Users\Caleb\AppData\Local\{BC03DECB-9DB0-4786-9D9B-7F3A170347FA}
2012-04-02 20:09 - 2012-04-02 20:09 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5B296E1C-7344-4311-AA80-869F588D3052}
2012-04-01 23:21 - 2012-04-01 23:21 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9FDC32D8-9BE3-4B82-BAE3-643E862213F6}
2012-04-01 18:41 - 2012-04-01 18:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CEBEE2A6-2CAB-43F7-B316-ECB4696464F6}
2012-04-01 18:41 - 2012-04-01 18:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7BDABE43-D63C-478E-8215-5AA9027B50E5}
2012-04-01 13:30 - 2012-04-01 13:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{98360B09-AA61-4B3B-B779-2803BC9D7D99}
2012-04-01 13:30 - 2012-04-01 13:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6A8A9DA9-9F3D-48FE-A1A7-1B2F9AEA71BC}
2012-04-01 13:00 - 2012-04-01 13:00 - 0000000 ____D C:\Users\Caleb\AppData\Local\{45253104-7437-495F-B1ED-A401D0A51633}
2012-04-01 13:00 - 2012-04-01 12:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D4F8CBAB-48C1-4DC0-AB24-AF8088616EA7}
2012-04-01 10:04 - 2012-04-01 10:03 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E62FCFE0-FEDA-4BA2-952D-DE19A1537C8C}
2012-04-01 10:03 - 2012-04-01 10:03 - 0000000 ____D C:\Users\Caleb\AppData\Local\{899546A1-0676-4949-888C-FEA6652B7514}
2012-03-30 21:02 - 2012-03-30 21:02 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C6CAFE9C-D6DF-4BC3-9446-71255A121CCB}
2012-03-30 21:02 - 2012-03-30 21:02 - 0000000 ____D C:\Users\Caleb\AppData\Local\{07D53A93-EF44-446A-9CCC-A6CD4564FC34}
2012-03-30 20:57 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-03-30 07:16 - 2012-03-30 07:16 - 0000000 ____D C:\Users\Caleb\AppData\Local\{61EBEE71-37F9-46CA-998F-AAC0AE87111B}
2012-03-29 19:54 - 2011-08-13 09:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\Fallout3
2012-03-28 11:37 - 2012-03-28 11:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{63117794-EE6D-4820-BD7E-B657F80C65C0}
2012-03-28 11:37 - 2012-03-28 11:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{407230E5-55A3-4C8A-80BF-8BE30B0A4ED6}
2012-03-27 10:10 - 2011-08-24 07:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\dxhr
2012-03-26 12:50 - 2012-03-26 12:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D7E9140B-DF47-4C84-8A8B-35910302AE03}
2012-03-26 12:50 - 2012-03-26 12:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{54521E06-1AC3-4E20-96C2-4897FC2D8635}
2012-03-26 10:45 - 2012-03-26 10:45 - 24417978 ____A C:\Users\Caleb\Desktop\stupid comments.mp3
2012-03-25 13:53 - 2012-03-25 13:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A481EDF3-2E58-4C86-ABD7-86C6E14F35B5}
2012-03-25 13:53 - 2012-03-25 13:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6FEDF100-5432-4190-B436-D41AA08795B0}
2012-03-23 12:22 - 2012-03-23 12:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E89B1DD6-49EE-4016-965D-B37374CDE176}
2012-03-23 12:22 - 2012-03-23 12:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CD4AE716-22F3-4A37-BC3C-7CEEA62C029C}
2012-03-22 16:15 - 2009-07-13 21:08 - 0032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-22 06:13 - 2012-03-22 06:13 - 0000000 ____D C:\Users\Caleb\AppData\Local\{994A7B38-BD07-473B-9761-0B064A0B43CD}
2012-03-21 20:44 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-03-21 20:27 - 2010-06-11 05:57 - 0000000 ____D C:\Users\Caleb\AppData\Local\ElevatedDiagnostics
2012-03-21 20:11 - 2010-02-08 17:28 - 0000000 ____D C:\Windows\Minidump
2012-03-21 20:10 - 2010-02-08 17:28 - 549705721 ____A C:\Windows\MEMORY.DMP
2012-03-21 20:09 - 2012-01-11 12:10 - 0000000 ____D C:\RBin
2012-03-21 19:41 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sysprep
2012-03-21 10:10 - 2010-07-28 21:34 - 0000000 ____D C:\Program Files (x86)\StarCraft II
2012-03-20 12:32 - 2012-03-20 12:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{00CC2DF1-D7B6-4080-B347-7F594D9B2A56}
2012-03-20 12:32 - 2012-03-20 12:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0A74C6B7-ABAA-4935-8DDA-496FD781928F}
2012-03-19 18:08 - 2012-03-19 18:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{454416DA-6615-474D-BDD8-05EC0D1BBCF1}
2012-03-19 18:08 - 2012-03-19 18:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3FF35D8A-C029-45A3-BD55-9B35B4E6A9FC}
2012-03-19 08:09 - 2012-01-09 12:47 - 0000000 ___RD C:\Program Files (x86)\Skype
2012-03-18 23:24 - 2012-03-18 23:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4AA5734C-38F6-492F-96A5-4B267378708E}
2012-03-18 23:24 - 2012-03-18 23:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{49D032E5-D248-4434-9DBB-58580DD684D6}
2012-03-18 09:10 - 2012-03-18 09:10 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E3502CDE-8340-47EC-9324-12CA54503929}
2012-03-16 08:56 - 2012-03-16 08:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3B498582-386B-41A4-9F89-A95AD5EE2702}
2012-03-16 08:55 - 2012-03-16 08:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0DDB115F-6D15-4F27-BE14-4CB48A00023D}
2012-03-15 11:34 - 2012-03-15 11:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{07CD6C18-F8D7-4179-98D7-73622B17DD6B}
2012-03-14 12:58 - 2012-02-28 10:49 - 0000000 ____D C:\Users\Caleb\AppData\Roaming\FileZilla
2012-03-14 12:08 - 2012-03-14 12:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5FAE2935-5013-4462-9B0D-2181F05236E5}
2012-03-14 12:07 - 2012-03-14 12:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5CC54FB2-8127-4E17-BFE7-01EB80E8466F}
2012-03-14 09:29 - 2009-07-13 20:45 - 0413312 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-13 13:57 - 2012-03-13 13:57 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C8DBB023-F936-4D3A-83FB-181CFCAFA26B}
2012-03-12 05:08 - 2012-03-12 05:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E57DD82D-2F0B-44D8-B0E4-8D1624F169BE}
2012-03-12 05:08 - 2012-03-12 05:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{832AF57D-90FF-41C2-A317-36E33CC27436}
2012-03-11 09:36 - 2012-03-11 09:36 - 0000000 ____D C:\Users\Caleb\AppData\Local\{665E9097-5F42-4B8B-BC54-2ABD11BACD1C}
2012-03-11 09:36 - 2012-03-11 09:35 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8FB53FE3-056B-49EA-A860-C51918BAF0AB}
2012-03-10 08:59 - 2012-03-10 08:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D8B26965-E1CF-4424-9307-5235925309C9}
2012-03-10 08:59 - 2012-03-10 08:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{700C2071-1158-4335-8330-4EDD8009F839}
2012-03-09 09:50 - 2012-03-09 09:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C8844FA0-E205-4FA1-BE42-4FBCA078DBC4}
2012-03-09 09:50 - 2012-03-09 09:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6D49C98E-F542-4562-9D20-5BB4673D2F0E}
2012-03-08 14:45 - 2012-03-08 14:45 - 0000000 ____D C:\Users\Caleb\AppData\Local\{86BC0CA9-CB4D-4706-8D7E-0EE891E7F1E9}
2012-03-08 14:45 - 2012-03-08 14:44 - 0000000 ____D C:\Users\Caleb\AppData\Local\{2F68171D-1989-4692-BF12-D8B3466D8854}
2012-03-08 14:37 - 2012-03-08 14:37 - 0302448 ____A (Microsoft Corporation) C:\Windows\WLXPGSS.SCR
2012-03-07 19:51 - 2012-03-07 19:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{48FBF54E-2BD2-4417-8C0A-E244A423E94D}
2012-03-07 19:50 - 2012-03-07 19:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CB42AA3B-357F-411D-8A70-37F4B3C40724}
2012-03-07 07:41 - 2012-03-07 07:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{458C1E8D-91DD-4CBF-AB0F-69E0A2797221}
2012-03-06 08:05 - 2012-03-06 08:05 - 0011348 ____A C:\Users\Caleb\Desktop\Drink Receipes.docx
2012-03-05 22:53 - 2012-04-10 09:33 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-05 21:59 - 2012-04-10 09:33 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-05 21:59 - 2012-04-10 09:33 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-05 13:37 - 2012-03-05 13:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{2C2EFBB1-E77C-4035-8817-E7DD301DA8B3}
2012-03-05 13:37 - 2012-03-05 13:36 - 0000000 ____D C:\Users\Caleb\AppData\Local\{99A842D5-25FC-4E8E-893E-E9673664FC06}
2012-03-05 08:27 - 2012-03-05 08:27 - 0000000 ____D C:\Users\Caleb\AppData\Local\{035C0F5E-4025-4450-9DCD-B7B7D1D17415}
2012-03-03 08:40 - 2012-03-03 08:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{502C534C-23AA-4ACF-9BCA-58E1E5B4DD2E}
2012-03-02 14:35 - 2012-03-02 14:35 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7B291BD5-B96B-4E80-A01D-9A82A393D8D7}
2012-03-02 14:35 - 2012-03-02 14:35 - 0000000 ____D C:\Users\Caleb\AppData\Local\{25E0BD72-A269-4833-B90D-C0EC81831D44}
2012-02-29 22:46 - 2012-04-10 09:29 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-10 09:29 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-10 09:29 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-10 09:29 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-10 09:29 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-10 09:29 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-10 09:29 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-28 11:19 - 2012-02-28 11:19 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8B3F767D-09EB-41D5-8933-E4220808AE50}
2012-02-28 11:19 - 2012-02-28 11:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C5E5EDC5-73EE-4A80-B76F-352B0BD14F00}
2012-02-28 10:49 - 2012-02-28 10:49 - 0002008 ____A C:\Users\Public\Desktop\FileZilla Client.lnk
2012-02-28 10:49 - 2012-02-28 10:49 - 0000000 ____D C:\Program Files (x86)\FileZilla FTP Client
2012-02-27 23:34 - 2012-04-10 09:34 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-10 09:34 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-10 09:34 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-10 09:34 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-10 09:34 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-10 09:34 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-10 09:34 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-10 09:34 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-10 09:34 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-10 09:34 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-10 09:34 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-10 09:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-10 09:34 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 19:58 - 2012-02-27 19:58 - 0000000 ____D C:\Users\Caleb\AppData\Local\{BDCEE914-642C-472B-9173-8D28303BA761}
2012-02-27 17:52 - 2012-04-10 09:34 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-10 09:34 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-10 09:34 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-10 09:34 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-10 09:34 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-10 09:34 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-10 09:34 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-10 09:34 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-10 09:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-10 09:34 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-10 09:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-10 09:34 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-10 09:34 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-27 11:00 - 2012-02-27 11:00 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CA8F30F8-5D26-4B81-87CF-6F12F9D75CF7}
2012-02-26 20:17 - 2012-02-26 20:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D389DED9-8831-47E1-A3B2-5BA82397213B}
2012-02-26 20:17 - 2012-02-26 20:16 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4F788C5C-CD34-4F17-B486-ED7D1AE402C9}
2012-02-26 07:12 - 2012-02-26 07:12 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6A6C6BA1-70D5-47C9-ADFD-1F17EF7DC7F3}
2012-02-25 21:32 - 2012-02-25 21:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{415565AA-2BC0-4C1D-9520-B97E0E148CEE}
2012-02-25 21:32 - 2012-02-25 21:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4D97CF7E-93D7-4A7E-8EC5-B2A073F8EBB6}
2012-02-24 23:54 - 2012-02-24 23:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E310CDA3-2F74-4D88-9F47-55854B1EC8E0}
2012-02-24 23:53 - 2012-02-24 23:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8EF5EB5B-FAC6-43AF-AE93-A6F333F185B1}
2012-02-24 15:25 - 2012-02-24 15:25 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5518FB77-6263-401C-992E-EEAC93486528}
2012-02-23 22:31 - 2012-02-23 22:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9B269811-77A2-400C-A50D-75A78D1CEC89}
2012-02-23 22:30 - 2012-02-23 22:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{73AB4424-56DE-45DD-84EF-16A2BDA34F33}
2012-02-23 06:18 - 2009-11-11 05:31 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-22 09:08 - 2012-02-22 09:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3499590D-BF9B-4A96-81FD-4B394DFAF017}
2012-02-22 09:08 - 2012-02-22 09:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F5D01D62-A121-4180-9A3E-4D85147C48F6}
2012-02-22 09:05 - 2012-01-17 10:26 - 0000003 ____A C:\Windows\System32\HRUPPROG.TXT
2012-02-22 09:05 - 2012-01-04 10:39 - 0000000 ____D C:\Program Files (x86)\Hi-Rez Studios
2012-02-21 16:48 - 2012-02-21 16:48 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A7E2CC87-34B8-445A-9B2B-F3212D8B1D3D}
2012-02-21 16:48 - 2012-02-21 16:48 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A1481DD1-8631-4BF8-8FB4-C3C3D854E5C5}
2012-02-21 09:46 - 2012-02-21 09:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FCAB3F42-A8FF-4C3E-AB4E-12D356565462}
2012-02-21 09:46 - 2012-02-21 09:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9CE3876E-3188-444B-884D-F20953994433}
2012-02-20 11:46 - 2012-02-20 11:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E39D2C17-6DE6-45D9-A1B3-BF84870786E1}
2012-02-20 11:46 - 2012-02-20 11:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{DB400641-4192-41A0-AE5B-3F2778B6E5FB}
2012-02-19 16:51 - 2012-02-19 16:51 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7CDF5775-B81D-4446-ACB8-46007FC5E54B}
2012-02-19 16:51 - 2012-02-19 16:51 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3352E7B3-7FC1-4A80-97AC-7399DCF138EC}
2012-02-18 20:34 - 2012-02-18 20:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F1A175BA-3759-4C06-B7A3-0E4709D73C4B}
2012-02-18 20:34 - 2012-02-18 20:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A7BC8E3F-BA28-459F-96C4-AF16E2835788}
2012-02-18 05:28 - 2012-02-18 05:28 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D2EC24E8-881D-42D0-8693-E9ECC6B4FD94}
2012-02-18 05:28 - 2012-02-18 05:28 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4DEF3D0D-F5C6-490F-91B6-0C86CD564F26}
2012-02-18 05:21 - 2010-06-05 07:23 - 0000000 ____D C:\Users\All Users\Skype
2012-02-18 05:21 - 2010-06-05 07:23 - 0000000 ____D C:\ProgramData\Skype
2012-02-17 21:49 - 2012-02-17 21:49 - 0000000 ____D C:\Users\Caleb\AppData\Local\{732F6CB6-88FC-4DEC-B5B5-FEE4F2AF2D84}
2012-02-17 09:50 - 2012-02-17 09:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A8EDA8C1-9450-4E53-9C20-40C558C62624}
2012-02-16 22:38 - 2012-03-14 06:50 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-14 06:50 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-14 06:50 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-14 06:50 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-16 05:28 - 2009-11-11 05:23 - 0000174 ___SH C:\Users\Caleb\Start Menu\Programs\Startup\desktop.ini
2012-02-16 05:28 - 2009-11-11 05:23 - 0000174 ___SH C:\Users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-15 21:25 - 2009-12-02 20:12 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-02-15 20:15 - 2012-02-15 20:15 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0FDB4584-5004-436A-9457-0615D1AFEEB3}
2012-02-15 07:01 - 2012-02-15 07:01 - 4547944 ____A (Apple, Inc.) C:\Windows\System32\usbaaplrc.dll
2012-02-15 07:01 - 2012-02-15 07:01 - 0052736 ____A (Apple, Inc.) C:\Windows\System32\Drivers\usbaapl64.sys
2012-02-14 05:15 - 2012-02-14 05:15 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F64A9700-26F1-4FA4-BFA8-F7BCD8952B04}
2012-02-14 05:15 - 2012-02-14 05:14 - 0000000 ____D C:\Users\Caleb\AppData\Local\{530E57E2-A658-4CA2-BEC8-8C0EEEC06799}
2012-02-10 21:37 - 2012-02-10 21:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{50460B86-AA3A-4980-A4E6-2531A83496BC}
2012-02-10 21:37 - 2012-02-10 21:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0DDC3D27-E1F5-4ED6-A446-DB9002E62594}
2012-02-09 22:36 - 2012-03-14 06:51 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-14 06:51 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-08 08:53 - 2012-02-08 08:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C4989C0B-B6D0-4ED3-9476-CCCA0827EC25}
2012-02-08 08:53 - 2012-02-08 08:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A9FD91B1-E575-4435-83DD-7D9083BEA1D1}
2012-02-07 10:39 - 2012-02-07 10:39 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E8F68DB0-6984-423C-AD07-1DF70764C6EE}
2012-02-07 10:39 - 2012-02-07 10:39 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B41D7352-B8F8-430E-A832-47BBED4E5426}
2012-02-07 07:02 - 2012-02-07 07:02 - 1070352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2012-02-06 20:31 - 2012-02-06 20:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6D93DB27-F02B-4948-AC78-F849260EF1D3}
2012-02-06 20:31 - 2012-02-06 20:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{13804897-162D-4046-B990-F8A072FA29BC}
2012-02-06 11:57 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-02-06 07:15 - 2012-02-06 07:15 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0193E0CD-C141-479C-A37F-838DE529C714}
2012-02-04 20:17 - 2012-02-04 20:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{424BEAB5-37CC-4916-9BA2-E00A689E124A}
2012-02-03 11:44 - 2012-02-03 11:44 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D56A7151-EFFA-44D0-8CF5-362A067453FD}
2012-02-03 11:44 - 2012-02-03 11:44 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7832198E-42B3-4679-9273-5E466B35A1B4}
2012-02-02 20:34 - 2012-03-14 06:51 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-01 12:17 - 2012-02-01 12:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{EE41CF8F-F009-4B13-A877-CD84639EFEB8}
2012-02-01 12:17 - 2012-02-01 12:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{36390932-558D-45B0-99A1-D1DD4BF4C76E}
2012-01-31 19:33 - 2012-01-31 19:33 - 0000000 ____D C:\Users\Caleb\Documents\Electronic Arts
2012-01-31 19:33 - 2012-01-31 19:33 - 0000000 ____D C:\Users\Caleb\AppData\Local\Electronic Arts
2012-01-31 19:31 - 2012-01-31 19:31 - 0000000 ____D C:\Users\Caleb\Documents\Electrontic Arts
2012-01-31 08:25 - 2012-01-31 08:25 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C4F19734-C7D7-4D45-ABA6-FCBE82AD8FAB}
2012-01-31 08:25 - 2012-01-31 08:25 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6A1BD776-6912-4213-A33D-97CA598DF3F2}
2012-01-30 13:06 - 2012-01-30 13:06 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9A30D9AB-6B8F-480F-9770-2A993E38CE7F}
2012-01-30 13:06 - 2012-01-30 13:06 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5108FBF8-678E-41C1-9290-C221F0F76498}
2012-01-29 14:40 - 2012-01-29 14:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FFAA5885-2B34-4996-B6BD-315CAF418093}
2012-01-29 14:40 - 2012-01-29 14:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{404AA8F1-E90B-4786-A08E-B3953765D62B}
2012-01-29 14:23 - 2012-01-29 14:23 - 0000000 ____D C:\Users\Caleb\AppData\Local\{725A164A-66B6-4BA5-8F65-BB2478FDA677}
2012-01-29 07:22 - 2012-01-29 07:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B26DB58F-7353-4C7C-87C4-31E118B81DC2}
2012-01-28 20:42 - 2012-01-28 20:42 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E5C8CD2A-2271-4CF7-A887-2C67428DC585}
2012-01-28 08:42 - 2012-01-28 08:42 - 0000000 ____D C:\Users\Caleb\AppData\Local\{88C92A1A-083B-4ECC-BA77-B36242E677E6}
2012-01-28 08:42 - 2012-01-28 08:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{72B8612E-345A-4AB6-841E-8D7983650B1A}
2012-01-27 12:07 - 2010-08-03 10:10 - 0089049 ____A C:\Windows\System32\LexFiles.ulf
2012-01-27 12:03 - 2012-01-27 12:03 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9AEB290E-2684-42FC-9AE4-A8AD809193B4}
2012-01-27 12:03 - 2012-01-27 12:02 - 0000000 ____D C:\Users\Caleb\AppData\Local\{ED7EAB0F-97A3-4B46-BABA-6651F25A307B}
2012-01-27 07:58 - 2012-01-27 07:58 - 0000000 ____D C:\Users\Caleb\AppData\Local\{477688AE-4384-4D1C-A521-05DCC36F7EB7}
2012-01-26 19:33 - 2012-01-26 19:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AFAB27CE-4152-4F49-891F-9C3109BF39CF}
2012-01-26 19:32 - 2012-01-26 19:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3FBF0D63-7ED5-4736-8596-8345E333271B}
2012-01-26 15:08 - 2012-01-26 15:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{43707FB3-6F4C-4532-93A1-8BE4B94813EF}
2012-01-25 19:33 - 2012-01-25 19:33 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A6AE65B1-106B-4835-95E5-7FF06C26C41B}
2012-01-25 11:59 - 2011-06-05 17:16 - 0000000 ____D C:\Program Files (x86)\Mumble

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4094.43 MB
Available physical RAM: 3509.37 MB
Total Pagefile: 4092.58 MB
Available Pagefile: 3498.36 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (C: Drive) (Fixed) (Total:184.84 GB) (Free:13.94 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (D: Games & Music) (Fixed) (Total:186.31 GB) (Free:37.27 GB) NTFS
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.31 GB) NTFS
5 Drive g: (VICTORIA'S) (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 186 GB 0 B
Disk 1 Online 186 GB 0 B
Disk 2 Online 62 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 184 GB 1501 MB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C C: Drive NTFS Partition 184 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 186 GB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D D: Games & NTFS Partition 186 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 62 MB 0 B

======================================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

======================================================================================================

==========================================================

Last Boot: 2012-04-20 15:33

======================= End Of Log ==========================

#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 23 April 2012 - 04:13 PM

TheProgrammer,

Did you create this?

2012-04-23 10:11 - 2012-04-23 10:11 - 0000000 ____D C:\Users\Caleb\Desktop\New folder
2012-04-23 10:09 - 2012-04-23 10:09 - 0050000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\uiubjasm.sys


Copy the contents of the code box below and paste it into a Notepad document. Save it on the flash drive as fixlist.txt.

SubSystems: [Windows] ==> ZeroAccess
2 timounter; C:\Windows\System32\intelroam.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\intelroam.dll
NETSVC: timounter
Folder: C:\32788R22FWJFW
2012-04-20 06:58:54	0	--sha-w-	C:\Windows\System32\dds_trash_log.cmd

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, as we did previously.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Edited by thcbytes, 23 April 2012 - 04:31 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#7 TheProgramer

TheProgramer
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:New Jersey

Posted 23 April 2012 - 11:13 PM

I created this:

2012-04-23 10:11 - 2012-04-23 10:11 - 0000000 ____D C:\Users\Caleb\Desktop\New folder


I did not create this:

2012-04-23 10:09 - 2012-04-23 10:09 - 0050000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\uiubjasm.sys

I did install a game via a program called Steam; I'm not sure if that created it.


I ran the fix as you suggested, but it did nothing but display this:

Fixing started:
Scanning C:\32788R22FWJFW : C:\32788R22FWJFW\License \iexplore.exe

and the \iexplore.exe kept blinking.

The fix only showed that and the blinking. I left it running for 20 min and it did nothing else, so I figured it wasn't working and restarted it.
So I went to delete C:\Windows\System64 like I do every time I start my computer. It wasn't there.

A log was created. I would have attached it, but even zipped the forum won't let me attach it. So here it is.

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 22-04-2012
Ran by SYSTEM at 2012-04-23 23:38:48 R:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
timounter service deleted successfully.
C:\Windows\System32\intelroam.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs timounter Deleted successfully.

========================= Folder: C:\32788R22FWJFW ========================

2012-04-20 10:38 - 2012-04-21 01:22 - 0000000 ____D () C:\32788R22FWJFW\License
2011-06-25 22:45 - 2011-06-25 22:45 - 0256000 ____A () C:\32788R22FWJFW\License\iexplore.exe
====== End of Folder: ======
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs timounter not found.


This section:

========================= Folder: C:\32788R22FWJFW ========================

2012-04-20 10:38 - 2012-04-21 01:22 - 0000000 ____D () C:\32788R22FWJFW\License
2011-06-25 22:45 - 2011-06-25 22:45 - 0256000 ____A () C:\32788R22FWJFW\License\iexplore.exe
====== End of Folder: ======
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs timounter not found.

repeats too many times to count. It ends with this:

========================= Folder: C:\32788R22FWJFW ========================

====== End of Folder: ======
timounter service not found.
C:\Windows\System32\intelroam.dll not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs timounter not found.

========================= Folder: C:\32788R22FWJFW ========================


Should I run it again and let it run overnight?

Edited by TheProgramer, 23 April 2012 - 11:28 PM.
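The Fixlog posted above repeats the same Folder block pass after pass, and the open question is whether the fix needs to be run again. The parser below is an added example (not FRST's code, nor code from either poster): it reads that "Fix result" layout, pairs each fixlist target with its first and last reported outcome, counts how often each identical Folder block recurs, and notes when the log ends inside a block that never closed. The sample log it runs on is constructed to mirror the posted one.

```python
"""Summarise a Farbar Recovery Scan Tool (FRST) Fixlog.txt.

Added example for this thread, not FRST code and not code posted by either
participant. It reads the 'Fix result' layout of the posted log: one outcome
sentence per fixlist entry plus 'Folder:' blocks, repeated on every pass."""
import re
from collections import Counter, OrderedDict

# Outcome phrases as they appear in the posted log, mapped to short tags.
OUTCOMES = {
    "value was restored": "restored",
    "moved successfully": "moved",
    "deleted successfully": "deleted",
    "not found": "not found",
}
SUCCESS = {"restored", "moved", "deleted"}
ACTION_RE = re.compile(
    r"^(?P<target>.+?)\s+(?P<outcome>" + "|".join(OUTCOMES) + r")\.$", re.IGNORECASE
)
FOLDER_RE = re.compile(r"^=+ Folder: (?P<path>.+?) =+$")
END_RE = re.compile(r"^=+ End of Folder: =+$")

# Constructed sample mirroring the posted Fixlog: one pass that changed things,
# the Folder block repeated three times, a pass where everything is already
# gone, then a Folder header with no closing line (the log was cut off there).
HEADER = (
    "Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 22-04-2012\n"
    "Ran by SYSTEM at 2012-04-23 23:38:48 R:1\nRunning from G:\\\n\n"
    "==============================================\n"
)
PASS_ONE = r"""
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
timounter service deleted successfully.
C:\Windows\System32\intelroam.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs timounter Deleted successfully.
"""
FOLDER_PASS = r"""
========================= Folder: C:\32788R22FWJFW ========================

2012-04-20 10:38 - 2012-04-21 01:22 - 0000000 ____D () C:\32788R22FWJFW\License
2011-06-25 22:45 - 2011-06-25 22:45 - 0256000 ____A () C:\32788R22FWJFW\License\iexplore.exe
====== End of Folder: ======
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs timounter not found.
"""
FINAL_PASS = r"""
========================= Folder: C:\32788R22FWJFW ========================

====== End of Folder: ======
timounter service not found.
C:\Windows\System32\intelroam.dll not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs timounter not found.

========================= Folder: C:\32788R22FWJFW ========================
"""
SAMPLE_FIXLOG = HEADER + PASS_ONE + FOLDER_PASS * 3 + FINAL_PASS


def parse_fixlog(text):
    """Return (actions, blocks, truncated): (target, tag) pairs in log order,
    (folder, entries) per Folder block, and whether the last block never closed."""
    actions, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:  # inside a Folder block: collect until the End line
            if END_RE.match(line):
                blocks.append((current[0], tuple(current[1])))
                current = None
            elif line:
                current[1].append(line)
            continue
        m = FOLDER_RE.match(line)
        if m:
            current = (m.group("path"), [])
            continue
        m = ACTION_RE.match(line)
        if m:
            actions.append((m.group("target"), OUTCOMES[m.group("outcome").lower()]))
    return actions, blocks, current is not None


def summarize(actions, blocks):
    """First and last outcome per target, and a count of each distinct Folder block."""
    first, last = OrderedDict(), {}
    for target, outcome in actions:
        first.setdefault(target, outcome)
        last[target] = outcome
    per_target = OrderedDict((t, (first[t], last[t])) for t in first)
    return per_target, Counter(blocks)


def already_removed(per_target):
    """Targets fixed on an early pass and reported as gone on every later pass."""
    return [t for t, (a, b) in per_target.items() if a in SUCCESS and b == "not found"]
```

On the constructed sample, every fixlist target except the restored registry value goes from a success on the first pass to "not found" afterwards, which is what the repeated blocks in a log like this record.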


#8 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 24 April 2012 - 07:12 PM

TheProgrammer,

We've removed most of the infection, which is why you no longer see the system64 folder. I'm not sure why you saw weird behavior with FRST. It shouldn't take more than a minute or two to scan.

Please download a new version of Combofix from one of these links.
Link 1
Link 2
Link 3
  • Close any open browsers or any other programs that are open.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
  • Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouseclick combofix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason

 



#9 TheProgramer

TheProgramer
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:New Jersey

Posted 24 April 2012 - 08:02 PM

Log attached.

So far everything seems normal. Google no longer redirects! I did notice this process running though, which I don't remember seeing until the virus happened.

FlashUtil32_11_2_202_233_ActiveX.exe *32



Aside from that things seem cool. I'll post if anything else seems odd.

Can I run Spybot S&D and Malwarebytes whenever I want now? I didn't want to run them while we were working through your steps.

Can I change my passwords with this computer now? Is it 100% clean now?

Also a BIG thanks to you for taking the time to help me! I was wondering how I can do the same for others? Do you guys have some sort of apprenticeship thing online where you guys take someone under your wing and teach them how to help others with this stuff?

THANKS!

ComboFix 12-04-24.05 - Caleb 04/24/2012 20:27:11.5.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2701 [GMT -4:00]
Running from: c:\users\Caleb\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-03-25 to 2012-04-25 )))))))))))))))))))))))))))))))
.
.
2012-04-25 00:42 . 2012-04-25 00:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-04-25 00:42 . 2012-04-25 00:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-23 22:20 . 2012-04-24 08:04 -------- d-----w- C:\FRST
2012-04-10 17:33 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-10 17:33 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-10 17:33 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-10 17:29 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-10 17:29 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-10 17:29 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-10 17:29 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-10 17:29 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-10 17:29 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-10 17:29 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-08 14:42 . 2012-04-08 14:43 -------- d-----w- c:\program files\iTunes
2012-04-08 14:42 . 2012-04-08 14:42 -------- d-----w- c:\program files\iPod
2012-04-07 06:28 . 2012-04-07 06:28 -------- d-----w- c:\windows\en
2012-04-07 06:25 . 2012-04-07 06:25 -------- d-----w- c:\program files\Windows Live
2012-04-07 06:21 . 2012-04-07 06:21 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\DSETUP.dll
2012-04-07 06:21 . 2012-04-07 06:21 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\DXSETUP.exe
2012-04-07 06:21 . 2012-04-07 06:21 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\dsetup32.dll
2012-04-02 11:59 . 2012-04-14 04:59 8741536 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-02 11:44 . 2012-04-14 04:59 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 04:59 . 2011-05-19 16:13 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-13 08:46 . 2012-04-25 00:01 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{275F3820-D056-48C3-94CE-5D1B8744CE26}\mpengine.dll
2012-04-04 19:56 . 2010-02-09 01:39 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 17:41 . 2011-11-25 22:35 2068016 ----a-w- c:\users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy\TDSSKiller.exe
2012-03-08 22:37 . 2012-03-08 22:37 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-02-23 14:18 . 2009-11-11 13:31 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-14 14:50 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 14:50 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 14:50 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 14:50 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 15:01 . 2012-02-15 15:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 15:01 . 2012-02-15 15:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-10 06:36 . 2012-03-14 14:51 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 14:51 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34 . 2012-03-14 14:51 3145728 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 21:31 . 2010-06-17 21:31 388608 ----a-w- c:\program files (x86)\HijackThis.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\program files\Steam\steam.exe" [2011-08-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 SASDIFSV;SASDIFSV;c:\users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x]
R2 acrosysbackup_exJ2rTliAtja;Acronis System Backup;c:\windows\system32\wirepots.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [2009-10-16 29184]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-01-31 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 OpenLibSys;OpenLibSys;c:\windows.old\Program Files\NXP\FM Radio\OpenLibSysX64.sys [x]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-02-21 8704]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-16 1039872]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
S3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [x]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 04:59]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://us.blizzard.com/en-us/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Akamai NetSession Interface - c:\users\Caleb\AppData\Local\Akamai\netsession_win.exe
SafeBoot-33335919.sys
SafeBoot-42592890.sys
SafeBoot-81531387.sys
SafeBoot-89216977.sys
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\S-1-5-21-43541578-2147765598-3109653096-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{94943081-4B4A-993C-75CC-FC74C4D1DCF7}*]
"oajccjkbcbldfijnhhifniepgkofhg"=hex:6a,61,6f,66,65,64,6d,6c,67,6f,6e,68,6e,6d,
6b,6b,70,67,64,63,00,00
"nadcimofbniponkogpafpfnilhaa"=hex:6a,61,6f,66,65,64,6d,6c,67,6f,6e,68,6e,6d,
6b,6b,70,67,64,63,00,00
.
[HKEY_USERS\S-1-5-21-43541578-2147765598-3109653096-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,33,67,16,90,8f,0f,fb,58,bb,16,d7,ae,9e,65,ea,b5,73,81,7c,75,ec,e6,
79,6c,a6,4f,b3,a9,42,6f,86,a5,de,ab,b6,51,b4,e8,3e,c1,1c,57,8f,90,4c,47,fa,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38
.
[HKEY_USERS\S-1-5-21-43541578-2147765598-3109653096-1001\Software\SecuROM\License information*]
"datasecu"=hex:22,fb,d6,f1,8c,36,6d,dc,df,4e,23,0c,a8,24,54,ba,4b,0b,86,d8,40,
54,ab,3c,f4,b4,b1,30,62,98,e2,53,1d,98,50,f9,36,62,49,4e,a3,bd,c5,8f,3b,07,\
"rkeysecu"=hex:b3,2c,77,a2,6f,cb,62,cb,72,88,11,47,a3,44,38,09
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-04-24 20:52:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-25 00:52
ComboFix2.txt 2012-04-20 23:15
ComboFix3.txt 2012-04-20 19:05
ComboFix4.txt 2012-03-22 04:47
.
Pre-Run: 12,538,703,872 bytes free
Post-Run: 12,524,486,656 bytes free
.
- - End Of File - - 587F492F31013561BF09C26C808C9B65



Edited by thcbytes, 24 April 2012 - 08:03 PM.


#10 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:04 PM

Posted 24 April 2012 - 08:38 PM

TheProgrammer,

We're not quite done removing malware from your computer. As I stated previously, one or more of the identified infections (ZeroAccess in this case) is a backdoor trojan and password stealer. This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge. Yes, you should change your passwords. I actually recommend regularly changing the password to both your computer, and any other websites you access (particularly ones with sensitive information, like banks).

After we've removed all the malware, I'll outline several recommendations regarding other malware scanners; however, I can't guarantee that your computer will be 100% secure afterwards. Thank you for following my instructions and not running anything not asked for! :)

You're welcome, I'm glad to help! :) BleepingComputer does have a Malware Removal Training program, which I'm actually currently part of. For more information, see here: http://www.bleepingcomputer.com/forums/topic86678.html


Please open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic450881.html

Collect::
C:\Windows\System32\Drivers\uiubjasm.sys

Driver::
uiubjasm

DDS::
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>


Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
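Added example, not part of this thread and not ComboFix's own code: a small Python triage script that reads ComboFix-style log lines like the ones posted above and flags the items a responder checks first. It looks at three things: service and driver lines whose binary is printed as "[x]" in place of a date and size (which I read as ComboFix not finding or not being able to read the file) or that run from a Temp, AppData, ProgramData or windows.old path; ProxyOverride or ProxyServer entries that reference a loopback port, such as the 127.0.0.1:9421 line the CFScript above removes; and UAC policy values that switch prompting off (ConsentPromptBehaviorAdmin = 0 is "elevate without prompting", PromptOnSecureDesktop = 0 keeps prompts off the secure desktop, both as Microsoft documents them). The sample lines are constructed by copying lines from the logs posted in this thread; the line formats and the flagging rules are my assumptions about ComboFix output. A flag means "look at this", not "this is malware": the SASDIFSV driver under %TEMP%, for instance, is SUPERAntiSpyware's own.

```python
"""Triage ComboFix-style log lines: flag services, proxy settings and UAC
policy values worth a second look.  Added example; the line formats and the
rules below are assumptions about ComboFix output, not ComboFix's own logic."""
import re
import sys
from dataclasses import dataclass

# Service/driver line: "<start> <name>;<display>;<path> [<date size>]".  ComboFix
# prints "[x]" instead of a date and size when it cannot read the binary (assumption).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
# Internet Settings line from the supplementary scan, user (u) or machine (m) hive.
PROXY_RE = re.compile(
    r"^(?P<hive>[um])Internet Settings,Proxy(?P<key>Override|Server)\s*=\s*(?P<value>\S.*)$"
)
# UAC values printed from policies\system, e.g.  "ConsentPromptBehaviorAdmin"= 0 (0x0)
POLICY_RE = re.compile(
    r'^"(?P<name>ConsentPromptBehaviorAdmin|PromptOnSecureDesktop|EnableLUA)"\s*=\s*(?P<value>\d+)'
)
LOOPBACK_RE = re.compile(r"(?:127\.0\.0\.1|localhost):(?P<port>\d+)")

# Locations a service or driver binary does not normally run from.  Legitimate
# tools do use them (SUPERAntiSpyware unpacks its drivers into %TEMP%), so a hit
# means "review this", not "this is malware".
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\windows.old\\")

# (value name, value) pairs that weaken UAC, with the documented meaning.
UAC_WEAK = {
    ("ConsentPromptBehaviorAdmin", 0): "administrators elevate without any prompt",
    ("PromptOnSecureDesktop", 0): "elevation prompts are not shown on the secure desktop",
    ("EnableLUA", 0): "UAC is switched off entirely",
}


@dataclass(frozen=True)
class Finding:
    category: str  # "service", "proxy" or "uac"
    subject: str   # service name, Internet Settings value or policy value
    reason: str


def triage(lines):
    """Return a list of Finding objects for the log lines that deserve review."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            name, path = m["name"], m["path"]
            if m["info"] == "x":
                findings.append(Finding("service", name, f"binary not found or unreadable: {path}"))
            low = path.lower()
            if hit := next((d for d in SUSPECT_DIRS if d in low), None):
                where = hit.strip("\\")
                findings.append(Finding("service", name, f"binary under a {where} directory: {path}"))
        elif m := PROXY_RE.match(line):
            # ProxyOverride is the bypass list, ProxyServer the proxy itself; a
            # loopback port in either means a local process sits in the browser's path.
            if lp := LOOPBACK_RE.search(m["value"]):
                subject = f"{m['hive']}Internet Settings,Proxy{m['key']}"
                findings.append(Finding("proxy", subject,
                    f"references loopback port {lp['port']}; check what listens there (netstat -ano): {m['value']}"))
        elif m := POLICY_RE.match(line):
            reason = UAC_WEAK.get((m["name"], int(m["value"])))
            if reason:
                findings.append(Finding("uac", m["name"], f"{m['name']} = {m['value']}: {reason}"))
    return findings


# Constructed sample: lines copied from the ComboFix logs posted earlier in this thread.
SAMPLE_LOG = r"""
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"PromptOnSecureDesktop"= 0 (0x0)
R1 SASDIFSV;SASDIFSV;c:\users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
R2 acrosysbackup_exJ2rTliAtja;Acronis System Backup;c:\windows\system32\wirepots.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 OpenLibSys;OpenLibSys;c:\windows.old\Program Files\NXP\FM Radio\OpenLibSysX64.sys [x]
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
""".strip().splitlines()


def triage_sample():
    """Triage the embedded sample; handy for a quick check of the rules."""
    return triage(SAMPLE_LOG)


def main(argv):
    # With a file argument, triage a saved ComboFix log; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for f in triage(lines):
        print(f"[{f.category}] {f.subject}: {f.reason}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python triage.py ComboFix.txt` against a saved log, or with no argument to see the eight findings from the sample: two UAC values, the four service lines (SASDIFSV twice, once for "[x]" and once for the Temp path), and the ProxyOverride entry. The .NET NGEN service with a real date and size is not reported, which is the point of keeping the rules narrow.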


#11 TheProgramer

TheProgramer
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:New Jersey
  • Local time:02:04 PM

Posted 24 April 2012 - 09:46 PM

Thanks for letting me know. I'll definitely join that program after we finish cleaning up this computer.

There was no message box asking me to submit files for analysis; ComboFix didn't behave any differently than normal.

Log is too big to be attached (even zipped) so here it is:

ComboFix 12-04-24.05 - Caleb 04/24/2012 22:15:46.6.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.3007 [GMT -4:00]
Running from: c:\users\Caleb\Desktop\ComboFix.exe
Command switches used :: c:\users\Caleb\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-25 to 2012-04-25 )))))))))))))))))))))))))))))))
.
.
2012-04-25 02:27 . 2012-04-25 02:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-04-25 02:27 . 2012-04-25 02:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-23 22:20 . 2012-04-24 08:04 -------- d-----w- C:\FRST
2012-04-10 17:33 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-10 17:33 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-10 17:33 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-10 17:29 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-10 17:29 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-10 17:29 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-10 17:29 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-10 17:29 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-10 17:29 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-10 17:29 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-08 14:42 . 2012-04-08 14:43 -------- d-----w- c:\program files\iTunes
2012-04-08 14:42 . 2012-04-08 14:42 -------- d-----w- c:\program files\iPod
2012-04-07 06:28 . 2012-04-07 06:28 -------- d-----w- c:\windows\en
2012-04-07 06:25 . 2012-04-07 06:25 -------- d-----w- c:\program files\Windows Live
2012-04-07 06:21 . 2012-04-07 06:21 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\DSETUP.dll
2012-04-07 06:21 . 2012-04-07 06:21 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\DXSETUP.exe
2012-04-07 06:21 . 2012-04-07 06:21 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\b87773e11cd148601\dsetup32.dll
2012-04-02 11:59 . 2012-04-14 04:59 8741536 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-02 11:44 . 2012-04-14 04:59 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 04:59 . 2011-05-19 16:13 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-13 08:46 . 2012-04-25 00:01 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{275F3820-D056-48C3-94CE-5D1B8744CE26}\mpengine.dll
2012-04-04 19:56 . 2010-02-09 01:39 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 17:41 . 2011-11-25 22:35 2068016 ----a-w- c:\users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy\TDSSKiller.exe
2012-03-08 22:37 . 2012-03-08 22:37 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-02-23 14:18 . 2009-11-11 13:31 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-14 14:50 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 14:50 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 14:50 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 14:50 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 15:01 . 2012-02-15 15:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 15:01 . 2012-02-15 15:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-10 06:36 . 2012-03-14 14:51 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 14:51 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34 . 2012-03-14 14:51 3145728 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 21:31 . 2010-06-17 21:31 388608 ----a-w- c:\program files (x86)\HijackThis.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-25_00.45.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-11 15:06 . 2012-04-25 02:30 69854 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-04-25 00:46 48930 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-25 02:30 48930 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-11 13:37 . 2012-04-25 02:30 19994 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-43541578-2147765598-3109653096-1001_UserData.bin
- 2009-11-11 09:05 . 2012-04-24 23:14 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-11 09:05 . 2012-04-25 02:10 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-22 04:53 . 2012-04-24 23:14 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-22 04:53 . 2012-04-25 02:10 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-24 23:14 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-25 02:10 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-25 02:28 . 2012-04-25 02:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-25 00:44 . 2012-04-25 00:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-25 02:28 . 2012-04-25 02:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-25 00:44 . 2012-04-25 00:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-26 06:03 . 2012-04-25 00:43 4326976 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-43541578-2147765598-3109653096-1001-8192.dat
+ 2011-11-26 06:03 . 2012-04-25 02:27 4326976 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-43541578-2147765598-3109653096-1001-8192.dat
+ 2011-11-26 06:03 . 2012-04-25 02:27 43140788 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-43541578-2147765598-3109653096-1001-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\program files\Steam\steam.exe" [2011-08-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 SASDIFSV;SASDIFSV;c:\users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x]
R2 acrosysbackup_exJ2rTliAtja;Acronis System Backup;c:\windows\system32\wirepots.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [2009-10-16 29184]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-01-31 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 OpenLibSys;OpenLibSys;c:\windows.old\Program Files\NXP\FM Radio\OpenLibSysX64.sys [x]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-02-21 8704]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-16 1039872]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
S3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [x]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 04:59]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://us.blizzard.com/en-us/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\S-1-5-21-43541578-2147765598-3109653096-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{94943081-4B4A-993C-75CC-FC74C4D1DCF7}*]
"oajccjkbcbldfijnhhifniepgkofhg"=hex:6a,61,6f,66,65,64,6d,6c,67,6f,6e,68,6e,6d,
6b,6b,70,67,64,63,00,00
"nadcimofbniponkogpafpfnilhaa"=hex:6a,61,6f,66,65,64,6d,6c,67,6f,6e,68,6e,6d,
6b,6b,70,67,64,63,00,00
.
[HKEY_USERS\S-1-5-21-43541578-2147765598-3109653096-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,33,67,16,90,8f,0f,fb,58,bb,16,d7,ae,9e,65,ea,b5,73,81,7c,75,ec,e6,
79,6c,a6,4f,b3,a9,42,6f,86,a5,de,ab,b6,51,b4,e8,3e,c1,1c,57,8f,90,4c,47,fa,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38
.
[HKEY_USERS\S-1-5-21-43541578-2147765598-3109653096-1001\Software\SecuROM\License information*]
"datasecu"=hex:22,fb,d6,f1,8c,36,6d,dc,df,4e,23,0c,a8,24,54,ba,4b,0b,86,d8,40,
54,ab,3c,f4,b4,b1,30,62,98,e2,53,1d,98,50,f9,36,62,49,4e,a3,bd,c5,8f,3b,07,\
"rkeysecu"=hex:b3,2c,77,a2,6f,cb,62,cb,72,88,11,47,a3,44,38,09
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-04-24 22:36:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-25 02:36
ComboFix2.txt 2012-04-25 00:52
ComboFix3.txt 2012-04-20 23:15
ComboFix4.txt 2012-04-20 19:05
ComboFix5.txt 2012-04-25 02:14
.
Pre-Run: 12,581,203,968 bytes free
Post-Run: 12,512,088,064 bytes free
.
- - End Of File - - 34897EFD750990544374DB7F55BB4918


Edited by TheProgramer, 24 April 2012 - 09:48 PM.


#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 24 April 2012 - 10:07 PM

Please rerun FRST.

Plug your USB flash drive with FRST on it into your computer.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#13 TheProgramer

TheProgramer
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:New Jersey

Posted 25 April 2012 - 01:04 AM

Here is the log (forum won't let me attach, even when zipped, says it's too big).

Scan result of Farbar Recovery Scan Tool Version: 22-04-2012
Ran by SYSTEM at 25-04-2012 01:58:03
Running from G:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" [x]
HKU\Caleb\...\Run: [Steam] "D:\Program Files\Steam\steam.exe" -silent [x]
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

==================== Services (Whitelisted) ======

3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [253088 2012-04-13] (Adobe Systems Incorporated)
2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [8704 2012-02-20] (Hi-Rez Studios)
3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [69632 2005-04-03] (Macrovision Corporation)
2 lxdxCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [29184 2009-10-16] (Lexmark International, Inc.)
2 lxdx_device; C:\Windows\system32\lxdxcoms.exe -service [1039872 2009-10-16] ( )
2 lxdx_device; C:\Windows\SysWow64\lxdxcoms.exe -service [589824 2009-10-16] ( )
3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [64856 2009-02-26] (Microsoft Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [43010392 2009-03-29] (Microsoft Corporation)
4 MSSQLServerADHelper100; "C:\Program Files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [47128 2008-07-10] (Microsoft Corporation)
4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe" /service msvsmon90 [4737024 2008-07-29] (Microsoft Corporation)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [66872 2009-11-20] ()
2 SkypeUpdate; "C:\Program Files (x86)\Skype\Updater\Updater.exe" [158856 2012-01-31] (Skype Technologies)
4 SQLAgent$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [366936 2009-03-29] (Microsoft Corporation)
4 SQLBrowser; "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [254808 2009-03-29] (Microsoft Corporation)
2 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [157720 2008-07-10] (Microsoft Corporation)
2 acrosysbackup_exJ2rTliAtja; C:\Windows\system32\wirepots.exe [x]
2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [x]

========================== Drivers (Whitelisted) =============

3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
3 ivusb; C:\Windows\System32\Drivers\ivusb.sys [29720 2010-07-28] (Initio Corporation)
2 SecDrv; C:\Windows\SysWow64\Drivers\SecDrv.sys [11376 2003-09-08] ()
3 SWDUMon; C:\Windows\System32\Drivers\SWDUMon.sys [15672 2011-09-10] ()
3 TotRec8; C:\Windows\System32\Drivers\TotRec8.sys [122448 2010-11-23] (High Criteria inc.)
3 VCSVADHWSer; C:\Windows\System32\DRIVERS\vcsvad.sys [21504 2008-12-10] (Avnex)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 OpenLibSys; \??\C:\Windows.old\Program Files\NXP\FM Radio\OpenLibSysX64.sys [x]
1 SASDIFSV; \??\C:\Users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
1 SASKUTIL; \??\C:\Users\Caleb\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-24 18:45 - 2012-04-24 16:21 - 0018690 ____A C:\Users\Caleb\Desktop\ComboFix.txt
2012-04-24 18:36 - 2009-11-11 00:43 - 0018690 ____A C:\ComboFix.txt
2012-04-24 18:29 - - 0000000 ____D C:\$RECYCLE.BIN
2012-04-24 16:42 - - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-04-24 16:22 - 2011-10-10 16:08 - 4475037 ____R (Swearware) C:\Users\Caleb\Desktop\ComboFix.exe
2012-04-23 14:20 - 2012-01-17 15:41 - 0000000 ____D C:\FRST
2012-04-23 10:11 - 2012-03-06 08:05 - 0000000 ____D C:\Users\Caleb\Desktop\New folder
2012-04-22 20:43 - 2011-11-04 20:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5AFFEAFD-1351-4995-BB21-85CD74B78590}
2012-04-22 20:43 - 2011-06-06 08:13 - 0000000 ____D C:\Users\Caleb\AppData\Local\{897F5E73-C430-48F5-B9BD-756638C5A8F2}
2012-04-21 21:18 - 2011-12-14 20:26 - 0000000 ____D C:\Users\Caleb\AppData\Local\{67696A9D-58B4-4137-BED3-8A2EAAEF983C}
2012-04-21 21:18 - 2011-08-31 05:10 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AF99E0A6-5948-4318-9742-DA6AD1FFEE43}
2012-04-21 21:08 - 2012-04-21 21:04 - 0128386 ____A C:\TDSSKiller.2.7.31.0_22.04.2012_01.08.55_log.txt
2012-04-21 20:55 - 2012-04-21 01:35 - 0129908 ____A C:\TDSSKiller.2.7.31.0_22.04.2012_00.55.14_log.txt
2012-04-21 01:32 - 2012-04-21 01:30 - 0128950 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.32.49_log.txt
2012-04-21 01:28 - 2012-04-21 01:23 - 0129886 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.28.11_log.txt
2012-04-21 01:15 - 2012-04-24 16:23 - 0131196 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.15.24_log.txt
2012-04-20 21:33 - 2012-03-26 10:45 - 2072624 ____A (Kaspersky Lab ZAO) C:\Users\Caleb\Desktop\TDSSKiller.exe
2012-04-20 13:16 - 2012-01-04 10:40 - 0001117 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-20 10:38 - 2012-04-23 10:16 - 0000000 ____D C:\Qoobox
2012-04-20 10:38 - 2011-05-06 09:07 - 0208896 ____A C:\Windows\MBR.exe
2012-04-20 10:38 - 2009-11-11 11:32 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-04-20 10:38 - 2009-07-13 23:50 - 0080412 ____A C:\Windows\grep.exe
2012-04-20 10:38 - 2009-07-13 23:46 - 0098816 ____A C:\Windows\sed.exe
2012-04-20 10:38 - 2009-07-13 21:32 - 0256000 ____A C:\Windows\PEV.exe
2012-04-20 10:38 - 2009-07-13 17:39 - 0068096 ____A C:\Windows\zip.exe
2012-04-20 10:38 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-04-19 21:52 - 2011-06-09 08:11 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C1B5AA9D-700E-4E16-AF70-60A550EA568C}
2012-04-18 13:57 - 2011-11-06 09:56 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4BF9294E-512C-44F6-AD3A-F898162AE26D}
2012-04-18 13:56 - 2011-09-16 04:56 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FB0B8027-C3CC-45CC-85ED-5A87415225CD}
2012-04-17 16:59 - 2011-10-11 13:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AAB56D53-4CA4-4B9C-91AE-EDB418D40190}
2012-04-17 16:59 - 2011-05-15 18:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F6CBA245-2B4D-4A33-A999-3DB24E7E3DDF}
2012-04-17 06:29 - 2012-01-01 21:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{001D91DC-7553-42E1-B3A5-0B89BC30E608}
2012-04-14 19:55 - 2011-04-08 20:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B5F7D970-ADCC-4894-AE5B-3F35BF1AA03B}
2012-04-14 19:55 - 2011-04-07 06:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F025D07D-A864-4356-A0B0-DC2F2CC92213}
2012-04-14 03:30 - 2012-02-28 11:19 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8B75F9B2-F4A3-4F39-AC87-3BFE9BCD77B7}
2012-04-14 03:30 - 2011-09-14 19:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E61EB7F1-F402-4E3A-9A81-0E36116F2EF4}
2012-04-11 04:45 - 2011-11-26 22:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8566D7C8-51B2-4B84-835F-CB8BE74C41D6}
2012-04-11 04:45 - 2011-09-04 17:42 - 0000000 ____D C:\Users\Caleb\AppData\Local\{27664A51-4315-4EC6-95F6-F2B817CDA96D}
2012-04-10 09:34 - 2012-02-27 23:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-10 09:34 - 2012-02-27 22:56 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-04-10 09:34 - 2012-02-27 22:48 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-10 09:34 - 2012-02-27 22:45 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-04-10 09:34 - 2012-02-27 22:42 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-10 09:34 - 2012-02-27 17:52 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-04-10 09:34 - 2012-02-27 17:18 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-04-10 09:34 - 2012-02-27 17:09 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-04-10 09:34 - 2012-02-27 17:06 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-04-10 09:34 - 2012-02-27 17:03 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-10 09:34 - 2011-05-06 08:58 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-04-10 09:34 - 2011-05-02 21:29 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-04-10 09:34 - 2011-05-02 20:30 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-04-10 09:34 - 2010-11-20 05:27 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-04-10 09:34 - 2010-11-20 04:21 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-04-10 09:34 - 2009-07-13 17:41 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-10 09:34 - 2009-07-13 17:38 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-10 09:34 - 2009-07-13 17:16 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-04-10 09:34 - 2009-07-13 17:14 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-04-10 09:33 - 2009-07-13 17:41 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-10 09:33 - 2009-07-13 17:16 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-04-10 09:33 - 2009-07-13 17:16 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-10 09:29 - 2009-07-13 17:47 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-04-10 09:29 - 2009-07-13 17:41 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-04-10 09:29 - 2009-07-13 17:38 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-04-10 09:29 - 2009-07-13 17:33 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-04-10 09:29 - 2009-07-13 17:16 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-04-10 09:29 - 2009-07-13 17:14 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-04-10 09:29 - 2009-07-13 17:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-04-10 08:09 - 2012-04-08 06:55 - 0243824 ____A C:\Users\Caleb\Desktop\D1334074120.pdf
2012-04-10 07:38 - 2011-08-27 07:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FB66730E-764B-4C34-BE5C-A29B36E59491}
2012-04-10 07:37 - 2009-11-11 11:06 - 0000000 ____D C:\Users\Caleb\AppData\Local\{33127D64-FAAC-4EFD-8B27-284202E6F9FB}
2012-04-08 06:55 - 2012-04-24 18:45 - 0011028 ____A C:\Users\Caleb\Desktop\Contract 2.docx
2012-04-08 06:50 - 2012-03-07 19:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CBC24B69-70D6-4E48-9947-F65784889E5E}
2012-04-08 06:50 - 2011-05-27 04:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{103362D0-9D5A-49A4-8F6A-18B763F93DFB}
2012-04-08 06:42 - 2012-04-10 10:44 - 0000000 ____D C:\Program Files\iPod
2012-04-08 06:42 - 2012-04-08 06:42 - 0000000 ____D C:\Program Files\iTunes
2012-04-07 19:06 - 2012-03-18 23:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4A81A784-7E12-4895-A77B-D89D7CDE0979}
2012-04-06 22:29 - 2011-12-11 07:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{1351519B-BE2F-443A-86F0-63F39E121177}
2012-04-06 22:29 - 2011-06-25 06:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{ABAF41EE-47E0-4DE4-9AAD-3168AE0D83DE}
2012-04-06 22:28 - 2012-01-11 20:08 - 0000000 ____D C:\Windows\en
2012-04-06 22:25 - 2011-03-09 12:51 - 0000000 ____D C:\Program Files\Windows Live
2012-04-06 22:20 - 2011-11-06 20:05 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B92EBD37-5DA3-49FD-B63E-A5B2D7400E92}
2012-04-06 22:20 - 2011-10-22 06:10 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3E7034FC-8C6B-4A7D-B057-A72629D6438C}
2012-04-06 14:22 - 2012-04-14 19:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B6079E04-AC53-411D-8896-F089B33C5FD4}
2012-04-06 14:22 - 2011-10-20 13:28 - 0000000 ____D C:\Users\Caleb\AppData\Local\{18F7CE18-6BAD-49F6-B3DB-3A00CEC34D13}
2012-04-06 10:18 - 2012-03-28 11:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{40C45008-69EA-4FE5-8C4F-EE1CB6962349}
2012-04-06 10:18 - 2012-01-06 23:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{000A181E-8DEB-4F86-B2CD-E2066AC6B13F}
2012-04-04 20:38 - 2012-02-24 23:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8F867343-4454-4AE5-97EA-CB66B8CC300E}
2012-04-04 20:38 - 2011-06-24 05:44 - 0000000 ____D C:\Users\Caleb\AppData\Local\{743783A6-CAF4-41C7-B62B-C1B4D254027D}
2012-04-04 19:01 - 2012-03-28 11:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{63325AF5-C349-4B13-ABFC-73403447301E}
2012-04-04 18:47 - 2011-08-02 20:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C231530C-0D36-4B38-9B09-E5B18AC7CA5B}
2012-04-04 00:14 - 2011-05-18 20:42 - 0000000 ____D C:\Users\Caleb\AppData\Local\{24532CAF-D2CD-4A6C-B4FD-B8549096DD16}
2012-04-03 15:24 - 2011-12-29 04:28 - 0000000 ____D C:\Users\Caleb\AppData\Local\{DDE45303-16E9-467C-AADE-A6EF8219A390}
2012-04-03 15:24 - 2011-05-05 11:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FDD874D7-DA45-4AA4-9F0C-382A41C4C2EC}
2012-04-03 08:40 - 2012-03-26 12:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5461D794-BB73-4853-BECC-93AC43AB911F}
2012-04-03 08:39 - 2011-10-13 18:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A9EFEFBB-3B72-4739-8A25-C2C9CEAB31D9}
2012-04-02 20:09 - 2012-04-22 20:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5B296E1C-7344-4311-AA80-869F588D3052}
2012-04-02 20:09 - 2011-06-20 18:39 - 0000000 ____D C:\Users\Caleb\AppData\Local\{BC03DECB-9DB0-4786-9D9B-7F3A170347FA}
2012-04-02 03:59 - 2012-04-13 20:59 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-02 03:45 - - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-02 03:44 - 2009-07-13 17:14 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-01 23:21 - 2011-10-03 10:54 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9FDC32D8-9BE3-4B82-BAE3-643E862213F6}
2012-04-01 18:41 - 2012-03-02 14:35 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7BDABE43-D63C-478E-8215-5AA9027B50E5}
2012-04-01 18:41 - 2011-10-21 06:00 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CEBEE2A6-2CAB-43F7-B316-ECB4696464F6}
2012-04-01 13:30 - 2011-06-15 19:52 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6A8A9DA9-9F3D-48FE-A1A7-1B2F9AEA71BC}
2012-04-01 13:30 - 2011-05-16 06:23 - 0000000 ____D C:\Users\Caleb\AppData\Local\{98360B09-AA61-4B3B-B779-2803BC9D7D99}
2012-04-01 13:00 - 2011-12-30 22:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{45253104-7437-495F-B1ED-A401D0A51633}
2012-04-01 12:59 - 2011-11-30 18:05 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D4F8CBAB-48C1-4DC0-AB24-AF8088616EA7}
2012-04-01 10:03 - 2012-04-22 20:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{899546A1-0676-4949-888C-FEA6652B7514}
2012-04-01 10:03 - 2012-04-14 03:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E62FCFE0-FEDA-4BA2-952D-DE19A1537C8C}
2012-03-30 21:02 - 2012-03-15 11:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{07D53A93-EF44-446A-9CCC-A6CD4564FC34}
2012-03-30 21:02 - 2011-12-20 06:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C6CAFE9C-D6DF-4BC3-9446-71255A121CCB}
2012-03-30 07:16 - 2011-11-22 14:48 - 0000000 ____D C:\Users\Caleb\AppData\Local\{61EBEE71-37F9-46CA-998F-AAC0AE87111B}
2012-03-28 11:37 - 2012-01-29 14:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{407230E5-55A3-4C8A-80BF-8BE30B0A4ED6}
2012-03-28 11:37 - 2011-12-18 05:54 - 0000000 ____D C:\Users\Caleb\AppData\Local\{63117794-EE6D-4820-BD7E-B657F80C65C0}
2012-03-26 12:50 - 2012-02-14 05:15 - 0000000 ____D C:\Users\Caleb\AppData\Local\{54521E06-1AC3-4E20-96C2-4897FC2D8635}
2012-03-26 12:50 - 2011-12-20 18:49 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D7E9140B-DF47-4C84-8A8B-35910302AE03}
2012-03-26 10:45 - 2011-10-10 15:13 - 24417978 ____A C:\Users\Caleb\Desktop\stupid comments.mp3


============ 3 Months Modified Files and Folders =============

2012-04-25 01:58 - 2012-04-23 14:20 - 0000000 ____D C:\FRST
2012-04-24 21:56 - 2012-04-23 10:11 - 0000000 ____D C:\Users\Caleb\Desktop\New folder
2012-04-24 21:56 - 2009-11-11 00:47 - 1284952 ____A C:\Windows\WindowsUpdate.log
2012-04-24 20:59 - 2012-04-02 03:45 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-24 20:11 - 2009-07-13 20:51 - 0228508 ____A C:\Windows\setupact.log
2012-04-24 18:46 - 2009-07-13 20:45 - 0013472 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-24 18:46 - 2009-07-13 20:45 - 0013472 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-24 18:45 - 2012-04-24 18:45 - 0005810 ____A C:\Users\Caleb\Desktop\ComboFix.zip
2012-04-24 18:39 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-24 18:38 - 2009-11-11 00:44 - 3219988480 __ASH C:\hiberfil.sys
2012-04-24 18:37 - 2012-04-20 10:38 - 0000000 ____D C:\Qoobox
2012-04-24 18:36 - 2012-04-24 18:45 - 0018690 ____A C:\Users\Caleb\Desktop\ComboFix.txt
2012-04-24 18:36 - 2012-04-24 18:36 - 0018690 ____A C:\ComboFix.txt
2012-04-24 18:29 - 2012-04-24 18:29 - 0000000 ____D C:\$RECYCLE.BIN
2012-04-24 18:29 - 2012-04-24 16:42 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-04-24 18:29 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-04-24 18:28 - 2009-11-11 09:27 - 0105820 ____A C:\Windows\PFRO.log
2012-04-24 16:52 - 2009-11-11 05:23 - 0000000 ____D C:\users\Caleb
2012-04-24 16:43 - 2011-12-27 16:09 - 0000000 ____D C:\Windows\ERDNT
2012-04-24 16:21 - 2012-04-24 16:22 - 4475037 ____R (Swearware) C:\Users\Caleb\Desktop\ComboFix.exe
2012-04-24 13:34 - 2010-06-05 07:23 - 0000000 ____D C:\Users\Caleb\AppData\Roaming\Skype
2012-04-23 10:16 - 2010-08-03 10:18 - 0000000 ____D C:\Users\All Users\Lx_cats
2012-04-23 10:16 - 2010-08-03 10:18 - 0000000 ____D C:\ProgramData\Lx_cats
2012-04-23 10:12 - 2009-07-13 21:13 - 0822284 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-22 20:43 - 2012-04-22 20:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{897F5E73-C430-48F5-B9BD-756638C5A8F2}
2012-04-22 20:43 - 2012-04-22 20:43 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5AFFEAFD-1351-4995-BB21-85CD74B78590}
2012-04-22 20:43 - 2010-10-21 08:19 - 0000000 ____D C:\Users\Caleb\AppData\Local\Windows Live
2012-04-21 21:18 - 2012-04-21 21:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AF99E0A6-5948-4318-9742-DA6AD1FFEE43}
2012-04-21 21:18 - 2012-04-21 21:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{67696A9D-58B4-4137-BED3-8A2EAAEF983C}
2012-04-21 21:11 - 2012-04-21 21:08 - 0128386 ____A C:\TDSSKiller.2.7.31.0_22.04.2012_01.08.55_log.txt
2012-04-21 21:04 - 2012-04-21 20:55 - 0129908 ____A C:\TDSSKiller.2.7.31.0_22.04.2012_00.55.14_log.txt
2012-04-21 20:59 - 2012-03-21 20:22 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-04-21 07:13 - 2010-02-08 17:28 - 136523982 ____A C:\Windows\ntbtlog.txt
2012-04-21 02:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-04-21 01:35 - 2012-04-21 01:32 - 0128950 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.32.49_log.txt
2012-04-21 01:30 - 2012-04-21 01:28 - 0129886 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.28.11_log.txt
2012-04-21 01:23 - 2012-04-21 01:15 - 0131196 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_05.15.24_log.txt
2012-04-21 01:22 - 2011-11-25 14:56 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-21 01:22 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-04-20 22:56 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-20 15:50 - 2012-04-20 21:33 - 2072624 ____A (Kaspersky Lab ZAO) C:\Users\Caleb\Desktop\TDSSKiller.exe
2012-04-20 15:21 - 2009-07-13 23:45 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-04-20 15:06 - 2009-07-13 18:34 - 80740352 ____A C:\Windows\System32\config\software.bak
2012-04-20 15:06 - 2009-07-13 18:34 - 20185088 ____A C:\Windows\System32\config\system.bak
2012-04-20 15:06 - 2009-07-13 18:34 - 0282624 ____A C:\Windows\System32\config\default.bak
2012-04-20 15:06 - 2009-07-13 18:34 - 0065536 ____A C:\Windows\System32\config\sam.bak
2012-04-20 15:06 - 2009-07-13 18:34 - 0028672 ____A C:\Windows\System32\config\security.bak
2012-04-20 13:16 - 2012-04-20 13:16 - 0001117 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-19 21:52 - 2012-04-19 21:52 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C1B5AA9D-700E-4E16-AF70-60A550EA568C}
2012-04-18 16:17 - 2011-06-12 13:08 - 0000000 ____D C:\Users\Caleb\AppData\Roaming\Mumble
2012-04-18 13:57 - 2012-04-18 13:57 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4BF9294E-512C-44F6-AD3A-F898162AE26D}
2012-04-18 13:57 - 2012-04-18 13:56 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FB0B8027-C3CC-45CC-85ED-5A87415225CD}
2012-04-17 16:59 - 2012-04-17 16:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F6CBA245-2B4D-4A33-A999-3DB24E7E3DDF}
2012-04-17 16:59 - 2012-04-17 16:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{AAB56D53-4CA4-4B9C-91AE-EDB418D40190}
2012-04-17 06:29 - 2012-04-17 06:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{001D91DC-7553-42E1-B3A5-0B89BC30E608}
2012-04-14 19:55 - 2012-04-14 19:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F025D07D-A864-4356-A0B0-DC2F2CC92213}
2012-04-14 19:55 - 2012-04-14 19:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B5F7D970-ADCC-4894-AE5B-3F35BF1AA03B}
2012-04-14 03:31 - 2012-04-14 03:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E61EB7F1-F402-4E3A-9A81-0E36116F2EF4}
2012-04-14 03:30 - 2012-04-14 03:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8B75F9B2-F4A3-4F39-AC87-3BFE9BCD77B7}
2012-04-13 20:59 - 2012-04-02 03:59 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-13 20:59 - 2012-04-02 03:44 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-13 20:59 - 2011-05-19 08:13 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-11 04:45 - 2012-04-11 04:45 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8566D7C8-51B2-4B84-835F-CB8BE74C41D6}
2012-04-11 04:45 - 2012-04-11 04:45 - 0000000 ____D C:\Users\Caleb\AppData\Local\{27664A51-4315-4EC6-95F6-F2B817CDA96D}
2012-04-10 09:36 - 2009-11-11 19:33 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-10 09:36 - 2009-11-11 19:33 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-10 09:30 - 2009-11-11 05:31 - 57249312 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-10 08:09 - 2012-04-10 08:09 - 0243824 ____A C:\Users\Caleb\Desktop\D1334074120.pdf
2012-04-10 07:38 - 2012-04-10 07:38 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FB66730E-764B-4C34-BE5C-A29B36E59491}
2012-04-10 07:38 - 2012-04-10 07:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{33127D64-FAAC-4EFD-8B27-284202E6F9FB}
2012-04-08 06:55 - 2012-04-08 06:55 - 0011028 ____A C:\Users\Caleb\Desktop\Contract 2.docx
2012-04-08 06:51 - 2012-04-08 06:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{103362D0-9D5A-49A4-8F6A-18B763F93DFB}
2012-04-08 06:50 - 2012-04-08 06:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CBC24B69-70D6-4E48-9947-F65784889E5E}
2012-04-08 06:43 - 2012-04-08 06:42 - 0000000 ____D C:\Program Files\iTunes
2012-04-08 06:42 - 2012-04-08 06:42 - 0000000 ____D C:\Program Files\iPod
2012-04-07 19:06 - 2012-04-07 19:06 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4A81A784-7E12-4895-A77B-D89D7CDE0979}
2012-04-06 22:29 - 2012-04-06 22:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{ABAF41EE-47E0-4DE4-9AAD-3168AE0D83DE}
2012-04-06 22:29 - 2012-04-06 22:29 - 0000000 ____D C:\Users\Caleb\AppData\Local\{1351519B-BE2F-443A-86F0-63F39E121177}
2012-04-06 22:28 - 2012-04-06 22:28 - 0000000 ____D C:\Windows\en
2012-04-06 22:26 - 2009-11-11 07:49 - 0000000 ____D C:\Program Files (x86)\Windows Live
2012-04-06 22:25 - 2012-04-06 22:25 - 0000000 ____D C:\Program Files\Windows Live
2012-04-06 22:23 - 2009-11-11 06:57 - 0372793 ____A C:\Windows\DirectX.log
2012-04-06 22:20 - 2012-04-06 22:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B92EBD37-5DA3-49FD-B63E-A5B2D7400E92}
2012-04-06 22:20 - 2012-04-06 22:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3E7034FC-8C6B-4A7D-B057-A72629D6438C}
2012-04-06 14:22 - 2012-04-06 14:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B6079E04-AC53-411D-8896-F089B33C5FD4}
2012-04-06 14:22 - 2012-04-06 14:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{18F7CE18-6BAD-49F6-B3DB-3A00CEC34D13}
2012-04-06 10:19 - 2012-04-06 10:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{40C45008-69EA-4FE5-8C4F-EE1CB6962349}
2012-04-06 10:18 - 2012-04-06 10:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{000A181E-8DEB-4F86-B2CD-E2066AC6B13F}
2012-04-04 20:38 - 2012-04-04 20:38 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8F867343-4454-4AE5-97EA-CB66B8CC300E}
2012-04-04 20:38 - 2012-04-04 20:38 - 0000000 ____D C:\Users\Caleb\AppData\Local\{743783A6-CAF4-41C7-B62B-C1B4D254027D}
2012-04-04 19:01 - 2012-04-04 19:01 - 0000000 ____D C:\Users\Caleb\AppData\Local\{63325AF5-C349-4B13-ABFC-73403447301E}
2012-04-04 18:47 - 2012-04-04 18:47 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C231530C-0D36-4B38-9B09-E5B18AC7CA5B}
2012-04-04 11:56 - 2010-02-08 17:39 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-04 00:14 - 2012-04-04 00:14 - 0000000 ____D C:\Users\Caleb\AppData\Local\{24532CAF-D2CD-4A6C-B4FD-B8549096DD16}
2012-04-03 15:24 - 2012-04-03 15:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FDD874D7-DA45-4AA4-9F0C-382A41C4C2EC}
2012-04-03 15:24 - 2012-04-03 15:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{DDE45303-16E9-467C-AADE-A6EF8219A390}
2012-04-03 08:40 - 2012-04-03 08:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5461D794-BB73-4853-BECC-93AC43AB911F}
2012-04-03 08:40 - 2012-04-03 08:39 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A9EFEFBB-3B72-4739-8A25-C2C9CEAB31D9}
2012-04-02 20:09 - 2012-04-02 20:09 - 0000000 ____D C:\Users\Caleb\AppData\Local\{BC03DECB-9DB0-4786-9D9B-7F3A170347FA}
2012-04-02 20:09 - 2012-04-02 20:09 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5B296E1C-7344-4311-AA80-869F588D3052}
2012-04-01 23:21 - 2012-04-01 23:21 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9FDC32D8-9BE3-4B82-BAE3-643E862213F6}
2012-04-01 18:41 - 2012-04-01 18:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CEBEE2A6-2CAB-43F7-B316-ECB4696464F6}
2012-04-01 18:41 - 2012-04-01 18:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7BDABE43-D63C-478E-8215-5AA9027B50E5}
2012-04-01 13:30 - 2012-04-01 13:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{98360B09-AA61-4B3B-B779-2803BC9D7D99}
2012-04-01 13:30 - 2012-04-01 13:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6A8A9DA9-9F3D-48FE-A1A7-1B2F9AEA71BC}
2012-04-01 13:00 - 2012-04-01 13:00 - 0000000 ____D C:\Users\Caleb\AppData\Local\{45253104-7437-495F-B1ED-A401D0A51633}
2012-04-01 13:00 - 2012-04-01 12:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D4F8CBAB-48C1-4DC0-AB24-AF8088616EA7}
2012-04-01 10:04 - 2012-04-01 10:03 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E62FCFE0-FEDA-4BA2-952D-DE19A1537C8C}
2012-04-01 10:03 - 2012-04-01 10:03 - 0000000 ____D C:\Users\Caleb\AppData\Local\{899546A1-0676-4949-888C-FEA6652B7514}
2012-03-30 21:02 - 2012-03-30 21:02 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C6CAFE9C-D6DF-4BC3-9446-71255A121CCB}
2012-03-30 21:02 - 2012-03-30 21:02 - 0000000 ____D C:\Users\Caleb\AppData\Local\{07D53A93-EF44-446A-9CCC-A6CD4564FC34}
2012-03-30 20:57 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-03-30 07:16 - 2012-03-30 07:16 - 0000000 ____D C:\Users\Caleb\AppData\Local\{61EBEE71-37F9-46CA-998F-AAC0AE87111B}
2012-03-29 19:54 - 2011-08-13 09:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\Fallout3
2012-03-28 11:37 - 2012-03-28 11:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{63117794-EE6D-4820-BD7E-B657F80C65C0}
2012-03-28 11:37 - 2012-03-28 11:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{407230E5-55A3-4C8A-80BF-8BE30B0A4ED6}
2012-03-27 10:10 - 2011-08-24 07:20 - 0000000 ____D C:\Users\Caleb\AppData\Local\dxhr
2012-03-26 12:50 - 2012-03-26 12:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D7E9140B-DF47-4C84-8A8B-35910302AE03}
2012-03-26 12:50 - 2012-03-26 12:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{54521E06-1AC3-4E20-96C2-4897FC2D8635}
2012-03-26 10:45 - 2012-03-26 10:45 - 24417978 ____A C:\Users\Caleb\Desktop\stupid comments.mp3
2012-03-25 13:53 - 2012-03-25 13:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A481EDF3-2E58-4C86-ABD7-86C6E14F35B5}
2012-03-25 13:53 - 2012-03-25 13:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6FEDF100-5432-4190-B436-D41AA08795B0}
2012-03-23 12:22 - 2012-03-23 12:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E89B1DD6-49EE-4016-965D-B37374CDE176}
2012-03-23 12:22 - 2012-03-23 12:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CD4AE716-22F3-4A37-BC3C-7CEEA62C029C}
2012-03-22 16:15 - 2009-07-13 21:08 - 0032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-22 06:13 - 2012-03-22 06:13 - 0000000 ____D C:\Users\Caleb\AppData\Local\{994A7B38-BD07-473B-9761-0B064A0B43CD}
2012-03-21 20:27 - 2010-06-11 05:57 - 0000000 ____D C:\Users\Caleb\AppData\Local\ElevatedDiagnostics
2012-03-21 20:11 - 2010-02-08 17:28 - 0000000 ____D C:\Windows\Minidump
2012-03-21 20:10 - 2010-02-08 17:28 - 549705721 ____A C:\Windows\MEMORY.DMP
2012-03-21 20:09 - 2012-01-11 12:10 - 0000000 ____D C:\RBin
2012-03-21 19:41 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sysprep
2012-03-21 10:10 - 2010-07-28 21:34 - 0000000 ____D C:\Program Files (x86)\StarCraft II
2012-03-20 12:32 - 2012-03-20 12:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{00CC2DF1-D7B6-4080-B347-7F594D9B2A56}
2012-03-20 12:32 - 2012-03-20 12:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0A74C6B7-ABAA-4935-8DDA-496FD781928F}
2012-03-19 18:08 - 2012-03-19 18:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{454416DA-6615-474D-BDD8-05EC0D1BBCF1}
2012-03-19 18:08 - 2012-03-19 18:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3FF35D8A-C029-45A3-BD55-9B35B4E6A9FC}
2012-03-19 08:09 - 2012-01-09 12:47 - 0000000 ___RD C:\Program Files (x86)\Skype
2012-03-18 23:24 - 2012-03-18 23:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4AA5734C-38F6-492F-96A5-4B267378708E}
2012-03-18 23:24 - 2012-03-18 23:24 - 0000000 ____D C:\Users\Caleb\AppData\Local\{49D032E5-D248-4434-9DBB-58580DD684D6}
2012-03-18 09:10 - 2012-03-18 09:10 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E3502CDE-8340-47EC-9324-12CA54503929}
2012-03-16 08:56 - 2012-03-16 08:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3B498582-386B-41A4-9F89-A95AD5EE2702}
2012-03-16 08:55 - 2012-03-16 08:55 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0DDB115F-6D15-4F27-BE14-4CB48A00023D}
2012-03-15 11:34 - 2012-03-15 11:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{07CD6C18-F8D7-4179-98D7-73622B17DD6B}
2012-03-14 12:58 - 2012-02-28 10:49 - 0000000 ____D C:\Users\Caleb\AppData\Roaming\FileZilla
2012-03-14 12:08 - 2012-03-14 12:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5FAE2935-5013-4462-9B0D-2181F05236E5}
2012-03-14 12:07 - 2012-03-14 12:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5CC54FB2-8127-4E17-BFE7-01EB80E8466F}
2012-03-14 09:29 - 2009-07-13 20:45 - 0413312 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-13 13:57 - 2012-03-13 13:57 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C8DBB023-F936-4D3A-83FB-181CFCAFA26B}
2012-03-12 05:08 - 2012-03-12 05:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E57DD82D-2F0B-44D8-B0E4-8D1624F169BE}
2012-03-12 05:08 - 2012-03-12 05:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{832AF57D-90FF-41C2-A317-36E33CC27436}
2012-03-11 09:36 - 2012-03-11 09:36 - 0000000 ____D C:\Users\Caleb\AppData\Local\{665E9097-5F42-4B8B-BC54-2ABD11BACD1C}
2012-03-11 09:36 - 2012-03-11 09:35 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8FB53FE3-056B-49EA-A860-C51918BAF0AB}
2012-03-10 08:59 - 2012-03-10 08:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D8B26965-E1CF-4424-9307-5235925309C9}
2012-03-10 08:59 - 2012-03-10 08:59 - 0000000 ____D C:\Users\Caleb\AppData\Local\{700C2071-1158-4335-8330-4EDD8009F839}
2012-03-09 09:50 - 2012-03-09 09:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C8844FA0-E205-4FA1-BE42-4FBCA078DBC4}
2012-03-09 09:50 - 2012-03-09 09:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6D49C98E-F542-4562-9D20-5BB4673D2F0E}
2012-03-08 14:45 - 2012-03-08 14:45 - 0000000 ____D C:\Users\Caleb\AppData\Local\{86BC0CA9-CB4D-4706-8D7E-0EE891E7F1E9}
2012-03-08 14:45 - 2012-03-08 14:44 - 0000000 ____D C:\Users\Caleb\AppData\Local\{2F68171D-1989-4692-BF12-D8B3466D8854}
2012-03-08 14:37 - 2012-03-08 14:37 - 0302448 ____A (Microsoft Corporation) C:\Windows\WLXPGSS.SCR
2012-03-07 19:51 - 2012-03-07 19:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{48FBF54E-2BD2-4417-8C0A-E244A423E94D}
2012-03-07 19:50 - 2012-03-07 19:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CB42AA3B-357F-411D-8A70-37F4B3C40724}
2012-03-07 07:41 - 2012-03-07 07:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{458C1E8D-91DD-4CBF-AB0F-69E0A2797221}
2012-03-06 08:05 - 2012-03-06 08:05 - 0011348 ____A C:\Users\Caleb\Desktop\Drink Receipes.docx
2012-03-05 22:53 - 2012-04-10 09:33 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-05 21:59 - 2012-04-10 09:33 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-05 21:59 - 2012-04-10 09:33 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-05 13:37 - 2012-03-05 13:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{2C2EFBB1-E77C-4035-8817-E7DD301DA8B3}
2012-03-05 13:37 - 2012-03-05 13:36 - 0000000 ____D C:\Users\Caleb\AppData\Local\{99A842D5-25FC-4E8E-893E-E9673664FC06}
2012-03-05 08:27 - 2012-03-05 08:27 - 0000000 ____D C:\Users\Caleb\AppData\Local\{035C0F5E-4025-4450-9DCD-B7B7D1D17415}
2012-03-03 08:40 - 2012-03-03 08:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{502C534C-23AA-4ACF-9BCA-58E1E5B4DD2E}
2012-03-02 14:35 - 2012-03-02 14:35 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7B291BD5-B96B-4E80-A01D-9A82A393D8D7}
2012-03-02 14:35 - 2012-03-02 14:35 - 0000000 ____D C:\Users\Caleb\AppData\Local\{25E0BD72-A269-4833-B90D-C0EC81831D44}
2012-02-29 22:46 - 2012-04-10 09:29 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-10 09:29 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-10 09:29 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-10 09:29 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-10 09:29 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-10 09:29 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-10 09:29 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-28 11:19 - 2012-02-28 11:19 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8B3F767D-09EB-41D5-8933-E4220808AE50}
2012-02-28 11:19 - 2012-02-28 11:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C5E5EDC5-73EE-4A80-B76F-352B0BD14F00}
2012-02-28 10:49 - 2012-02-28 10:49 - 0002008 ____A C:\Users\Public\Desktop\FileZilla Client.lnk
2012-02-28 10:49 - 2012-02-28 10:49 - 0000000 ____D C:\Program Files (x86)\FileZilla FTP Client
2012-02-27 23:34 - 2012-04-10 09:34 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-10 09:34 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-10 09:34 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-10 09:34 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-10 09:34 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-10 09:34 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-10 09:34 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-10 09:34 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-10 09:34 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-10 09:34 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-10 09:34 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-10 09:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-10 09:34 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 19:58 - 2012-02-27 19:58 - 0000000 ____D C:\Users\Caleb\AppData\Local\{BDCEE914-642C-472B-9173-8D28303BA761}
2012-02-27 17:52 - 2012-04-10 09:34 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-10 09:34 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-10 09:34 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-10 09:34 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-10 09:34 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-10 09:34 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-10 09:34 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-10 09:34 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-10 09:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-10 09:34 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-10 09:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-10 09:34 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-10 09:34 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-27 11:00 - 2012-02-27 11:00 - 0000000 ____D C:\Users\Caleb\AppData\Local\{CA8F30F8-5D26-4B81-87CF-6F12F9D75CF7}
2012-02-26 20:17 - 2012-02-26 20:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D389DED9-8831-47E1-A3B2-5BA82397213B}
2012-02-26 20:17 - 2012-02-26 20:16 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4F788C5C-CD34-4F17-B486-ED7D1AE402C9}
2012-02-26 07:12 - 2012-02-26 07:12 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6A6C6BA1-70D5-47C9-ADFD-1F17EF7DC7F3}
2012-02-25 21:32 - 2012-02-25 21:32 - 0000000 ____D C:\Users\Caleb\AppData\Local\{415565AA-2BC0-4C1D-9520-B97E0E148CEE}
2012-02-25 21:32 - 2012-02-25 21:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4D97CF7E-93D7-4A7E-8EC5-B2A073F8EBB6}
2012-02-24 23:54 - 2012-02-24 23:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E310CDA3-2F74-4D88-9F47-55854B1EC8E0}
2012-02-24 23:53 - 2012-02-24 23:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{8EF5EB5B-FAC6-43AF-AE93-A6F333F185B1}
2012-02-24 15:25 - 2012-02-24 15:25 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5518FB77-6263-401C-992E-EEAC93486528}
2012-02-23 22:31 - 2012-02-23 22:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9B269811-77A2-400C-A50D-75A78D1CEC89}
2012-02-23 22:30 - 2012-02-23 22:30 - 0000000 ____D C:\Users\Caleb\AppData\Local\{73AB4424-56DE-45DD-84EF-16A2BDA34F33}
2012-02-23 06:18 - 2009-11-11 05:31 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-22 09:08 - 2012-02-22 09:08 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3499590D-BF9B-4A96-81FD-4B394DFAF017}
2012-02-22 09:08 - 2012-02-22 09:07 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F5D01D62-A121-4180-9A3E-4D85147C48F6}
2012-02-22 09:05 - 2012-01-17 10:26 - 0000003 ____A C:\Windows\System32\HRUPPROG.TXT
2012-02-22 09:05 - 2012-01-04 10:39 - 0000000 ____D C:\Program Files (x86)\Hi-Rez Studios
2012-02-21 16:48 - 2012-02-21 16:48 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A7E2CC87-34B8-445A-9B2B-F3212D8B1D3D}
2012-02-21 16:48 - 2012-02-21 16:48 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A1481DD1-8631-4BF8-8FB4-C3C3D854E5C5}
2012-02-21 09:46 - 2012-02-21 09:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FCAB3F42-A8FF-4C3E-AB4E-12D356565462}
2012-02-21 09:46 - 2012-02-21 09:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9CE3876E-3188-444B-884D-F20953994433}
2012-02-20 11:46 - 2012-02-20 11:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E39D2C17-6DE6-45D9-A1B3-BF84870786E1}
2012-02-20 11:46 - 2012-02-20 11:46 - 0000000 ____D C:\Users\Caleb\AppData\Local\{DB400641-4192-41A0-AE5B-3F2778B6E5FB}
2012-02-19 16:51 - 2012-02-19 16:51 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7CDF5775-B81D-4446-ACB8-46007FC5E54B}
2012-02-19 16:51 - 2012-02-19 16:51 - 0000000 ____D C:\Users\Caleb\AppData\Local\{3352E7B3-7FC1-4A80-97AC-7399DCF138EC}
2012-02-18 20:34 - 2012-02-18 20:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F1A175BA-3759-4C06-B7A3-0E4709D73C4B}
2012-02-18 20:34 - 2012-02-18 20:34 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A7BC8E3F-BA28-459F-96C4-AF16E2835788}
2012-02-18 05:28 - 2012-02-18 05:28 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D2EC24E8-881D-42D0-8693-E9ECC6B4FD94}
2012-02-18 05:28 - 2012-02-18 05:28 - 0000000 ____D C:\Users\Caleb\AppData\Local\{4DEF3D0D-F5C6-490F-91B6-0C86CD564F26}
2012-02-18 05:21 - 2010-06-05 07:23 - 0000000 ____D C:\Users\All Users\Skype
2012-02-18 05:21 - 2010-06-05 07:23 - 0000000 ____D C:\ProgramData\Skype
2012-02-17 21:49 - 2012-02-17 21:49 - 0000000 ____D C:\Users\Caleb\AppData\Local\{732F6CB6-88FC-4DEC-B5B5-FEE4F2AF2D84}
2012-02-17 09:50 - 2012-02-17 09:50 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A8EDA8C1-9450-4E53-9C20-40C558C62624}
2012-02-16 22:38 - 2012-03-14 06:50 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-14 06:50 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-14 06:50 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-14 06:50 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-16 05:28 - 2009-11-11 05:23 - 0000174 ___SH C:\Users\Caleb\Start Menu\Programs\Startup\desktop.ini
2012-02-16 05:28 - 2009-11-11 05:23 - 0000174 ___SH C:\Users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-15 21:25 - 2009-12-02 20:12 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-02-15 20:15 - 2012-02-15 20:15 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0FDB4584-5004-436A-9457-0615D1AFEEB3}
2012-02-15 07:01 - 2012-02-15 07:01 - 4547944 ____A (Apple, Inc.) C:\Windows\System32\usbaaplrc.dll
2012-02-15 07:01 - 2012-02-15 07:01 - 0052736 ____A (Apple, Inc.) C:\Windows\System32\Drivers\usbaapl64.sys
2012-02-14 05:15 - 2012-02-14 05:15 - 0000000 ____D C:\Users\Caleb\AppData\Local\{F64A9700-26F1-4FA4-BFA8-F7BCD8952B04}
2012-02-14 05:15 - 2012-02-14 05:14 - 0000000 ____D C:\Users\Caleb\AppData\Local\{530E57E2-A658-4CA2-BEC8-8C0EEEC06799}
2012-02-10 21:37 - 2012-02-10 21:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{50460B86-AA3A-4980-A4E6-2531A83496BC}
2012-02-10 21:37 - 2012-02-10 21:37 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0DDC3D27-E1F5-4ED6-A446-DB9002E62594}
2012-02-09 22:36 - 2012-03-14 06:51 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-14 06:51 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-08 08:53 - 2012-02-08 08:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C4989C0B-B6D0-4ED3-9476-CCCA0827EC25}
2012-02-08 08:53 - 2012-02-08 08:53 - 0000000 ____D C:\Users\Caleb\AppData\Local\{A9FD91B1-E575-4435-83DD-7D9083BEA1D1}
2012-02-07 10:39 - 2012-02-07 10:39 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E8F68DB0-6984-423C-AD07-1DF70764C6EE}
2012-02-07 10:39 - 2012-02-07 10:39 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B41D7352-B8F8-430E-A832-47BBED4E5426}
2012-02-07 07:02 - 2012-02-07 07:02 - 1070352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2012-02-06 20:31 - 2012-02-06 20:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6D93DB27-F02B-4948-AC78-F849260EF1D3}
2012-02-06 20:31 - 2012-02-06 20:31 - 0000000 ____D C:\Users\Caleb\AppData\Local\{13804897-162D-4046-B990-F8A072FA29BC}
2012-02-06 11:57 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-02-06 07:15 - 2012-02-06 07:15 - 0000000 ____D C:\Users\Caleb\AppData\Local\{0193E0CD-C141-479C-A37F-838DE529C714}
2012-02-04 20:17 - 2012-02-04 20:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{424BEAB5-37CC-4916-9BA2-E00A689E124A}
2012-02-03 11:44 - 2012-02-03 11:44 - 0000000 ____D C:\Users\Caleb\AppData\Local\{D56A7151-EFFA-44D0-8CF5-362A067453FD}
2012-02-03 11:44 - 2012-02-03 11:44 - 0000000 ____D C:\Users\Caleb\AppData\Local\{7832198E-42B3-4679-9273-5E466B35A1B4}
2012-02-02 20:34 - 2012-03-14 06:51 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-01 12:17 - 2012-02-01 12:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{EE41CF8F-F009-4B13-A877-CD84639EFEB8}
2012-02-01 12:17 - 2012-02-01 12:17 - 0000000 ____D C:\Users\Caleb\AppData\Local\{36390932-558D-45B0-99A1-D1DD4BF4C76E}
2012-01-31 19:33 - 2012-01-31 19:33 - 0000000 ____D C:\Users\Caleb\Documents\Electronic Arts
2012-01-31 19:33 - 2012-01-31 19:33 - 0000000 ____D C:\Users\Caleb\AppData\Local\Electronic Arts
2012-01-31 19:31 - 2012-01-31 19:31 - 0000000 ____D C:\Users\Caleb\Documents\Electrontic Arts
2012-01-31 08:25 - 2012-01-31 08:25 - 0000000 ____D C:\Users\Caleb\AppData\Local\{C4F19734-C7D7-4D45-ABA6-FCBE82AD8FAB}
2012-01-31 08:25 - 2012-01-31 08:25 - 0000000 ____D C:\Users\Caleb\AppData\Local\{6A1BD776-6912-4213-A33D-97CA598DF3F2}
2012-01-30 13:06 - 2012-01-30 13:06 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9A30D9AB-6B8F-480F-9770-2A993E38CE7F}
2012-01-30 13:06 - 2012-01-30 13:06 - 0000000 ____D C:\Users\Caleb\AppData\Local\{5108FBF8-678E-41C1-9290-C221F0F76498}
2012-01-29 14:40 - 2012-01-29 14:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{FFAA5885-2B34-4996-B6BD-315CAF418093}
2012-01-29 14:40 - 2012-01-29 14:40 - 0000000 ____D C:\Users\Caleb\AppData\Local\{404AA8F1-E90B-4786-A08E-B3953765D62B}
2012-01-29 14:23 - 2012-01-29 14:23 - 0000000 ____D C:\Users\Caleb\AppData\Local\{725A164A-66B6-4BA5-8F65-BB2478FDA677}
2012-01-29 07:22 - 2012-01-29 07:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{B26DB58F-7353-4C7C-87C4-31E118B81DC2}
2012-01-28 20:42 - 2012-01-28 20:42 - 0000000 ____D C:\Users\Caleb\AppData\Local\{E5C8CD2A-2271-4CF7-A887-2C67428DC585}
2012-01-28 08:42 - 2012-01-28 08:42 - 0000000 ____D C:\Users\Caleb\AppData\Local\{88C92A1A-083B-4ECC-BA77-B36242E677E6}
2012-01-28 08:42 - 2012-01-28 08:41 - 0000000 ____D C:\Users\Caleb\AppData\Local\{72B8612E-345A-4AB6-841E-8D7983650B1A}
2012-01-27 12:07 - 2010-08-03 10:10 - 0089049 ____A C:\Windows\System32\LexFiles.ulf
2012-01-27 12:03 - 2012-01-27 12:03 - 0000000 ____D C:\Users\Caleb\AppData\Local\{9AEB290E-2684-42FC-9AE4-A8AD809193B4}
2012-01-27 12:03 - 2012-01-27 12:02 - 0000000 ____D C:\Users\Caleb\AppData\Local\{ED7EAB0F-97A3-4B46-BABA-6651F25A307B}
2012-01-27 07:58 - 2012-01-27 07:58 - 0000000 ____D C:\Users\Caleb\AppData\Local\{477688AE-4384-4D1C-A521-05DCC36F7EB7}

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4094.43 MB
Available physical RAM: 3508.65 MB
Total Pagefile: 4092.58 MB
Available Pagefile: 3498.09 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (C: Drive) (Fixed) (Total:184.84 GB) (Free:11.73 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (D: Games & Music) (Fixed) (Total:186.31 GB) (Free:37.19 GB) NTFS
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.31 GB) NTFS
5 Drive g: (VICTORIA'S) (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 186 GB 0 B
Disk 1 Online 186 GB 0 B
Disk 2 Online 62 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 184 GB 1501 MB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C C: Drive NTFS Partition 184 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 186 GB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D D: Games & NTFS Partition 186 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 62 MB 0 B

======================================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

======================================================================================================

==========================================================

Last Boot: 2012-04-20 15:33

======================= End Of Log ==========================

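The listing above is raw FRST output: for every file touched in the last month, the created time, the modified time, the size, an attribute column (A file, D directory, S system, H hidden, R read-only, N normal), the company name FRST reads from the file, and the path. Reading a few hundred such lines by eye is slow, so here is an added triage script (my example, not FRST's code and not part of this thread) that parses lines in that format and pulls out the entries an analyst would look at first: binaries under C:\Windows with no company field, files carrying the system+hidden attributes other than desktop.ini, and the count of GUID-named directories under AppData\Local. The sample input is constructed from seven lines copied from the log plus one hypothetical `example.sys` driver line so that a hit is visible; the flags are starting points for a closer look, not verdicts.

```python
"""Triage helper for FRST-style "one month" file listings (added example).

Parses lines of the form
  <created> - <modified> - <size> <attrs> [(<company>)] <path>
and reports the entries worth a second look.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: seven lines from the listing above plus one hypothetical
# driver (example.sys) with no company name, so a finding shows up.
SAMPLE_LOG = r"""
2012-04-04 11:56 - 2010-02-08 17:39 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-06 14:22 - 2012-04-06 14:22 - 0000000 ____D C:\Users\Caleb\AppData\Local\{18F7CE18-6BAD-49F6-B3DB-3A00CEC34D13}
2012-04-06 10:19 - 2012-04-06 10:18 - 0000000 ____D C:\Users\Caleb\AppData\Local\{40C45008-69EA-4FE5-8C4F-EE1CB6962349}
2012-03-05 22:53 - 2012-04-10 09:33 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-02-16 05:28 - 2009-11-11 05:23 - 0000174 ___SH C:\Users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-23 06:18 - 2009-11-11 05:31 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-03-14 09:29 - 2009-07-13 20:45 - 0413312 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-01 09:00 - 2012-04-01 09:00 - 0045056 ____A C:\Windows\System32\Drivers\example.sys
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"      # company field is optional
    r"(?P<path>\S.*?)\s*$"
)
GUID_DIR_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
BINARY_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str                 # FRST attribute column, e.g. ____A, ____D, ___SH
    company: Optional[str]     # None when FRST printed no company for the file
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        # ntpath handles backslash paths even when this runs on Linux/macOS.
        return ntpath.basename(self.path)


def parse_listing(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse listing lines; returns (entries, non-blank lines that did not match)."""
    entries, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)
            continue
        entries.append(Entry(created=m["created"], modified=m["modified"],
                             size=int(m["size"]), attrs=m["attrs"],
                             company=m["company"], path=m["path"]))
    return entries, skipped


def triage(entries: List[Entry]) -> Dict[str, object]:
    """Pick out the entries an analyst would check first."""
    # Executables/drivers under C:\Windows for which FRST printed no company.
    no_company = [
        e.path for e in entries
        if not e.is_dir
        and e.path.lower().startswith("c:\\windows\\")
        and ntpath.splitext(e.name)[1].lower() in BINARY_EXT
        and not e.company
    ]
    # System+hidden files; desktop.ini with those attributes is normal Windows.
    hidden_system = [
        e.path for e in entries
        if "S" in e.attrs and "H" in e.attrs and e.name.lower() != "desktop.ini"
    ]
    # GUID-named directories under AppData\Local: count them and group by day.
    # On their own they are churn, not evidence of infection.
    guid_dirs = [e for e in entries if e.is_dir and GUID_DIR_RE.match(e.name)]
    return {
        "no_company_binaries": no_company,
        "hidden_system_files": hidden_system,
        "guid_dir_count": len(guid_dirs),
        "guid_dirs_per_day": dict(Counter(e.created[:10] for e in guid_dirs)),
    }


if __name__ == "__main__":
    parsed, unparsed = parse_listing(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed, {len(unparsed)} lines skipped")
    for key, value in triage(parsed).items():
        print(f"{key}: {value}")
```

Paste the whole "One Month Created/Modified" block into `SAMPLE_LOG` (or read it from a file) to run it over a real log; the company field is whatever FRST printed, so an empty one means "look closer", not "malicious".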


#14 TheProgramer (Topic Starter)

Posted 25 April 2012 - 01:04 AM

[Accidental reply, ignore this]

Edited by TheProgramer, 25 April 2012 - 01:07 AM.


#15 jntkwx (Malware Response Team)

Posted 25 April 2012 - 10:21 AM

TheProgramer,

Step 1: Please download Listparts64
Run the tool, click Scan and post the log (Result.txt) it makes.

Step 2: Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Step 3: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

In your next reply, please include:
  • Result.txt from Listparts
  • Malwarebytes log
  • ESET log
  • The contents of C:\Qoobox\Add-Remove Programs.txt
  • How's your computer running now?

Note: Please do not attach or zip the logs, just copy and paste them into your reply. It's easier for me to read that way.
Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.




