Sirefef infection - Computer restarts in 1 minute everytime I boot it


This topic is locked
8 replies to this topic

#1 rk123

rk123

  • Members
  • 4 posts

Posted 16 June 2012 - 01:20 AM

Hi, last night I was browsing the internet and attempted to download something from a website that seemed legitimate, but when I went to scan the file with MSE, I was shocked to find that MSE was turned off, and I could not get it to work again.
I forget the exact error displayed, but I immediately disconnected the internet, uninstalled MSE, and then re-installed, reconnected to the net, updated MSE and was immediately confronted with a security warning that my system was infected with "Sirefef.Y".

MSE tried to clean the infection, but before it could complete the process, I received a Windows Critical error, stating that my system has encountered a problem and will automatically restart in 60 seconds, which it did.
This is a cycle that continues to occur, and pretty much immediately after boot, which gives me very little time to do anything about the problem.
Please help!

I am running Windows 7 Home Premium 64bit.

I have tried starting the computer in safe mode but get the same problem - each time I receive the Windows error and the system reboots.


Any help you could provide would be appreciated a great deal.

Thanks in advance.

RK.

#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 16 June 2012 - 07:41 PM

Download Farbar Recovery Scan Tool and save it to a flash drive.
(you need the 64bit version)
Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
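The FRST.txt that CatByte asks for is what rk123 posts next. As an added example (not FRST's own code and not from any post in this thread), here is a small Python triage script that parses the file-listing lines of that log format and marks entries a reviewer would open first; the sample input is a handful of lines copied from the log below, and the three rules are heuristics chosen for this example, so a flag means "look at this", not "malicious".

```python
"""Triage helper for the file-listing sections of an FRST log (added example;
not FRST's code and not from any post in this thread). Each line has the form

    <date> - <date> - <size> <attrs> [(Company)] <path>

The three rules in flag() are heuristics chosen for this example, not FRST's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<date_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<date_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"  # company from version info, if present
    r"(?P<path>\S.*)$"
)
GUID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# A missing publisher string matters most for loadable code in system dirs.
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Entry:
    date_a: str             # created in the "Created" section, modified in "Modified"
    date_b: str             # the other timestamp
    size: int
    attrs: str              # five flag characters, e.g. "____D", "___AH", "__SHD", "_RASH"
    company: Optional[str]  # None when FRST printed no version-info company
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "S" in self.attrs and "H" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line; None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    company = m.group("company")
    return Entry(m.group("date_a"), m.group("date_b"), int(m.group("size")),
                 m.group("attrs"), company.strip() if company else None, m.group("path"))


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def flag(e: Entry) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means none noted."""
    reasons = []
    lp = e.path.lower()
    if e.is_dir and e.hidden_system and ("\\windows\\" in lp or "\\appdata\\" in lp):
        reasons.append("hidden+system directory under Windows or a user profile")
    if (e.name.startswith("%") and e.name.endswith("%")) or GUID_RE.fullmatch(e.name):
        reasons.append("environment-variable-style or bare-GUID name")
    if e.company is None and lp.startswith(SYSTEM_DIRS) and e.name.lower().endswith(EXEC_EXT):
        reasons.append("loadable code in a system directory with no publisher string")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """(path, reasons) for every entry that trips at least one rule, in log order."""
    return [(e.path, flag(e)) for e in parse_log(text) if flag(e)]


# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
2012-06-17 08:21 - 2012-06-17 08:23 - 00000000 ____D C:\FRST
2012-06-14 06:56 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 07:25 - 2012-06-14 07:25 - 00000000 ____A C:\Windows\SysWOW64\sho6CF3.tmp
2012-06-12 06:08 - 2012-06-12 06:08 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-11 19:35 - 2012-01-15 19:47 - 00000000 __SHD C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
2012-06-02 02:54 - 2012-02-04 02:40 - 00000205 ____A C:\Windows\SysWOW64\lsprst7.dll
2012-06-02 02:42 - 2012-06-02 01:38 - 945551928 ____A (IBM Corp ) C:\Users\Naz\Downloads\CI4G0ML.exe
2012-06-16 18:50 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```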


#3 rk123

rk123
  • Topic Starter

  • Members
  • 4 posts

Posted 16 June 2012 - 10:03 PM

Thanks for the reply. Please see the log below.

Scan result of Farbar Recovery Scan Tool Version: 17-06-2012
Ran by SYSTEM at 17-06-2012 08:22:39
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-09-12] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-17] (IDT, Inc.)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-04] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Naz\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Naz\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-06-16] (Hewlett-Packard Company)
HKU\rajatkaul\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\rajatkaul\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-06-16] (Hewlett-Packard Company)
HKU\rajatkaul\...\Run: [googletalk] C:\Users\rajatkaul\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKU\rajatkaul\...\Run: [Google Update] "C:\Users\rajatkaul\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-01-26] (Google Inc.)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe, [625416 2010-04-23] (DigitalPersona, Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\..\Interfaces\{15E9CFA8-F39A-4638-BF17-69F4F0941D3F}: [NameServer]0.0.0.0
Lsa: [Notification Packages] DPPassFilter
scecli
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Canon LBP3300 Status Window.lnk
ShortcutTarget: Canon LBP3300 Status Window.lnk -> C:\Windows\System32\spool\drivers\x64\3\CNAB5LAD.EXE (CANON INC.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Naz\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 CinemaNow Service; C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [400368 2010-06-12] (CinemaNow, Inc.)
2 DpHost; C:\Program Files\DigitalPersona\Bin\DpHostW.exe [445192 2010-04-23] (DigitalPersona, Inc.)
2 GoogleDesktopManager-051210-111108; "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2011-05-15] (Google)
2 hasplms; C:\Windows\system32\hasplms.exe -run [3750400 2009-12-16] (SafeNet Inc.)
4 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [86072 2011-09-09] (Hewlett-Packard Company)
2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-06-29] ()
3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [64856 2009-02-26] (Microsoft Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2533400 2010-04-30] (Intel Corporation)
2 vcsFPService; C:\Windows\system32\vcsFPService.exe [2192176 2010-02-23] (Validity Sensors, Inc.)
2 vcsFPService; C:\Windows\SysWow64\vcsFPService.exe [1799472 2010-02-23] (Validity Sensors, Inc.)
3 WMZuneComm; "C:\Program Files\Zune\WMZuneComm.exe" [306400 2011-08-04] (Microsoft Corporation)
3 ZuneNetworkSvc; "C:\Program Files\Zune\ZuneNss.exe" [8277728 2011-08-04] (Microsoft Corporation)
3 ZuneWlanCfgSvc; "C:\Program Files\Zune\ZuneWlanCfgSvc.exe" [467680 2011-08-04] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

2 aksdf; C:\Windows\System32\Drivers\aksdf.sys [71040 2009-09-20] (Aladdin Knowledge Systems Ltd.)
2 aksfridge; C:\Windows\System32\Drivers\aksfridge.sys [130816 2009-08-19] (Aladdin Knowledge Systems Ltd.)
3 clwvd; C:\Windows\System32\Drivers\clwvd.sys [32880 2010-06-24] (Windows ® Win 7 DDK provider)
1 ctxusbm; C:\Windows\System32\Drivers\ctxusbm.sys [87600 2010-04-16] (Citrix Systems, Inc.)
3 Dot4Print; C:\Windows\System32\DRIVERS\Dot4Prt.sys [19968 2010-11-20] (Microsoft Corporation)
2 hardlock; C:\Windows\System32\Drivers\hardlock.sys [318464 2009-03-12] (Aladdin Knowledge Systems Ltd.)
3 hwdatacard; C:\Windows\System32\DRIVERS\ewusbmdm.sys [115328 2008-07-23] (Huawei Technologies Co., Ltd.)
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [232992 2010-01-11] (Realtek Semiconductor Corp.)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-17 08:21 - 2012-06-17 08:23 - 00000000 ____D C:\FRST
2012-06-15 19:37 - 2012-06-15 21:37 - 00814790 ____A C:\Windows\ntbtlog.txt
2012-06-15 19:20 - 2012-06-15 19:20 - 00001266 ____A C:\Users\Naz\Desktop\shutdown.lnk
2012-06-15 18:55 - 2012-06-15 18:55 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-15 18:55 - 2012-06-15 18:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-15 18:50 - 2012-06-15 18:52 - 12621696 ____A (Microsoft Corporation) C:\Users\Naz\Downloads\mseinstall.exe
2012-06-15 05:52 - 2012-06-15 16:56 - 00000000 ____D C:\Users\Naz\AppData\Roaming\Skype
2012-06-15 05:37 - 2012-06-15 05:56 - 00000000 ____D C:\Users\Naz\AppData\Roaming\vlc
2012-06-15 05:04 - 2012-06-15 05:04 - 00428205 ____A C:\Users\Naz\Downloads\ITR1_2012_13_R2.zip
2012-06-15 05:01 - 2012-06-15 05:01 - 01472520 ____A C:\Users\Naz\Downloads\ITR2_2012_13_R2.zip
2012-06-14 07:25 - 2012-06-14 07:25 - 00000000 ____A C:\Windows\SysWOW64\sho6CF3.tmp
2012-06-14 06:56 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 06:56 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-14 06:56 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-14 06:56 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-14 06:56 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-14 06:56 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-14 06:56 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-14 06:56 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-14 06:56 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 06:56 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-14 06:56 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-14 06:56 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-14 06:56 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-14 06:56 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-14 06:56 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-14 06:56 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-14 06:56 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-14 06:56 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-14 06:56 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-14 06:56 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-14 06:56 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-14 06:56 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-14 06:56 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-14 06:56 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-14 06:56 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-14 06:56 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-14 06:56 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-14 06:56 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-12 23:31 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-12 23:31 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-12 23:31 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-12 23:31 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-12 23:31 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-12 23:31 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-12 23:31 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-12 23:30 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 23:30 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-12 23:30 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-12 23:30 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-12 23:30 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-12 23:30 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-12 23:30 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-12 23:30 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-12 23:30 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-12 23:30 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-12 06:08 - 2012-06-12 06:08 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-11 19:49 - 2012-06-16 18:28 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-10 09:15 - 2012-06-10 09:15 - 00000000 ____D C:\Users\All Users\Mozilla
2012-06-10 09:15 - 2012-06-10 09:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-06-07 06:52 - 2012-06-07 06:52 - 01043625 ____A C:\Users\Naz\Desktop\Educomp.docx
2012-06-06 04:37 - 2012-06-06 08:40 - 00004556 ____A C:\Users\Naz\Downloads\532876 (1).csv
2012-06-05 10:25 - 2012-06-05 10:29 - 00004676 ____A C:\Users\Naz\Downloads\532696.csv
2012-06-05 10:16 - 2012-06-05 18:02 - 00004549 ____A C:\Users\Naz\Downloads\532876.csv
2012-06-03 05:39 - 2012-06-03 05:40 - 07867441 ____A C:\Users\Naz\Downloads\Chapter9Assignment.zip
2012-06-03 05:39 - 2012-06-03 05:40 - 07867441 ____A C:\Users\Naz\Downloads\Chapter9Assignment (1).zip
2012-06-03 05:37 - 2012-06-03 05:39 - 08238373 ____A C:\Users\Naz\Downloads\Chapter8Assignment (1).zip
2012-06-02 03:12 - 2012-06-02 03:12 - 00000000 ____D C:\Users\Naz\Documents\SPSSInc
2012-06-02 03:11 - 2012-06-02 03:11 - 00000000 ____D C:\Users\Naz\AppData\Local\javasharedresources
2012-06-02 03:11 - 2012-06-02 03:11 - 00000000 ____D C:\Users\Naz\AppData\Local\IBM
2012-06-02 02:56 - 2012-06-02 02:56 - 00000000 ____D C:\Users\All Users\SPSS
2012-06-02 02:55 - 2012-06-02 02:55 - 00000000 ____D C:\Program Files\Common Files\IBM
2012-06-02 02:54 - 2012-06-02 02:54 - 00000000 ____D C:\Program Files\IBM
2012-06-02 01:38 - 2012-06-02 02:45 - 00000499 ____A C:\Users\Naz\Downloads\dlmgr.pro
2012-06-02 01:38 - 2012-06-02 02:42 - 945551928 ____A (IBM Corp ) C:\Users\Naz\Downloads\CI4G0ML.exe
2012-06-02 01:37 - 2012-06-02 01:38 - 00000033 ____A C:\Users\Naz\dlmgr_.pro
2012-06-01 06:35 - 2012-06-01 06:35 - 00780800 ____A C:\Users\Naz\Downloads\chap10-11-12-solutions.doc
2012-05-31 03:21 - 2012-06-10 17:22 - 00041472 ____A C:\Users\Naz\Downloads\hll financial statement analysis worksheet consolidated financial statements 2011.xls
2012-05-30 22:28 - 2012-05-30 22:28 - 00000000 ____D C:\Users\Naz\Documents\SafeNet Sentinel
2012-05-30 22:28 - 2012-05-30 22:28 - 00000000 ____D C:\Users\Naz\.spss
2012-05-30 09:33 - 2012-05-30 09:50 - 00000288 ____A C:\Users\Naz\AppData\Roaming\MSBlint.dat
2012-05-30 09:33 - 2012-05-30 09:50 - 00000288 ____A C:\Users\All Users\PDF2XL-4-14.TrialData
2012-05-30 09:33 - 2012-05-30 09:33 - 00002057 ____A C:\Users\Public\Desktop\Cogniview PDF2XL Evaluation.lnk
2012-05-30 09:33 - 2012-05-30 09:33 - 00000000 ____D C:\Users\Naz\AppData\Roaming\Cogniview
2012-05-30 09:33 - 2012-05-30 09:33 - 00000000 ____D C:\Program Files (x86)\Cogniview
2012-05-30 09:29 - 2012-05-30 09:31 - 28017152 ____A C:\Users\Naz\Downloads\PDF2XL-Setup-631912-Eval.msi
2012-05-27 16:58 - 2012-05-27 16:58 - 00195072 ____A C:\Users\Naz\Downloads\United Spirits Limited.doc
2012-05-27 06:32 - 2012-05-27 06:32 - 00162483 ____A C:\Users\Naz\Downloads\Analysis.docx
2012-05-24 04:35 - 2012-05-24 04:36 - 00002675 ____A C:\Users\Public\Desktop\Microsoft Office Outlook 2007.lnk
2012-05-21 09:04 - 2012-05-21 09:04 - 00000000 ____D C:\Users\Naz\Desktop\NJ
2012-05-20 09:00 - 2012-05-20 09:00 - 00784784 ____A (Solid State Networks) C:\Users\Naz\Downloads\install_reader10_en_gtba_aih.exe

============ 3 Months Modified Files and Folders =============

2012-06-17 08:23 - 2012-06-17 08:21 - 00000000 ____D C:\FRST
2012-06-16 18:50 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-16 18:50 - 2009-07-13 18:34 - 00000534 ____A C:\Windows\win.ini
2012-06-16 18:49 - 2009-07-13 20:51 - 00076070 ____A C:\Windows\setupact.log
2012-06-16 18:29 - 2012-04-22 03:33 - 00000000 ____D C:\Users\Naz\AppData\Roaming\Dropbox
2012-06-16 18:28 - 2012-06-11 19:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-16 18:27 - 2011-04-10 07:00 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-16 18:27 - 2011-04-10 07:00 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-16 18:23 - 2011-01-26 00:20 - 00000924 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2206101987-668002411-143173057-1000UA.job
2012-06-16 03:27 - 2009-07-13 21:13 - 00730746 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-15 21:37 - 2012-06-15 19:37 - 00814790 ____A C:\Windows\ntbtlog.txt
2012-06-15 19:42 - 2012-04-22 03:36 - 00000000 ___RD C:\Users\Naz\Dropbox
2012-06-15 19:20 - 2012-06-15 19:20 - 00001266 ____A C:\Users\Naz\Desktop\shutdown.lnk
2012-06-15 18:57 - 2011-01-24 07:57 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-15 18:57 - 2010-09-16 00:52 - 01159573 ____A C:\Windows\WindowsUpdate.log
2012-06-15 18:55 - 2012-06-15 18:55 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-15 18:55 - 2012-06-15 18:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-15 18:55 - 2011-01-24 07:31 - 00744896 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-15 18:52 - 2012-06-15 18:50 - 12621696 ____A (Microsoft Corporation) C:\Users\Naz\Downloads\mseinstall.exe
2012-06-15 18:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing
2012-06-15 18:46 - 2010-12-28 06:50 - 00124080 ____A C:\Users\rajatkaul\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-15 18:45 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-15 18:45 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-15 17:23 - 2011-01-26 00:20 - 00000872 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2206101987-668002411-143173057-1000Core.job
2012-06-15 17:21 - 2012-05-06 06:39 - 210035712 ____A C:\Users\Naz\Desktop\Naz_IIM.pst
2012-06-15 16:56 - 2012-06-15 05:52 - 00000000 ____D C:\Users\Naz\AppData\Roaming\Skype
2012-06-15 16:56 - 2012-02-07 08:31 - 00000348 ____A C:\Windows\Tasks\HPCeeScheduleForrajatkaul.job
2012-06-15 05:56 - 2012-06-15 05:37 - 00000000 ____D C:\Users\Naz\AppData\Roaming\vlc
2012-06-15 05:16 - 2012-04-21 00:23 - 00000000 ____D C:\Users\Naz\Desktop\Academics
2012-06-15 05:04 - 2012-06-15 05:04 - 00428205 ____A C:\Users\Naz\Downloads\ITR1_2012_13_R2.zip
2012-06-15 05:01 - 2012-06-15 05:01 - 01472520 ____A C:\Users\Naz\Downloads\ITR2_2012_13_R2.zip
2012-06-14 07:26 - 2012-05-07 22:20 - 00000324 ____A C:\Windows\Tasks\HPCeeScheduleForNaz.job
2012-06-14 07:26 - 2009-07-13 20:45 - 00449888 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 07:25 - 2012-06-14 07:25 - 00000000 ____A C:\Windows\SysWOW64\sho6CF3.tmp
2012-06-14 07:25 - 2012-04-24 05:35 - 00327680 ____A C:\Windows\System32\Ikeext.etl
2012-06-14 07:08 - 2011-11-04 06:17 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-14 07:02 - 2011-02-08 16:33 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-12 06:08 - 2012-06-12 06:08 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-12 05:59 - 2012-04-04 18:00 - 00000000 ____D C:\users\Naz
2012-06-11 19:49 - 2012-05-11 08:19 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-11 19:49 - 2011-12-24 21:08 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-11 19:35 - 2012-01-15 19:47 - 00000000 __SHD C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
2012-06-11 09:01 - 2012-04-09 07:42 - 00000000 ____D C:\Users\Naz\AppData\Local\CrashDumps
2012-06-10 17:30 - 2009-07-13 21:08 - 00032634 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-10 17:22 - 2012-05-31 03:21 - 00041472 ____A C:\Users\Naz\Downloads\hll financial statement analysis worksheet consolidated financial statements 2011.xls
2012-06-10 09:15 - 2012-06-10 09:15 - 00000000 ____D C:\Users\All Users\Mozilla
2012-06-10 09:15 - 2012-06-10 09:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-06-10 09:15 - 2011-03-02 07:30 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-06-10 09:09 - 2012-04-22 03:36 - 00001015 ____A C:\Users\Naz\Desktop\Dropbox.lnk
2012-06-08 09:42 - 2012-04-19 04:02 - 00000000 ____D C:\Users\Naz\Desktop\Blog
2012-06-07 06:52 - 2012-06-07 06:52 - 01043625 ____A C:\Users\Naz\Desktop\Educomp.docx
2012-06-06 08:40 - 2012-06-06 04:37 - 00004556 ____A C:\Users\Naz\Downloads\532876 (1).csv
2012-06-05 18:02 - 2012-06-05 10:16 - 00004549 ____A C:\Users\Naz\Downloads\532876.csv
2012-06-05 10:29 - 2012-06-05 10:25 - 00004676 ____A C:\Users\Naz\Downloads\532696.csv
2012-06-03 05:40 - 2012-06-03 05:39 - 07867441 ____A C:\Users\Naz\Downloads\Chapter9Assignment.zip
2012-06-03 05:40 - 2012-06-03 05:39 - 07867441 ____A C:\Users\Naz\Downloads\Chapter9Assignment (1).zip
2012-06-03 05:39 - 2012-06-03 05:37 - 08238373 ____A C:\Users\Naz\Downloads\Chapter8Assignment (1).zip
2012-06-02 21:16 - 2012-04-04 18:01 - 00124080 ____A C:\Users\Naz\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-02 03:12 - 2012-06-02 03:12 - 00000000 ____D C:\Users\Naz\Documents\SPSSInc
2012-06-02 03:11 - 2012-06-02 03:11 - 00000000 ____D C:\Users\Naz\AppData\Local\javasharedresources
2012-06-02 03:11 - 2012-06-02 03:11 - 00000000 ____D C:\Users\Naz\AppData\Local\IBM
2012-06-02 02:56 - 2012-06-02 02:56 - 00000000 ____D C:\Users\All Users\SPSS
2012-06-02 02:55 - 2012-06-02 02:55 - 00000000 ____D C:\Program Files\Common Files\IBM
2012-06-02 02:54 - 2012-06-02 02:54 - 00000000 ____D C:\Program Files\IBM
2012-06-02 02:54 - 2012-02-04 02:40 - 00000219 ____A C:\Windows\SysWOW64\lsprst7.tgz
2012-06-02 02:54 - 2012-02-04 02:40 - 00000205 ____A C:\Windows\SysWOW64\lsprst7.dll
2012-06-02 02:54 - 2012-02-04 02:40 - 00000016 ____H C:\Windows\SysWOW64\servdat.slm
2012-06-02 02:45 - 2012-06-02 01:38 - 00000499 ____A C:\Users\Naz\Downloads\dlmgr.pro
2012-06-02 02:42 - 2012-06-02 01:38 - 945551928 ____A (IBM Corp ) C:\Users\Naz\Downloads\CI4G0ML.exe
2012-06-02 01:38 - 2012-06-02 01:37 - 00000033 ____A C:\Users\Naz\dlmgr_.pro
2012-06-02 01:27 - 2012-03-30 00:17 - 00002167 ____A C:\Users\Public\Desktop\HP Photosmart Essential 3.5.lnk
2012-06-02 01:23 - 2012-03-29 23:27 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2012-06-02 01:23 - 2010-09-16 00:57 - 00326602 ____A C:\Windows\PFRO.log
2012-06-02 01:18 - 2012-04-08 03:07 - 00000000 ____D C:\Program Files (x86)\Airtel NetXpert
2012-06-01 06:35 - 2012-06-01 06:35 - 00780800 ____A C:\Users\Naz\Downloads\chap10-11-12-solutions.doc
2012-05-30 22:28 - 2012-05-30 22:28 - 00000000 ____D C:\Users\Naz\Documents\SafeNet Sentinel
2012-05-30 22:28 - 2012-05-30 22:28 - 00000000 ____D C:\Users\Naz\.spss
2012-05-30 09:50 - 2012-05-30 09:33 - 00000288 ____A C:\Users\Naz\AppData\Roaming\MSBlint.dat
2012-05-30 09:50 - 2012-05-30 09:33 - 00000288 ____A C:\Users\All Users\PDF2XL-4-14.TrialData
2012-05-30 09:33 - 2012-05-30 09:33 - 00002057 ____A C:\Users\Public\Desktop\Cogniview PDF2XL Evaluation.lnk
2012-05-30 09:33 - 2012-05-30 09:33 - 00000000 ____D C:\Users\Naz\AppData\Roaming\Cogniview
2012-05-30 09:33 - 2012-05-30 09:33 - 00000000 ____D C:\Program Files (x86)\Cogniview
2012-05-30 09:31 - 2012-05-30 09:29 - 28017152 ____A C:\Users\Naz\Downloads\PDF2XL-Setup-631912-Eval.msi
2012-05-30 06:02 - 2012-02-07 19:49 - 00000000 ____D C:\Users\All Users\Real
2012-05-30 06:01 - 2012-04-04 18:01 - 00000000 ____D C:\Users\Naz\AppData\Roaming\Real
2012-05-29 16:43 - 2012-04-04 18:00 - 00000000 ____D C:\Users\Naz\AppData\Local\Microsoft Help
2012-05-27 16:58 - 2012-05-27 16:58 - 00195072 ____A C:\Users\Naz\Downloads\United Spirits Limited.doc
2012-05-27 06:32 - 2012-05-27 06:32 - 00162483 ____A C:\Users\Naz\Downloads\Analysis.docx
2012-05-24 04:36 - 2012-05-24 04:35 - 00002675 ____A C:\Users\Public\Desktop\Microsoft Office Outlook 2007.lnk
2012-05-21 20:01 - 2011-02-22 07:36 - 00000000 ____D C:\Users\rajatkaul\AppData\Roaming\Mozilla
2012-05-21 09:28 - 2012-04-21 06:30 - 2107433984 ____A C:\Users\Naz\Desktop\Naz.pst
2012-05-21 09:04 - 2012-05-21 09:04 - 00000000 ____D C:\Users\Naz\Desktop\NJ
2012-05-21 02:05 - 2011-12-30 06:11 - 00002379 ____A C:\Users\rajatkaul\Desktop\Google Chrome.lnk
2012-05-20 09:00 - 2012-05-20 09:00 - 00784784 ____A (Solid State Networks) C:\Users\Naz\Downloads\install_reader10_en_gtba_aih.exe
2012-05-17 18:47 - 2012-06-14 06:56 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-14 06:56 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-14 06:56 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-14 06:56 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-14 06:56 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-14 06:56 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

ZeroAccess:
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\@
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\L
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\n
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U

ZeroAccess:
C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\@
C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\L
C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 3893.86 MB
Available physical RAM: 3139.68 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3129.52 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:575.36 GB) (Free:188.23 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:20.52 GB) (Free:2.98 GB) NTFS
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
4 Drive g: (DSC) (CDROM) (Total:0.03 GB) (Free:0 GB) CDFS
5 Drive h: (PEN) (Removable) (Total:3.8 GB) (Free:3.08 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 3900 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 575 GB 200 MB
Partition 3 Primary 20 GB 575 GB
Partition 4 Primary 103 MB 596 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 575 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 20 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3899 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H PEN FAT32 Removable 3899 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-07 16:58

======================= End Of Log ==========================

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:30 AM

Posted 16 June 2012 - 10:18 PM

Hi,

Please do the following:

There are some entries that need our attention.

  • We need to remove some of the entries that FRST has found.

    Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

    start
    SubSystems: [Windows] ==> ZeroAccess
    2012-06-14 07:25 - 2012-06-14 07:25 - 00000000 ____A C:\Windows\SysWOW64\sho6CF3.tmp
    2012-06-11 19:35 - 2012-01-15 19:47 - 00000000 __SHD C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
    C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
    C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
    end
    
    Now please enter System Recovery Options.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt). Please rename this as fixlog2.txt, as we need to search for a file and I don't want this log overwritten.
  • While you are still booted into System Recovery Options run FRST.

    Type the following in the edit box after "Search:" so it looks like this:

    Search: services.exe

    Click Search button and post the log it makes to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 rk123

rk123
  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:00 AM

Posted 16 June 2012 - 10:56 PM

Please find the search log below

Farbar Recovery Scan Tool Version: 17-06-2012
Ran by SYSTEM at 2012-06-17 09:16:18
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

Please also see the fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 17-06-2012
Ran by SYSTEM at 2012-06-17 08:54:16 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
C:\Windows\SysWOW64\sho6CF3.tmp moved successfully.
C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e} moved successfully.
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e} moved successfully.
C:\Users\Naz\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e} not found.

==== End of Fixlog ====
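The Search block above is the evidence for the fix that follows: two copies of services.exe, same size and timestamps, different MD5. As an added example (my own code, not FRST's and not part of this thread), here is a small Python parser for that Search output format which flags a System32 binary whose hash differs from its WinSxS component-store copy and emits the `Replace:` line in the form the helper used. The function names and the rule "same file name, same size, different MD5" are my assumptions; the sample input is the Search block posted above.

```python
"""Parse an FRST "Search:" log and flag a live system binary whose MD5 differs
from the copies kept in the WinSxS component store.

Added example; not FRST's own code. It only reads the text of a Search log and
never touches the filesystem, so it can be run offline on a saved log.
"""
import re
from collections import defaultdict

# Sample input: the Search block posted in the thread above (two hits for
# services.exe, one in winsxs and one in System32, identical size and dates).
SAMPLE_LOG = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\\Windows\\System32\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# A result line is a full Windows path; the line after it carries the details:
# [created] - [modified] - size attributes (company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_search_log(text):
    """Return one dict per hit: path, created, modified, size, attrs, company, md5."""
    entries = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if PATH_RE.match(line) and i + 1 < len(lines):
            m = DETAIL_RE.match(lines[i + 1].strip())
            if m:
                d = m.groupdict()
                d["size"] = int(d["size"])
                d["md5"] = d["md5"].upper()
                d["path"] = line
                entries.append(d)
                i += 2
                continue
        i += 1
    return entries


def is_store_copy(path):
    """WinSxS component-store copy: the reference the live binary should match."""
    return "\\winsxs\\" in path.lower()


def is_live_copy(path):
    """The copy Windows actually loads (System32 or SysWOW64)."""
    p = path.lower()
    return "\\system32\\" in p or "\\syswow64\\" in p


def find_mismatches(entries):
    """Compare each live binary against store copies of the same name and size.

    A patched-in-place binary (as in the log above) keeps its size and
    timestamps, so only the hash gives it away. Returns one dict per mismatch.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for group in by_name.values():
        store = [e for e in group if is_store_copy(e["path"])]
        for live in (e for e in group if is_live_copy(e["path"])):
            same_size = [s for s in store if s["size"] == live["size"]]
            if not same_size:
                continue  # no reference copy of comparable size to check against
            if all(s["md5"] != live["md5"] for s in same_size):
                findings.append({
                    "live": live["path"], "live_md5": live["md5"],
                    "store": same_size[0]["path"], "store_md5": same_size[0]["md5"],
                })
    return findings


def fixlist_replace_line(finding):
    """Build the 'Replace: <source> <destination>' directive used in the thread:
    the clean store copy is the source, the patched live file the destination."""
    return "Replace: {} {}".format(finding["store"], finding["live"])


if __name__ == "__main__":
    for f in find_mismatches(parse_search_log(SAMPLE_LOG)):
        print("MISMATCH:", f["live"], f["live_md5"], "!=", f["store_md5"])
        print(fixlist_replace_line(f))
```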

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:30 AM

Posted 17 June 2012 - 07:18 AM

Hi

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt). Please post it in your reply.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 rk123

rk123
  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:00 AM

Posted 17 June 2012 - 07:48 AM

Hi

I needed to use my notebook urgently so I went ahead and ran the System Recovery that comes with the Recovery Manager utility on HP laptops.
The utility has reformatted the hard drive and reinstalled Windows; a lot of my data was backed up already. The machine works for now but it still might have the malware.

If you are still willing to assist, I can run the FRST log and send you the extract.

Rgds

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:30 AM

Posted 17 June 2012 - 04:08 PM

A reformat should have resolved the malware issue, but I'd be happy to check for you if you want to run FRST just to be certain.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:30 AM

Posted 22 June 2012 - 03:37 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
