
Infected with Trojan.0access and Win32:Sirefef-PL[Rtk]


  • This topic is locked
17 replies to this topic

#1 korniceman3000

Posted 06 July 2012 - 01:35 PM

Hi everyone. Hope you won't mind helping me with this issue.

Yesterday, upon start up of my laptop (Windows Vista Home Edition OS), I was informed by Avast that I had some sort of a trojan infection and that it would proceed to quarantine them to the virus chest. After the reboot and scan, it had shown that the virus was removed but another scan done by MBAM revealed that the infected object was still there. I was told by MBAM that it was the following file C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) but I can't seem to find it anywhere. An Avast scan stated the following had been removed/placed in virus chest but each subsequent scan by MBAM still reveals the Desktop.ini to be infected.

C:\Windows\assembly\GAC\Desktop.ini
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\n
C:\Windows\Installer\...\000000cb.@
Win32:Sirefef-PL[Rtk]
Win32:Malware-gen

At one point, Avast stated that one of my music software exe files for FL Studio.exe was a virus even though upon scanning by both Avast and MBAM, it was not. I'm not sure what is the cause of some false positives or how to remove this virus. My Google Chrome browser gets periodically automatically redirected to this address http://83.133.127.55/ whenever I click on a link in Yahoo or Google.

Also, whenever I try to access google.com on Chrome, I receive the following message:

The site's security certificate is signed using a weak signature algorithm!
You attempted to reach www.google.com, but the server presented a certificate signed using a weak signature algorithm. This means that the security credentials the server presented could have been forged, and the server may not be the server you expected (you may be communicating with an attacker).
You cannot proceed because the website operator has requested heightened security for this domain.

I have enclosed a copy of the DDS scan log for your review.

Please help me resolve this issue.
Thank you for your time. Your help is greatly appreciated.
Best regards,
JTL




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Justin T Leung at 14:16:02 on 2012-07-06
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3036.949 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATK Hotkey\MsgTranAgt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ATK Hotkey\LOSD.exe
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\real\realplayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Program Files\Image-Line\FL Studio 7\FL.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin T Leung\AppData\Local\Google\Chrome\Application%

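As an added defender-side example (not from the original post, from BleepingComputer, or from any tool named in the thread), the following Python script checks a Windows directory tree for the two file artifacts the post lists: a Desktop.ini directly under Windows\assembly\GAC that is not a short INI text file, and payload files named n or *.@ inside a Windows\Installer\{GUID} folder. The 4 KB size limit and the "starts with [" heuristic are assumptions, and the sample tree is constructed in a temporary directory so nothing on a real system is touched.

```python
import os
import re
import tempfile

# Installer cache folders are named by a braced GUID, e.g. {1ec6a51f-804c-3b4d-6c80-a239b6741082}
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Payload names quoted in the post: a bare "n" and a hex-named ".@" file
PAYLOAD_NAME = re.compile(r"^(?:n|[0-9a-f]{8}\.@)$", re.I)
INI_SIZE_LIMIT = 4096  # assumption: a genuine Desktop.ini is a short text file


def looks_like_ini_text(path):
    """True if the file is small and starts with an INI section header such as [.ShellClassInfo]."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return size < INI_SIZE_LIMIT and head.lstrip().startswith(b"[")


def find_artifacts(windows_root):
    """Return (kind, path) tuples for the two artifact patterns, sorted for stable output."""
    findings = []
    gac_ini = os.path.join(windows_root, "assembly", "GAC", "Desktop.ini")
    if os.path.isfile(gac_ini) and not looks_like_ini_text(gac_ini):
        findings.append(("gac_desktop_ini", gac_ini))
    installer = os.path.join(windows_root, "Installer")
    if os.path.isdir(installer):
        for entry in os.listdir(installer):
            sub = os.path.join(installer, entry)
            if not (os.path.isdir(sub) and GUID_DIR.match(entry)):
                continue
            for name in os.listdir(sub):
                if PAYLOAD_NAME.match(name):
                    findings.append(("installer_guid_payload", os.path.join(sub, name)))
    return sorted(findings)


def build_sample_tree(base, infected):
    """Constructed sample layout mirroring the paths quoted in the post (not a real system)."""
    gac = os.path.join(base, "Windows", "assembly", "GAC")
    os.makedirs(gac)
    guid = os.path.join(base, "Windows", "Installer", "{1ec6a51f-804c-3b4d-6c80-a239b6741082}")
    os.makedirs(guid)
    with open(os.path.join(gac, "Desktop.ini"), "wb") as fh:
        if infected:
            fh.write(b"MZ" + b"\x00" * 8000)  # binary blob posing as an INI file
        else:
            fh.write(b"[.ShellClassInfo]\r\nIconResource=dummy\r\n")
    if infected:
        for name in ("n", "000000cb.@"):
            with open(os.path.join(guid, name), "wb") as fh:
                fh.write(b"\x00" * 16)
    # benign control present in both variants: an ordinary cached MSI
    with open(os.path.join(guid, "setup.msi"), "wb") as fh:
        fh.write(b"not a payload")
    return os.path.join(base, "Windows")


def run_self_test(infected=True):
    """Build the sample tree in a temp directory and return (kind, file name) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp, infected)
        return [(kind, os.path.basename(path)) for kind, path in find_artifacts(root)]


if __name__ == "__main__":
    for hit in run_self_test():
        print("suspect:", *hit)
```

Point find_artifacts at a real Windows folder (from a clean boot environment, as the thread's instructions do) to apply the same checks outside the self-test.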



#2 CatByte (bleepin' tiger, Malware Response Team)

Posted 06 July 2012 - 03:55 PM

Hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Boot Menu:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Choose your language settings, and then click Next.
  • Click Repair your computer.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 korniceman3000 (Topic Starter)

Posted 07 July 2012 - 01:19 PM

Hi CatByte and thank you for your reply.

Before I start, hope you won't mind my asking a few questions. I don't have a flash drive, so would it be ok if I used an external hard drive? Will the Farbar scan affect the contents of the hard drive, e.g. transfer/infect it with the virus? If so, I will purchase a flash drive.

I also noticed that one of the steps requires that I use a Windows installation disc, but my laptop was purchased from Best Buy with Windows Home Edition pre-installed and did not come with a disc copy. Do I have to carry out both steps or just perform the Boot Menu one?

Please let me know.
Thank you for your help. It is greatly appreciated.
JTL



#4 CatByte (bleepin' tiger, Malware Response Team)

Posted 07 July 2012 - 01:27 PM

Hi, you can try an external hard drive, but that may not work. You could try saving FRST directly to your C:\ drive and run it from there; however, the recovery environment will probably change your OS drive letter from C:\ to D:\. It appears that your recovery environment should be pre-installed if you were not supplied with an installation disk (those instructions are only if the recovery environment is not pre-installed).

Let me know if you have any other questions.



#5 korniceman3000 (Topic Starter)

Posted 08 July 2012 - 12:51 PM

Hi CatByte,

Thank you for the reply. I bought a flash drive and followed your instructions as advised. Please find the FRST log below.
It still lists the C:\Windows\assembly\GAC\Desktop.ini and services.exe as present.

Thank you for your help. It is much appreciated. Please advise on the next step.
JTL


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 07-07-2012 03
Ran by SYSTEM at 07-07-2012 18:38:47
Running from E:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4241512 2012-03-06] (AVAST Software)
HKLM\...\Run: [TkBellExe] "C:\Program Files\real\realplayer\update\realsched.exe" -osboot [273544 2011-08-08] (RealNetworks, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKU\Justin T Leung\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2009-02-18] (Google Inc.)
HKU\Justin T Leung\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [3905408 2012-07-05] (SUPERAntiSpyware.com)
HKU\Justin T Leung\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [1022352 2012-07-02] (BitTorrent, Inc.)
HKU\Justin T Leung\...\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" [409320 2011-03-24] (SANDBOXIE L.T.D)
HKU\Justin T Leung\...\Run: [Google Update] "C:\Users\Justin T Leung\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-02-26] (Google Inc.)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
ShortcutTarget: WDDMStatus.lnk -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (Western Digital Technologies, Inc.)

================================ Services (Whitelisted) ==================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2011-08-24] (SUPERAntiSpyware.com)
2 ASLDRService; C:\Program Files\ATK Hotkey\ASLDRSrv.exe [94208 2007-10-02] ()
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44768 2012-03-06] (AVAST Software)
2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [518696 2008-04-10] (Broadcom Corporation.)
2 ETService; C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [24576 2008-06-11] ()
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
3 GameConsoleService; "C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe" [165416 2008-05-05] (WildTangent, Inc.)
3 GoogleDesktopManager-080708-050100; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [24064 2008-12-24] (Google)
2 NIHardwareService; C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [4176896 2011-12-05] (Native Instruments GmbH)
3 odserv; "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [440696 2011-07-20] (Microsoft Corporation)
3 ose; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [145184 2006-10-26] (Microsoft Corporation)
2 SbieSvc; "C:\Program Files\Sandboxie\SbieSvc.exe" [72936 2011-03-24] (SANDBOXIE L.T.D)
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 WDDMService; "C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe" [237056 2010-09-08] (WDC)
4 WDFME; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe" [1034752 2010-09-08] ()
2 WDSC; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe" [484352 2010-09-08] ()

========================== Drivers (Whitelisted) =============

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [20696 2012-03-06] (AVAST Software)
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [57688 2012-03-06] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [35672 2012-03-06] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [612184 2012-03-06] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [337880 2012-03-06] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [53848 2012-03-06] (AVAST Software)
1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [31088 2010-12-16] (Elaborate Bytes AG)
2 int15; \??\C:\Windows\system32\drivers\int15.sys [15392 2008-06-11] (Acer, Inc.)
3 IntcHdmiAddService; C:\Windows\System32\drivers\IntcHdmi.sys [112128 2008-07-14] (Intel® Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2006-12-13] (ATK0100)
2 Nsynas32; C:\Windows\System32\Drivers\Nsynas32.sys [17688 2005-11-03] (SIA Syncrosoft)
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-08] (Microsoft Corporation)
3 pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [47360 2010-06-30] (VSO Software)
3 pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [8192 2007-06-02] ()
3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [14904 2010-07-07] (Secunia)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-08-09] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-08-09] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SbieDrv; \??\C:\Program Files\Sandboxie\SbieDrv.sys [126696 2011-03-24] (SANDBOXIE L.T.D)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1769984 2007-09-30] ()
3 SynasUSB; C:\Windows\System32\drivers\SynasUSB.sys [16896 2005-11-03] (SIA Syncrosoft)
0 TPkd; C:\Windows\System32\Drivers\TPkd.sys [93304 2011-06-28] (PACE Anti-Piracy, Inc.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
4 jgtdmehf; [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-07 13:41 - 2012-07-07 13:43 - 69074072 ____A C:\Users\Justin T Leung\Downloads\tcwhwjzdpsyz.avi
2012-07-07 13:37 - 2012-07-06 12:23 - 00000000 ____D C:\Users\Justin T Leung\Downloads\SMTown World Tour iPad app by Min.SY
2012-07-07 13:24 - 2012-07-07 13:37 - 19649389 ____A C:\Users\Justin T Leung\Downloads\SMTown World Tour iPad app by Min.SY.rar
2012-07-07 12:40 - 2012-07-07 13:54 - 00000000 ____D C:\Users\Justin T Leung\Downloads\Orbit 7-7-2012
2012-07-07 12:23 - 2012-07-07 12:23 - 00002084 ____A C:\Users\Justin T Leung\Documents\CatByte Virus Removal (7-7-2012).rtf
2012-07-07 12:20 - 2012-07-07 12:20 - 00101126 ____A C:\Users\Justin T Leung\Downloads\Infected with Trojan.0access and Win32 Sirefef-PL[Rtk].htm
2012-07-07 12:20 - 2012-07-07 12:20 - 00000000 ____D C:\Users\Justin T Leung\Downloads\Infected with Trojan.0access and Win32 Sirefef-PL[Rtk]_files
2012-07-07 10:41 - 2012-07-07 10:46 - 21064247 ____A C:\Users\Justin T Leung\Downloads\2NE1 - I LOVE YOU M_V(360p_H.264-AAC).mp4
2012-07-07 10:37 - 2012-07-07 10:53 - 74132784 ____A C:\Users\Justin T Leung\Downloads\120706 SNSD Yoon-A Cut @ MBC Special(720p_H.264-AAC).mp4
2012-07-07 09:45 - 2012-07-07 09:45 - 00888144 ____A C:\Users\Justin T Leung\Downloads\FRST.exe
2012-07-06 13:27 - 2012-07-06 13:33 - 20925945 ____A C:\Users\Justin T Leung\Downloads\Shreddage X - Double-tracking and tone crafting with ReValver HPse! (Demo Video #2)(360p_H.264-AAC).mp4
2012-07-06 13:22 - 2012-07-06 13:22 - 00013222 ____A C:\Users\Justin T Leung\Downloads\(demian007)_Peavey_Revalver_Mk_III_V_VST_STANDALONE_(incl_patch)-[Demonoid.me].torrent
2012-07-06 13:06 - 2012-07-06 13:08 - 14004848 ____A C:\Users\Justin T Leung\Downloads\Shreddage SFZ - 5 minute setup and usage tutorial(360p_H.264-AAC).mp4
2012-07-06 10:20 - 2012-07-06 10:20 - 00019300 ____A C:\Users\Justin T Leung\Documents\Attach (7-6-2012).txt
2012-07-06 10:20 - 2012-07-06 10:20 - 00016266 ____A C:\Users\Justin T Leung\Documents\DDS (7-6-2012).txt
2012-07-06 10:14 - 2012-07-06 10:14 - 00607260 ____R (Swearware) C:\Users\Justin T Leung\Downloads\dds.scr
2012-07-05 12:44 - 2012-07-05 17:44 - 00000000 ____D C:\Users\Justin T Leung\Downloads\P.O.D. - Murdered Love (2012)
2012-07-05 11:42 - 2012-07-05 11:42 - 06714656 ____A C:\Users\Justin T Leung\Downloads\Amp sim Lecto - Holy Wars intro by Megadeth(1080p_H.264-AAC).mp4
2012-07-05 11:39 - 2012-07-05 11:39 - 01409403 ____A C:\Users\Justin T Leung\Downloads\????? Challenge SALE(6_29~7_29)(360p_H.264-AAC).mp4
2012-07-05 11:37 - 2012-07-05 11:39 - 06137022 ____A C:\Users\Justin T Leung\Downloads\SNSD NEW CF YOONA VER.(1080p_H.264-AAC).mp4
2012-07-05 11:28 - 2012-07-05 11:37 - 27153939 ____A C:\Users\Justin T Leung\Downloads\120702 macao tiffany fancam interview(720p_H.264-AAC).mp4
2012-07-05 10:36 - 2012-07-05 10:38 - 07320243 ____A C:\Users\Justin T Leung\Downloads\2NE1 - I LOVE YOU [Audio](360p_H.264-AAC).mp4
2012-07-04 12:41 - 2012-07-04 12:40 - 00018995 ____A C:\Users\Justin T Leung\Downloads\[Demonoid.me]-Cinematic_Strings_Monster_Staccatos_[patch](win_mac)_rar.torrent
2012-07-04 12:34 - 2012-07-04 12:34 - 00037422 ____A C:\Users\Justin T Leung\Downloads\Cinematic_Strings_Pro_Edition_KONTAKT(win_mac)_rar__-Demonoid.me-_.torrent
2012-07-04 12:20 - 2012-07-04 12:20 - 02096675 ____A C:\Users\Justin T Leung\Downloads\Amplitube 3 - Dual Rectifier Guitarhack Impulses(360p_H.264-AAC).mp4
2012-07-04 11:39 - 2012-07-04 11:41 - 13811429 ____A C:\Users\Justin T Leung\Downloads\2NE1 - I LOVE YOU M_V Teaser(1080p_H.264-AAC).mp4
2012-07-03 10:10 - 2012-07-03 10:22 - 70479332 ____A C:\Users\Justin T Leung\Downloads\T-ara(???) _ DAY BY DAY(360p_H.264-AAC).mp4
2012-07-03 10:07 - 2012-07-03 10:10 - 12961229 ____A C:\Users\Justin T Leung\Downloads\[FANCAM]120702 KPOP Nation In Macau SNSD stopped performing due to technical problem(1080p_H.264-AAC).mp4
2012-07-02 13:02 - 2012-07-02 13:04 - 20073542 ____A C:\Users\Justin T Leung\Downloads\120701 - ???? ????(720p_H.264-AAC).mp4
2012-07-02 11:51 - 2012-07-02 11:52 - 11047782 ____A C:\Users\Justin T Leung\Downloads\Ola Englund (Feared) - The Unknown Song (mixed by matisq) - ReValver MKIII.V 6505(360p_H.264-AAC).mp4
2012-07-02 11:51 - 2012-07-02 11:52 - 05474908 ____A C:\Users\Justin T Leung\Downloads\Recabinet 3 - Ola Englund presets(360p_H.264-AAC).mp4
2012-07-02 11:36 - 2012-07-02 11:36 - 00043424 ____A C:\Users\Justin T Leung\Downloads\Olas Revalver presets.bank
2012-07-02 11:07 - 2012-07-02 11:07 - 00000000 ____D C:\Users\Justin T Leung\AppData\Local\ExtractNow
2012-07-02 11:07 - 2012-07-02 11:07 - 00000000 ____D C:\Program Files\ExtractNow
2012-07-02 11:06 - 2012-07-02 11:06 - 01890040 ____A (Nathan Moinvaziri ) C:\Users\Justin T Leung\Downloads\extractnow.exe
2012-07-02 10:58 - 2012-07-02 10:59 - 16153034 ____A C:\Users\Justin T Leung\Downloads\SISTAR_Loving U_Dance Practice ver.(????)(360p_H.264-AAC).mp4
2012-07-02 09:27 - 2012-07-02 14:23 - 00000000 ____D C:\Users\Justin T Leung\AppData\Roaming\Nico Mak Computing
2012-07-02 09:27 - 2011-11-10 06:33 - 00017224 ____A (WinZip Computing, S.L.(WinZip Computing)) C:\Windows\System32\roboot.exe
2012-07-02 09:26 - 2012-07-02 14:23 - 00000000 ____D C:\Program Files\WinZip Registry Optimizer
2012-07-01 12:35 - 2012-07-01 12:35 - 00014781 ____A C:\Users\Justin T Leung\Downloads\Wind Blast -2010- [DVDRip.XviD-miguel] [ENG] [h33t].torrent
2012-07-01 10:58 - 2012-07-01 10:59 - 02904725 ____A C:\Users\Justin T Leung\Downloads\[FANCAM] 120701 Macau Ferry - Yoona Sooyoung and Tiffany(360p_H.264-AAC).mp4
2012-07-01 10:16 - 2012-07-01 10:16 - 00015118 ____A C:\Users\Justin T Leung\Downloads\Duma - 2005 - DvDrip - Xvid - Eng - aman15 [h33t].torrent
2012-06-30 12:50 - 2012-06-30 12:53 - 26779648 ____A C:\Users\Justin T Leung\Downloads\Schlampe - Knochenmauer.wav
2012-06-29 10:29 - 2012-06-29 10:33 - 18282109 ____A C:\Users\Justin T Leung\Downloads\CHI CHI Love is Energy Music Video Full Version(360p_H.264-AAC).mp4
2012-06-29 10:29 - 2012-06-29 10:31 - 11790853 ____A C:\Users\Justin T Leung\Downloads\???? ??? (SNSD - TTS) ?? ????.wmv(360p_H.264-AAC).mp4
2012-06-29 10:13 - 2012-06-29 10:42 - 88059433 ____A C:\Users\Justin T Leung\Downloads\YoonA, Jessica, - 120629 I am(Movie) Stage Greetings(CGV Gimpo Airport) 1 by Hanbang(720p_H.264-AAC).mp4
2012-06-28 10:36 - 2012-06-28 10:38 - 06264644 ____A C:\Users\Justin T Leung\Downloads\120627 High Cut vol.79 - ???? ?????? SNSD High Cut photoshoot(360p_H.264-AAC).mp4
2012-06-28 10:04 - 2012-06-28 10:07 - 10149409 ____A C:\Users\Justin T Leung\Downloads\MONUMENTS - Doxa (OFFICIAL ALBUM TRACK)(360p_H.264-AAC).mp4
2012-06-27 10:52 - 2012-06-27 10:55 - 21848039 ____A C:\Users\Justin T Leung\Downloads\Girls' Generation - Paparazzi MV Close Up(360p_H.264-AAC).mp4
2012-06-27 10:37 - 2012-06-27 10:37 - 00000380 ____A C:\Users\Justin T Leung\Documents\ANNE YIP CONTACT INFO.rtf
2012-06-26 13:18 - 2012-06-26 13:18 - 00000000 ____D C:\Users\Justin T Leung\Documents\Nomad Factory
2012-06-26 13:18 - 2012-06-26 13:18 - 00000000 ____D C:\Program Files\Common Files\Nomad Factory
2012-06-26 13:00 - 2012-06-26 13:03 - 13358832 ____A C:\Users\Justin T Leung\Downloads\StrumGTR - Vol. I. Electric. _ Wavesfactory _ Kontakt _ EXS24(720p_H.264-AAC).mp4
2012-06-26 10:10 - 2012-06-26 10:12 - 16665042 ____A C:\Users\Justin T Leung\Downloads\Power Tube testing - Metal(360p_H.264-AAC).mp4
2012-06-25 10:29 - 2012-06-25 10:32 - 12621447 ____A C:\Users\Justin T Leung\Downloads\120624 SNSD YoonA Yakult Promotion video(720p_H.264-AAC).mp4
2012-06-24 13:17 - 2012-06-24 13:27 - 63675378 ____A C:\Users\Justin T Leung\Downloads\SNSD Jestina Making Film(720p_H.264-AAC).mp4
2012-06-23 11:14 - 2012-06-23 11:14 - 04097378 ____A C:\Users\Justin T Leung\Downloads\120623 Sooyoung, Yoona, Seohyun I AM Japan Video Message(720p_H.264-AAC).mp4
2012-06-22 10:45 - 2012-06-22 10:46 - 10468343 ____A C:\Users\Justin T Leung\Downloads\120622 SNSD(????) - Talk MS(360p_H.264-AAC).mp4
2012-06-22 10:38 - 2012-06-22 10:42 - 16514271 ____A C:\Users\Justin T Leung\Downloads\120622 SNSD(????) - Opening MS(720p_H.264-AAC).mp4
2012-06-21 08:48 - 2012-06-21 08:48 - 00000752 ____A C:\Users\Justin T Leung\Documents\HKPA EXCEL Email.rtf
2012-06-21 07:44 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 07:44 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 07:44 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 07:44 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 07:43 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 07:43 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 07:43 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 07:42 - 2012-06-02 11:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 07:42 - 2012-06-02 11:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-21 07:02 - 2012-06-21 07:02 - 00015779 ____A C:\Users\Justin T Leung\Downloads\((Demonoid.me))-ToonTrack_Americana_EZX_Win_EXPANSION_AudioP2P.torrent
2012-06-20 12:48 - 2012-06-20 12:50 - 11087108 ____A C:\Users\Justin T Leung\Downloads\PERIPHERY - Scarlet (OFFICIAL ALBUM TRACK)(360p_H.264-AAC).mp4
2012-06-17 15:03 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-17 15:03 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-17 15:03 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-17 15:03 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-17 15:03 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-17 15:03 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-17 15:03 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-17 15:03 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-17 15:03 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-17 15:03 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-17 15:03 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-17 15:03 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-17 15:03 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-17 15:03 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-16 12:47 - 2012-06-16 12:55 - 50649806 ____A C:\Users\Justin T Leung\Downloads\Yoona cut [full] Jamshil baseball stadium (Doosan Bears) Jun 15, 2012 GIRLS' GENERATION(720p_H.264-AAC).mp4
2012-06-16 10:22 - 2012-06-16 10:23 - 03451349 ____A C:\Users\Justin T Leung\Downloads\Yoona (SNSD) CF - Innisfree Part 1 2 3 Mineral Melting Foundation Feb18.2011 GIRLS' GENERATION(360p_H.264-AAC).mp4
2012-06-16 10:20 - 2012-06-16 10:22 - 05575537 ____A C:\Users\Justin T Leung\Downloads\Yoona 110916 SNSD - EIDER TV commercial making film.mp4
2012-06-13 11:41 - 2012-06-13 15:59 - 00000000 ____D C:\Users\Justin T Leung\Downloads\Prime.Loops.High.Voltage.Solo.Guitars.-28WAV-29
2012-06-13 10:30 - 2012-06-13 10:31 - 05363011 ____A C:\Users\Justin T Leung\Downloads\Yoona funny face @ Love Rain Press Conference(720p_H.264-AAC).mp4
2012-06-12 13:47 - 2012-06-12 13:47 - 00000000 ____D C:\Users\Justin T Leung\Downloads\Periphery II Demo
2012-06-12 13:04 - 2012-04-23 08:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-12 13:04 - 2012-04-23 08:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-12 13:04 - 2012-04-23 08:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-12 12:31 - 2012-05-15 11:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 12:31 - 2012-05-01 06:03 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-12 10:59 - 2012-06-12 10:59 - 00000485 ____A C:\Users\Justin T Leung\Documents\Cat Emoticon.rtf
2012-06-12 05:35 - 2012-07-07 11:56 - 00000000 ____D C:\Users\Justin T Leung\Downloads\Assorted Downloaded Files
2012-06-11 10:50 - 2012-06-11 10:51 - 07171017 ____A C:\Users\Justin T Leung\Downloads\Girl plays three instruments at once! AMAZING!!(360p_H.264-AAC).mp4
2012-06-11 10:46 - 2012-06-11 10:46 - 00000272 ____A C:\Users\Justin T Leung\Documents\MDC Number.rtf
2012-06-08 13:08 - 2012-06-08 13:25 - 84656417 ____A C:\Users\Justin T Leung\Downloads\Yoona in Love Rain(720p_H.264-AAC).mp4



============ 3 Months Modified Files ========================

2012-07-07 14:33 - 2008-12-24 00:26 - 01947069 ____A C:\Windows\WindowsUpdate.log
2012-07-07 14:33 - 2008-10-31 00:44 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-07-07 14:33 - 2006-11-02 05:01 - 00032594 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-07 14:33 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-07 14:33 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-07 14:33 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-07 14:30 - 2006-11-02 02:33 - 00791000 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-07 14:28 - 2010-02-07 12:24 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-07 14:23 - 2010-02-07 12:24 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-07 13:55 - 2009-11-08 21:21 - 01044336 ____A C:\Users\Justin T Leung\Desktop\Emule Forums.txt
2012-07-07 13:54 - 2010-03-11 12:35 - 00000944 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2387443995-1114366851-1031939079-1000UA.job
2012-07-07 13:53 - 2012-05-03 11:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-07 13:43 - 2012-07-07 13:41 - 69074072 ____A C:\Users\Justin T Leung\Downloads\tcwhwjzdpsyz.avi
2012-07-07 13:37 - 2012-07-07 13:24 - 19649389 ____A C:\Users\Justin T Leung\Downloads\SMTown World Tour iPad app by Min.SY.rar
2012-07-07 13:32 - 2011-12-09 10:50 - 00014862 ____A C:\Users\Justin T Leung\Documents\Kung Fu YT Movies.rtf
2012-07-07 12:23 - 2012-07-07 12:23 - 00002084 ____A C:\Users\Justin T Leung\Documents\CatByte Virus Removal (7-7-2012).rtf
2012-07-07 12:20 - 2012-07-07 12:20 - 00101126 ____A C:\Users\Justin T Leung\Downloads\Infected with Trojan.0access and Win32 Sirefef-PL[Rtk].htm
2012-07-07 10:53 - 2012-07-07 10:37 - 74132784 ____A C:\Users\Justin T Leung\Downloads\120706 SNSD Yoon-A Cut @ MBC Special(720p_H.264-AAC).mp4
2012-07-07 10:46 - 2012-07-07 10:41 - 21064247 ____A C:\Users\Justin T Leung\Downloads\2NE1 - I LOVE YOU M_V(360p_H.264-AAC).mp4
2012-07-07 09:54 - 2010-03-11 12:35 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2387443995-1114366851-1031939079-1000Core.job
2012-07-07 09:45 - 2012-07-07 09:45 - 00888144 ____A C:\Users\Justin T Leung\Downloads\FRST.exe
2012-07-07 09:34 - 2008-12-24 00:42 - 00000000 ____A C:\Windows\System32\LogConfigTemp.xml
2012-07-07 09:33 - 2012-02-13 06:22 - 00004630 ____A C:\Windows\PFRO.log
2012-07-06 14:01 - 2011-03-27 06:19 - 00008522 ____A C:\Windows\Sandboxie.ini
2012-07-06 13:33 - 2012-07-06 13:27 - 20925945 ____A C:\Users\Justin T Leung\Downloads\Shreddage X - Double-tracking and tone crafting with ReValver HPse! (Demo Video #2)(360p_H.264-AAC).mp4
2012-07-06 13:22 - 2012-07-06 13:22 - 00013222 ____A C:\Users\Justin T Leung\Downloads\(demian007)_Peavey_Revalver_Mk_III_V_VST_STANDALONE_(incl_patch)-[Demonoid.me].torrent
2012-07-06 13:08 - 2012-07-06 13:06 - 14004848 ____A C:\Users\Justin T Leung\Downloads\Shreddage SFZ - 5 minute setup and usage tutorial(360p_H.264-AAC).mp4
2012-07-06 11:47 - 2009-11-08 21:21 - 00017844 ____A C:\Users\Justin T Leung\Desktop\Song Names.txt
2012-07-06 10:20 - 2012-07-06 10:20 - 00019300 ____A C:\Users\Justin T Leung\Documents\Attach (7-6-2012).txt
2012-07-06 10:20 - 2012-07-06 10:20 - 00016266 ____A C:\Users\Justin T Leung\Documents\DDS (7-6-2012).txt
2012-07-06 10:14 - 2012-07-06 10:14 - 00607260 ____R (Swearware) C:\Users\Justin T Leung\Downloads\dds.scr
2012-07-06 07:05 - 2010-04-07 12:34 - 00002231 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-06 06:55 - 2010-05-01 14:51 - 00000372 ____A C:\rkill.log
2012-07-06 06:12 - 2010-03-07 12:18 - 00009498 ____A C:\Users\Justin T Leung\Desktop\hijackthis.log
2012-07-05 11:42 - 2012-07-05 11:42 - 06714656 ____A C:\Users\Justin T Leung\Downloads\Amp sim Lecto - Holy Wars intro by Megadeth(1080p_H.264-AAC).mp4
2012-07-05 11:39 - 2012-07-05 11:39 - 01409403 ____A C:\Users\Justin T Leung\Downloads\????? Challenge SALE(6_29~7_29)(360p_H.264-AAC).mp4
2012-07-05 11:39 - 2012-07-05 11:37 - 06137022 ____A C:\Users\Justin T Leung\Downloads\SNSD NEW CF YOONA VER.(1080p_H.264-AAC).mp4
2012-07-05 11:37 - 2012-07-05 11:28 - 27153939 ____A C:\Users\Justin T Leung\Downloads\120702 macao tiffany fancam interview(720p_H.264-AAC).mp4
2012-07-05 10:38 - 2012-07-05 10:36 - 07320243 ____A C:\Users\Justin T Leung\Downloads\2NE1 - I LOVE YOU [Audio](360p_H.264-AAC).mp4
2012-07-04 19:08 - 2012-03-08 17:31 - 00000048 ____A C:\Users\Justin T Leung\AppData\Roaming\msregsvv.dll
2012-07-04 19:08 - 2012-03-08 17:31 - 00000048 ____A C:\Users\All Users\autobk.inc
2012-07-04 19:08 - 2012-03-08 17:31 - 00000048 ____A C:\Users\All Users\Application Data\autobk.inc
2012-07-04 19:08 - 2011-06-06 07:18 - 00000128 ____A C:\Windows\System32\msvcsv60.dll
2012-07-04 19:08 - 2009-10-15 20:13 - 00000128 ____A C:\Windows\System32\w3data.vss
2012-07-04 19:08 - 2009-10-15 20:13 - 00000128 ____A C:\Windows\msocreg32.dat
2012-07-04 12:40 - 2012-07-04 12:41 - 00018995 ____A C:\Users\Justin T Leung\Downloads\[Demonoid.me]-Cinematic_Strings_Monster_Staccatos_[patch](win_mac)_rar.torrent
2012-07-04 12:34 - 2012-07-04 12:34 - 00037422 ____A C:\Users\Justin T Leung\Downloads\Cinematic_Strings_Pro_Edition_KONTAKT(win_mac)_rar__-Demonoid.me-_.torrent
2012-07-04 12:20 - 2012-07-04 12:20 - 02096675 ____A C:\Users\Justin T Leung\Downloads\Amplitube 3 - Dual Rectifier Guitarhack Impulses(360p_H.264-AAC).mp4
2012-07-04 11:41 - 2012-07-04 11:39 - 13811429 ____A C:\Users\Justin T Leung\Downloads\2NE1 - I LOVE YOU M_V Teaser(1080p_H.264-AAC).mp4
2012-07-03 10:22 - 2012-07-03 10:10 - 70479332 ____A C:\Users\Justin T Leung\Downloads\T-ara(???) _ DAY BY DAY(360p_H.264-AAC).mp4
2012-07-03 10:10 - 2012-07-03 10:07 - 12961229 ____A C:\Users\Justin T Leung\Downloads\[FANCAM]120702 KPOP Nation In Macau SNSD stopped performing due to technical problem(1080p_H.264-AAC).mp4
2012-07-02 13:04 - 2012-07-02 13:02 - 20073542 ____A C:\Users\Justin T Leung\Downloads\120701 - ???? ????(720p_H.264-AAC).mp4
2012-07-02 11:52 - 2012-07-02 11:51 - 11047782 ____A C:\Users\Justin T Leung\Downloads\Ola Englund (Feared) - The Unknown Song (mixed by matisq) - ReValver MKIII.V 6505(360p_H.264-AAC).mp4
2012-07-02 11:52 - 2012-07-02 11:51 - 05474908 ____A C:\Users\Justin T Leung\Downloads\Recabinet 3 - Ola Englund presets(360p_H.264-AAC).mp4
2012-07-02 11:36 - 2012-07-02 11:36 - 00043424 ____A C:\Users\Justin T Leung\Downloads\Olas Revalver presets.bank
2012-07-02 11:06 - 2012-07-02 11:06 - 01890040 ____A (Nathan Moinvaziri ) C:\Users\Justin T Leung\Downloads\extractnow.exe
2012-07-02 10:59 - 2012-07-02 10:58 - 16153034 ____A C:\Users\Justin T Leung\Downloads\SISTAR_Loving U_Dance Practice ver.(????)(360p_H.264-AAC).mp4
2012-07-02 09:26 - 2009-10-28 19:42 - 00000754 ____A C:\Users\Public\Desktop\µTorrent.lnk
2012-07-01 12:35 - 2012-07-01 12:35 - 00014781 ____A C:\Users\Justin T Leung\Downloads\Wind Blast -2010- [DVDRip.XviD-miguel] [ENG] [h33t].torrent
2012-07-01 10:59 - 2012-07-01 10:58 - 02904725 ____A C:\Users\Justin T Leung\Downloads\[FANCAM] 120701 Macau Ferry - Yoona Sooyoung and Tiffany(360p_H.264-AAC).mp4
2012-07-01 10:41 - 2010-04-30 09:37 - 00002089 ____A C:\Users\Justin T Leung\Desktop\Google Chrome.lnk
2012-07-01 10:16 - 2012-07-01 10:16 - 00015118 ____A C:\Users\Justin T Leung\Downloads\Duma - 2005 - DvDrip - Xvid - Eng - aman15 [h33t].torrent
2012-06-30 12:53 - 2012-06-30 12:50 - 26779648 ____A C:\Users\Justin T Leung\Downloads\Schlampe - Knochenmauer.wav
2012-06-29 10:42 - 2012-06-29 10:13 - 88059433 ____A C:\Users\Justin T Leung\Downloads\YoonA, Jessica, - 120629 I am(Movie) Stage Greetings(CGV Gimpo Airport) 1 by Hanbang(720p_H.264-AAC).mp4
2012-06-29 10:33 - 2012-06-29 10:29 - 18282109 ____A C:\Users\Justin T Leung\Downloads\CHI CHI Love is Energy Music Video Full Version(360p_H.264-AAC).mp4
2012-06-29 10:31 - 2012-06-29 10:29 - 11790853 ____A C:\Users\Justin T Leung\Downloads\???? ??? (SNSD - TTS) ?? ????.wmv(360p_H.264-AAC).mp4
2012-06-28 19:46 - 2009-10-18 20:57 - 00000349 ____A C:\Users\Public\Documents\PCLECHAL.INI
2012-06-28 10:38 - 2012-06-28 10:36 - 06264644 ____A C:\Users\Justin T Leung\Downloads\120627 High Cut vol.79 - ???? ?????? SNSD High Cut photoshoot(360p_H.264-AAC).mp4
2012-06-28 10:07 - 2012-06-28 10:04 - 10149409 ____A C:\Users\Justin T Leung\Downloads\MONUMENTS - Doxa (OFFICIAL ALBUM TRACK)(360p_H.264-AAC).mp4
2012-06-27 12:49 - 2010-10-02 11:20 - 00766614 ____A C:\Users\Justin T Leung\Documents\Free NI Instruments.rtf
2012-06-27 10:55 - 2012-06-27 10:52 - 21848039 ____A C:\Users\Justin T Leung\Downloads\Girls' Generation - Paparazzi MV Close Up(360p_H.264-AAC).mp4
2012-06-27 10:37 - 2012-06-27 10:37 - 00000380 ____A C:\Users\Justin T Leung\Documents\ANNE YIP CONTACT INFO.rtf
2012-06-26 13:03 - 2012-06-26 13:00 - 13358832 ____A C:\Users\Justin T Leung\Downloads\StrumGTR - Vol. I. Electric. _ Wavesfactory _ Kontakt _ EXS24(720p_H.264-AAC).mp4
2012-06-26 10:12 - 2012-06-26 10:10 - 16665042 ____A C:\Users\Justin T Leung\Downloads\Power Tube testing - Metal(360p_H.264-AAC).mp4
2012-06-25 13:31 - 2012-05-03 11:55 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-25 13:31 - 2011-12-13 12:12 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-25 10:32 - 2012-06-25 10:29 - 12621447 ____A C:\Users\Justin T Leung\Downloads\120624 SNSD YoonA Yakult Promotion video(720p_H.264-AAC).mp4
2012-06-24 13:27 - 2012-06-24 13:17 - 63675378 ____A C:\Users\Justin T Leung\Downloads\SNSD Jestina Making Film(720p_H.264-AAC).mp4
2012-06-23 11:14 - 2012-06-23 11:14 - 04097378 ____A C:\Users\Justin T Leung\Downloads\120623 Sooyoung, Yoona, Seohyun I AM Japan Video Message(720p_H.264-AAC).mp4
2012-06-22 10:46 - 2012-06-22 10:45 - 10468343 ____A C:\Users\Justin T Leung\Downloads\120622 SNSD(????) - Talk MS(360p_H.264-AAC).mp4
2012-06-22 10:42 - 2012-06-22 10:38 - 16514271 ____A C:\Users\Justin T Leung\Downloads\120622 SNSD(????) - Opening MS(720p_H.264-AAC).mp4
2012-06-21 08:48 - 2012-06-21 08:48 - 00000752 ____A C:\Users\Justin T Leung\Documents\HKPA EXCEL Email.rtf
2012-06-21 07:02 - 2012-06-21 07:02 - 00015779 ____A C:\Users\Justin T Leung\Downloads\((Demonoid.me))-ToonTrack_Americana_EZX_Win_EXPANSION_AudioP2P.torrent
2012-06-20 12:50 - 2012-06-20 12:48 - 11087108 ____A C:\Users\Justin T Leung\Downloads\PERIPHERY - Scarlet (OFFICIAL ALBUM TRACK)(360p_H.264-AAC).mp4
2012-06-19 12:36 - 2012-06-05 17:20 - 02298327 ____A C:\Users\Justin T Leung\Documents\GTR EQ Ola Englund.rtf
2012-06-17 15:40 - 2006-11-02 04:47 - 00594472 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-17 15:10 - 2010-05-16 15:02 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-16 12:55 - 2012-06-16 12:47 - 50649806 ____A C:\Users\Justin T Leung\Downloads\Yoona cut [full] Jamshil baseball stadium (Doosan Bears) Jun 15, 2012 GIRLS' GENERATION(720p_H.264-AAC).mp4
2012-06-16 10:23 - 2012-06-16 10:22 - 03451349 ____A C:\Users\Justin T Leung\Downloads\Yoona (SNSD) CF - Innisfree Part 1 2 3 Mineral Melting Foundation Feb18.2011 GIRLS' GENERATION(360p_H.264-AAC).mp4
2012-06-16 10:22 - 2012-06-16 10:20 - 05575537 ____A C:\Users\Justin T Leung\Downloads\Yoona 110916 SNSD - EIDER TV commercial making film.mp4
2012-06-13 10:31 - 2012-06-13 10:30 - 05363011 ____A C:\Users\Justin T Leung\Downloads\Yoona funny face @ Love Rain Press Conference(720p_H.264-AAC).mp4
2012-06-12 10:59 - 2012-06-12 10:59 - 00000485 ____A C:\Users\Justin T Leung\Documents\Cat Emoticon.rtf
2012-06-11 10:51 - 2012-06-11 10:50 - 07171017 ____A C:\Users\Justin T Leung\Downloads\Girl plays three instruments at once! AMAZING!!(360p_H.264-AAC).mp4
2012-06-11 10:46 - 2012-06-11 10:46 - 00000272 ____A C:\Users\Justin T Leung\Documents\MDC Number.rtf
2012-06-08 13:25 - 2012-06-08 13:08 - 84656417 ____A C:\Users\Justin T Leung\Downloads\Yoona in Love Rain(720p_H.264-AAC).mp4
2012-06-06 11:03 - 2012-06-06 11:01 - 13358502 ____A C:\Users\Justin T Leung\Downloads\2011_12_24 KBS ???? ?? _All I Want For Christmas Is You_ by DaftTaengk(720p_H.264-AAC).mp4
2012-06-06 10:50 - 2012-06-06 10:47 - 29274629 ____A C:\Users\Justin T Leung\Downloads\?????? 1st DVD Preview ? (See the our comments)(720p_H.264-AAC).mp4
2012-06-06 10:40 - 2012-06-06 10:40 - 00030489 ____A C:\Users\Justin T Leung\Downloads\Cat Run 2011 BDRiP XViD NOSCREENS.torrent
2012-06-02 14:19 - 2012-06-21 07:44 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 07:44 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 07:44 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 07:43 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 07:43 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 07:44 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 07:43 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-21 07:42 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-21 07:42 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 10:44 - 2012-06-01 10:43 - 06035928 ____A C:\Users\Justin T Leung\Downloads\2012 ????? ?? ??? ???_??? ?? ???? ????!(360p_H.264-AAC).mp4
2012-05-28 12:48 - 2012-05-28 12:41 - 00005095 ____A C:\Users\Justin T Leung\Documents\Avex (5-28-2012).rtf
2012-05-28 12:32 - 2012-05-28 12:32 - 00003336 ____A C:\Users\Justin T Leung\Documents\Avex Audition (5-28-2012).rtf
2012-05-25 11:14 - 2012-05-25 11:14 - 00000938 ____A C:\Users\Justin T Leung\Documents\New United Mileage Plus Number.rtf
2012-05-25 10:09 - 2012-05-25 10:09 - 00000446 ____A C:\Users\Justin T Leung\Documents\DIGZ Music Address.rtf
2012-05-20 13:48 - 2012-05-20 13:44 - 00019696 ____A C:\Users\Justin T Leung\Downloads\3.jdc
2012-05-20 13:33 - 2012-05-20 13:33 - 02809635 ____A C:\Users\Justin T Leung\Documents\ROUTING KONTAKT TO MIXER CHANNELS.rtf
2012-05-20 13:18 - 2012-05-20 13:18 - 00966056 ____A C:\Users\Justin T Leung\Downloads\Routing multiple outputs to separate mixer channels in FL Studio.mht
2012-05-20 12:01 - 2012-05-20 11:59 - 16759236 ____A C:\Users\Justin T Leung\Downloads\Kontakt Routing In FL Studio - Multiple Outputs Into Mixer(360p_H.264-AAC).mp4
2012-05-19 09:32 - 2010-06-05 14:40 - 00000878 ____A C:\Users\Justin T Leung\Desktop\SpywareBlaster.lnk
2012-05-18 11:25 - 2012-05-18 11:25 - 00000720 ____A C:\Users\Justin T Leung\Documents\Sabrina Yue EMAIL.rtf
2012-05-17 15:11 - 2012-06-17 15:03 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-17 15:03 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-17 15:03 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-17 15:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-17 15:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-17 15:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-17 15:03 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-17 15:03 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-17 15:03 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-17 15:03 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-17 15:03 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-17 15:03 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-17 15:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-17 15:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-15 11:51 - 2012-06-12 12:31 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-11 13:36 - 2012-05-11 13:36 - 00026705 ____A C:\Windows\unins002.dat
2012-05-11 13:35 - 2012-05-11 13:36 - 00715152 ____A C:\Windows\unins002.exe
2012-05-10 10:43 - 2012-05-10 10:41 - 09585315 ____A C:\Users\Justin T Leung\Downloads\Bass processing - Layering Trick - Rock_ Metal (FL Studio_ TSE B.O.D._ Kefir)(240p_H.264-AAC).mp4
2012-05-09 11:49 - 2012-05-09 11:48 - 07476187 ____A C:\Users\Justin T Leung\Downloads\How to create keyswitches in Native Instruments' Kontakt(360p_H.264-AAC).mp4
2012-05-09 10:59 - 2012-05-02 12:11 - 00002717 ____A C:\Users\Justin T Leung\Documents\Email To Hong Kong Academy.rtf
2012-05-03 12:30 - 2012-05-03 12:30 - 00031535 ____A C:\Users\Justin T Leung\Downloads\Godsmack_-_Discography_(1998-2010)_[mp3@320].torrent
2012-05-01 06:03 - 2012-06-12 12:31 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-27 10:00 - 2012-04-27 09:47 - 00003385 ____A C:\Users\Justin T Leung\Documents\Banana Flower.rtf
2012-04-27 09:33 - 2012-04-27 09:33 - 00095188 ____A C:\Users\Justin T Leung\Downloads\[kat.ph]toontrack.superior.drummer.v2.0.vsti.rtas.au.hybrid.airiso.torrent
2012-04-23 13:49 - 2009-10-06 09:32 - 00008102 ____A C:\Users\Justin T Leung\AppData\Roaming\wklnhst.dat
2012-04-23 12:14 - 2012-04-23 12:13 - 00150689 ____A C:\Windows\unins001.dat
2012-04-23 12:13 - 2012-04-23 12:13 - 00715038 ____A C:\Windows\unins001.exe
2012-04-23 08:00 - 2012-06-12 13:04 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 08:00 - 2012-06-12 13:04 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 08:00 - 2012-06-12 13:04 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-22 12:43 - 2012-04-22 12:43 - 00015071 ____A C:\Users\Justin T Leung\Downloads\Ironclad.2011.BRRip.Xvid {1337x}-Noir.torrent
2012-04-22 12:32 - 2012-04-22 12:32 - 00108714 ____A C:\Users\Justin T Leung\Downloads\[kat.ph]asian.action.movies.pack.rosubbed.filelist.torrent
2012-04-22 12:30 - 2012-04-22 12:31 - 00012896 ____A C:\Users\Justin T Leung\Downloads\A Lonely Place to Die 2011 DVDRip XviD AC3 LiNZi.torrent
2012-04-22 12:27 - 2012-04-22 12:27 - 00018147 ____A C:\Users\Justin T Leung\Downloads\[kat.ph]cello.2005.dvdrip.xvid.kor.hardsub.eng.torrent
2012-04-22 12:23 - 2012-04-22 12:23 - 00014549 ____A C:\Users\Justin T Leung\Downloads\[kat.ph]muoi.dvdrip.xvid.postx.torrent
2012-04-22 12:20 - 2012-04-22 12:20 - 00021900 ____A C:\Users\Justin T Leung\Downloads\[kat.ph]whispering.corridors.complete.all.5.memento.mori.wishing.stairs.voice.amp.blood.pledge.w.subs.torrent
2012-04-22 12:17 - 2012-04-22 12:17 - 00014566 ____A C:\Users\Justin T Leung\Downloads\Whispering_Corridors_(ENG_SUB).torrent
2012-04-22 12:15 - 2012-04-22 12:15 - 00015892 ____A C:\Users\Justin T Leung\Downloads\Assassination Games[2011]DVDRip XviD-ExtraTorrentRG.torrent
2012-04-22 11:54 - 2012-04-22 11:55 - 00028433 ____A C:\Users\Justin T Leung\Downloads\[kat.ph]the.quiet.family.choyonghan.kajok.korean.by.choi.min.sik.torrent
2012-04-22 11:32 - 2012-04-22 11:32 - 00058351 ____A C:\Users\Justin T Leung\Downloads\Naked.Fear.2007.PROPER.DVDRip.XviD-VoMiT.5716204.TPB.torrent
2012-04-22 11:28 - 2012-04-22 11:29 - 00015031 ____A C:\Users\Justin T Leung\Downloads\100.Feet.2008.DvDRip-FxM.torrent
2012-04-22 11:27 - 2012-04-22 11:27 - 00014726 ____A C:\Users\Justin T Leung\Downloads\The Skeptic LiMiTED DVDRip XviD-DoNE [h33t].torrent
2012-04-20 09:53 - 2012-04-20 09:51 - 13667440 ____A C:\Users\Justin T Leung\Downloads\Heavier Guitar Tones (pt.1) - Combining Impulses(720p_H.264-AAC).mp4
2012-04-18 13:30 - 2012-04-18 12:46 - 00001343 ____A C:\Users\Justin T Leung\Documents\Commmons Audition.rtf
2012-04-17 10:38 - 2012-04-17 10:38 - 00067661 ____A C:\Users\Justin T Leung\Downloads\cports.zip
2012-04-17 10:21 - 2012-04-16 10:12 - 00000632 ____A C:\Users\Justin T Leung\Documents\Email To Yuki Fukanoshi (Digz).rtf
2012-04-17 10:04 - 2012-04-17 10:04 - 00000947 ____A C:\Users\Justin T Leung\Documents\Commmons Avex Audition address.rtf
2012-04-16 12:40 - 2012-04-16 12:40 - 00015265 ____A C:\Users\Justin T Leung\Downloads\[kat.ph]my.wife.is.a.gangster.2001.torrent
2012-04-16 11:50 - 2012-04-17 12:27 - 00000096 ____A C:\Users\Justin T Leung\Downloads\film.txt
2012-04-16 11:01 - 2012-04-16 11:01 - 00001084 ____A C:\Users\Justin T Leung\Documents\Short Email To Japan.rtf
2012-04-15 04:40 - 2010-05-31 16:12 - 00000471 ____A C:\Windows\System32\Datei4
2012-04-15 04:40 - 2010-05-31 16:12 - 00000471 ____A C:\Windows\System32\Datei2
2012-04-15 04:40 - 2010-05-31 16:12 - 00000470 ____A C:\Windows\System32\Datei3
2012-04-15 04:40 - 2010-05-31 16:12 - 00000470 ____A C:\Windows\System32\Datei1
2012-04-15 04:40 - 2010-05-31 16:12 - 00000469 ____A C:\Windows\System32\Datei7
2012-04-15 04:40 - 2010-05-31 16:12 - 00000469 ____A C:\Windows\System32\Datei5
2012-04-15 04:40 - 2010-05-31 16:12 - 00000468 ____A C:\Windows\System32\Datei0
2012-04-15 04:40 - 2010-05-31 16:12 - 00000467 ____A C:\Windows\System32\Datei9
2012-04-15 04:40 - 2010-05-31 16:12 - 00000467 ____A C:\Windows\System32\Datei8
2012-04-15 04:40 - 2010-05-31 16:12 - 00000467 ____A C:\Windows\System32\Datei10
2012-04-15 04:40 - 2010-05-31 16:12 - 00000465 ____A C:\Windows\System32\Datei6
2012-04-14 13:02 - 2012-04-14 13:02 - 02620588 ____A C:\Users\Justin T Leung\Downloads\Dunlop MXR M80 - Metal Bass Grit(360p_H.264-AAC).mp4
2012-04-10 09:27 - 2012-01-31 10:33 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

ZeroAccess:
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\@
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\L
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\U
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\L\00000004.@
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\L\1afb2d56
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\L\201d3dde
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\U\00000004.@
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\U\00000008.@
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\U\000000cb.@

ZeroAccess:
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082}
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\@
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\L
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\n
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 3036.56 MB
Available physical RAM: 2702.36 MB
Total Pagefile: 2937.38 MB
Available Pagefile: 2804.5 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:222.88 GB) (Free:34.88 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: () (Removable) (Total:0.48 GB) (Free:0.03 GB) FAT
4 Drive x: (PQSERVICE) (Fixed) (Total:10 GB) (Free:2.82 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 1177 KB
Disk 1 Online 491 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 32 KB
Partition 2 Primary 223 GB 10 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 X PQSERVICE NTFS Partition 10 GB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 223 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 491 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E FAT Removable 491 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-07 14:30

======================= End Of Log ==========================

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 July 2012 - 01:09 PM

Hi,

Please do the following:



Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
4 jgtdmehf; [x]
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082}
C:\Windows\assembly\GAC\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot normally

NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 09 July 2012 - 02:47 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
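
An added example, not from this thread, from FRST or from its author, to show how the fix above relates to the log: a small Python triage helper that reads the two FRST sections quoted earlier (the "ZeroAccess:" path blocks and the "Bamital & volsnap Check" lines) from a constructed excerpt of this log, lists what FRST flagged, and derives the candidate fixlist.txt directory entries the same way CatByte's fix lists the two ZeroAccess folders and the GAC Desktop.ini. All function names are this example's own, and the sample log is constructed from lines posted in the thread. The `SubSystems` and `jgtdmehf` service lines in the real fixlist come from other parts of the log and are not derived here. The helper also encodes the caveat a responder has to keep in mind: the services.exe that failed its MD5 check is reported separately and never put in the fixlist, because a core system binary has to be replaced with a clean copy (which is what ComboFix's "Restored copy from" line further down the thread records), not deleted.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread; it is not part of FRST, ComboFix or the posts
above, and every name in it is this example's own. It parses the
'ZeroAccess:' path blocks and the 'Bamital & volsnap Check' section that FRST
prints, then derives the candidate fixlist.txt directory entries.
"""
import re

# Constructed sample: a short excerpt modelled on the FRST log posted in the thread.
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\@
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\U\000000cb.@

ZeroAccess:
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082}
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\n

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================
"""

MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\b")


def parse_zeroaccess_blocks(log):
    """Return one list of paths per 'ZeroAccess:' block; a blank line ends a block."""
    blocks, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if line == "ZeroAccess:":
            current = []
            blocks.append(current)
        elif line == "":
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def block_root(paths):
    """The shortest path in a block is the directory (or file) every other entry sits under."""
    return min(paths, key=len)


def parse_binary_check(log):
    """Split the 'Bamital & volsnap Check' section into verified and flagged binaries."""
    verified, flagged, in_section = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if "Bamital & volsnap Check" in line:
            in_section = True
            continue
        if in_section and line.startswith("=") and line.endswith("="):
            break                      # reached the next section header
        if not in_section or not line:
            continue
        if line.endswith("=> MD5 is legit"):
            verified.append(line.split(" => ")[0])
            continue
        m = MD5_RE.search(line)
        if m and "ATTENTION" in line:
            flagged.append({
                "path": line[:m.start()].strip(),
                "md5": m.group(1).upper(),
                "label": line[m.end():].split("<====")[0].strip(),
            })
    return verified, flagged


def triage(log):
    """Summarise the log and propose fixlist.txt entries for the ZeroAccess paths."""
    roots = [block_root(b) for b in parse_zeroaccess_blocks(log)]
    verified, flagged = parse_binary_check(log)
    # FRST moves a listed directory together with everything under it (the
    # thread's Fixlog shows exactly that), so listing each block root is enough.
    # Flagged system binaries are reported, never added to the fixlist:
    # deleting services.exe would leave Windows unbootable; it needs a clean
    # copy restored instead.
    fixlist = ["start"] + roots + ["end"]
    return {
        "zeroaccess_roots": roots,
        "verified": verified,
        "flagged_binaries": flagged,
        "fixlist": fixlist,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry in result["flagged_binaries"]:
        print("NEEDS CLEAN COPY:", entry["path"], entry["md5"], entry["label"])
    print("\n".join(result["fixlist"]))
```

Run it against a real FRST.txt by reading the file and passing its contents to `triage()`; the output is a starting point for a helper to review, not a fixlist to run unread, since the thread's own fixlist also carries registry and service lines that this parser does not produce.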


#7 korniceman3000
  • Topic Starter

  • Members
  • 186 posts

Posted 09 July 2012 - 02:22 PM

Hi CatByte,

Thank you for your reply. I performed all the steps you provided and I think it successfully removed the virus!! I re-scanned with both MBAM and Avast and both showed no infection!!! I did notice that in Qoobox, ComboFix did something to Sandboxie, possibly removed it from the registry...

2012-07-08 23:16:09 . 2012-07-08 23:16:09 610 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Sandboxie.reg.dat

Will Sandboxie still work properly after this? I intend to use it each time I open Chrome to prevent any trojans from infecting my browser.

THANK YOU VERY MUCH FOR YOUR INCREDIBLE ASSISTANCE AND FOR HELPING ME REMOVE THE VIRUS!!! IT IS GREATLY APPRECIATED!!!
Best regards,
JTL


Please find the scan logs below for your review.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 07-07-2012 03
Ran by SYSTEM at 2012-07-08 18:28:49 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
jgtdmehf service deleted successfully.
C:\Windows\Installer\{1ec6a51f-804c-3b4d-6c80-a239b6741082} moved successfully.
C:\Users\Justin T Leung\AppData\Local\{1ec6a51f-804c-3b4d-6c80-a239b6741082} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

==== End of Fixlog ====


ComboFix 12-07-08.01 - Justin T Leung 07/08/2012 18:38:16.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3036.1817 [GMT -4:00]
Running from: c:\users\Justin T Leung\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Justin T Leung\AppData\Roaming\FFSJ
c:\users\Justin T Leung\AppData\Roaming\FFSJ\FFSJ.cfg
c:\users\Justin T Leung\AppData\Roaming\Microsoft\Windows\Cookies\isindex.dat
c:\users\Justin T Leung\AppData\Roaming\msregsvv.dll
c:\users\Justin T Leung\AppData\Roaming\vso_ts_preview.xml
c:\windows\assembly\GAC\Desktop.ini
c:\windows\system32\msvcsv60.dll
c:\windows\system32\roboot.exe
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-08 to 2012-07-08 )))))))))))))))))))))))))))))))
.
.
2012-07-08 23:01 . 2012-07-08 23:07 -------- d-----w- c:\users\Justin T Leung\AppData\Local\temp
2012-07-08 23:01 . 2012-07-08 23:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-07-08 23:01 . 2012-07-08 23:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-08 02:38 . 2012-07-08 02:38 -------- d-----w- C:\FRST
2012-07-02 19:07 . 2012-07-02 19:07 -------- d-----w- c:\users\Justin T Leung\AppData\Local\ExtractNow
2012-07-02 19:07 . 2012-07-02 19:07 -------- d-----w- c:\program files\ExtractNow
2012-07-02 17:27 . 2012-07-02 22:23 -------- d-----w- c:\users\Justin T Leung\AppData\Roaming\Nico Mak Computing
2012-07-02 17:26 . 2012-07-02 22:23 -------- d-----w- c:\program files\WinZip Registry Optimizer
2012-06-26 21:18 . 2012-06-26 21:18 -------- d-----w- c:\program files\Common Files\Nomad Factory
2012-06-21 15:44 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 15:44 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 15:44 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 15:44 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 15:43 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-21 15:43 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 15:43 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 15:42 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 15:42 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-12 21:04 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-12 21:04 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-12 21:04 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-12 20:31 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-12 20:31 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-25 21:31 . 2012-05-03 19:55 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-25 21:31 . 2011-12-13 20:12 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-11 21:35 . 2012-05-11 21:36 715152 ----a-w- c:\windows\unins002.exe
2012-04-23 20:13 . 2012-04-23 20:13 715038 ----a-w- c:\windows\unins001.exe
2011-05-24 17:54 . 2011-05-24 17:54 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-19 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-05 3905408]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-07-02 1022352]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-03-24 409320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-08-08 273544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-9-8 5185536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-09 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
.
[HKLM\~\startupfolder\C:^Users^Justin T Leung^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Justin T Leung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-12-24 08:41 24064 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HControlUser]
2008-07-03 10:29 98304 ----a-r- c:\program files\ATK Hotkey\HControlUser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 19:28 954368 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-10-31 05:06 6609440 ----a-w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-07-10 09:52 1348904 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-03 21:31]
.
2012-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 20:23]
.
2012-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 20:23]
.
2012-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2387443995-1114366851-1031939079-1000Core.job
- c:\users\Justin T Leung\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-11 19:29]
.
2012-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2387443995-1114366851-1031939079-1000UA.job
- c:\users\Justin T Leung\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-11 19:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp32&d=1208&m=uc7300_series
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp32&d=1208&m=uc7300_series
uInternet Settings,ProxyServer = 180.96.19.25:8080
uInternet Settings,ProxyOverride = *.local
IE: &Download All by Gigaget - c:\program files\Giganology\Gigaget\getallurl.htm
IE: &Download by Gigaget - c:\program files\Giganology\Gigaget\geturl.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download with Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki...
Trusted Zone: line6.net
TCP: DhcpNameServer = 192.168.1.1
DPF: {714382D9-2086-4D13-BFE3-307AB8E5C173} - hxxp://www.yg-audition.com/mov_component/muFormPlusM.cab
FF - ProfilePath - c:\users\Justin T Leung\AppData\Roaming\Mozilla\Firefox\Profiles\i3j6vqr0.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-Sandboxie - c:\windows\Installer\SandboxieInstall32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-08 19:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2387443995-1114366851-1031939079-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{37C816EC-A972-1F9C-7A03-55264CA2006B}*]
"maeobbeiaailacfajhihgdkmip"=hex:67,61,63,6d,69,70,68,62,65,6c,6d,69,66,63,00,
ff
"abdocbfdooeffifhfmgapeaiebjccginol"=hex:64,61,6c,6f,68,66,6e,69,00,00
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\ATK Hotkey\ASLDRSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\ATK Hotkey\Hcontrol.exe
c:\program files\ATK Hotkey\MsgTranAgt.exe
c:\program files\ATK Hotkey\LOSD.exe
c:\program files\Secunia\PSI\psi.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
c:\program files\ATK Hotkey\WDC.exe
c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\taskmgr.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2012-07-08 19:18:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-08 23:18
.
Pre-Run: 38,143,041,536 bytes free
Post-Run: 38,423,384,064 bytes free
.
- - End Of File - - C4D8BE3C156EF349E31ACE84CE82830E

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:36 PM

Posted 09 July 2012 - 02:48 PM

It was an orphaned entry

- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-Sandboxie - c:\windows\Installer\SandboxieInstall32.exe
.


which means there was nothing associated with it. It looks like the installer file, so it shouldn't have any effect on the program itself.

We just have a couple more scans to do to make sure there are no leftovers; please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 09 July 2012 - 03:52 PM

Hi CatByte,

Thank you for the reply.

I just finished the MBAM scan and all is clear (^__^)!! I will post the ESET scan once it is complete.

Thank you for the info regarding sandbox!


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Justin T Leung :: JUSTINTLEUNG-PC [administrator]

7/9/2012 4:36:13 PM
mbam-log-2012-07-09 (16-36-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243830
Time elapsed: 14 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#10 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 10 July 2012 - 03:24 PM

Wow... This ESET Scan took forever... After several tries, I finally completed the scan. Please find the results below.


C:\FRST\Quarantine\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\{1ec6a51f-804c-3b4d-6c80-a239b6741082}\n Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC\Desktop.ini.vir Win32/Sirefef.EZ trojan
C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win32/Sirefef.FB.Gen trojan
C:\Sandbox\Justin_T_Leung\DefaultBox\user\current\AppData\Local\Temp\jar_cache200872111092463128.tmp a variant of Java/Exploit.CVE-2011-3544.B trojan
C:\Sandbox\Justin_T_Leung\DefaultBox\user\current\AppData\Local\Temp\jar_cache309644785034479001.tmp Java/TrojanDownloader.OpenStream.NCM trojan
C:\Sandbox\Justin_T_Leung\DefaultBox\user\current\AppData\Local\Temp\jar_cache5739159771891012181.tmp a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Sandbox\Justin_T_Leung\DefaultBox\user\current\AppData\Local\Temp\jar_cache6023139165804530531.tmp Java/TrojanDownloader.OpenStream.NCM trojan
C:\Sandbox\Justin_T_Leung\DefaultBox\user\current\AppData\Local\Temp\jar_cache7309263691090303217.tmp multiple threats

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:36 PM

Posted 10 July 2012 - 04:04 PM

Those detections are all in quarantine or sandbox, so we don't have to be concerned.

Please run the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT



Your Java is out of date, so go to Start > Control Panel > Programs and Features, scroll down to the Java installation and Remove it. Now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT


Please advise how your computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 11 July 2012 - 03:45 PM

All is well right now. I will let you know once I have updated both Adobe and Java.

Thank you so much for the help. It is greatly appreciated.
Best regards,
JTL

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:36 PM

Posted 11 July 2012 - 06:17 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the DDS and FRST logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
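The "Make Internet Explorer more secure" step above is done by hand in the Internet Properties dialog. As an added example (my own, not CatByte's or BleepingComputer's), the PowerShell script below audits the same three ActiveX settings in the current user's Internet zone (zone 3) and, only if run with `-Fix`, sets them to the recommended Prompt/Prompt/Disable values. It also prints the per-user proxy configuration, since the ComboFix log earlier in this thread lists a ProxyServer entry under "uInternet Settings", and a proxy the owner never configured is worth confirming. The URL action ids 1001, 1004 and 1201 and the 0 = Enable / 1 = Prompt / 3 = Disable encoding come from my knowledge of the registry layout, not from the thread; the `-Fix` switch is my own.

```powershell
# Added example (not from the thread): read-only audit of the Internet zone
# ActiveX settings the post above tells the user to change; -Fix applies them.
param([switch]$Fix)

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'   # 3 = Internet zone
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# URL action ids for the three options named in the post (assumed from the
# documented zone layout). Value meaning: 0 = Enable, 1 = Prompt, 3 = Disable.
$wanted = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$drift = 0
foreach ($id in ($wanted.Keys | Sort-Object)) {
    $want = $wanted[$id].Value
    $have = (Get-ItemProperty -Path $zone -Name $id -ErrorAction SilentlyContinue).$id
    if ($null -eq $have) {
        $haveText = 'not set (zone default)'
    } elseif ($label.ContainsKey([int]$have)) {
        $haveText = $label[[int]$have]
    } else {
        $haveText = "raw value $have"
    }

    if ($have -ne $want) {
        $drift++
        Write-Host ("[DRIFT] {0} {1}: is {2}, should be {3}" -f $id, $wanted[$id].Name, $haveText, $label[$want])
        if ($Fix) { Set-ItemProperty -Path $zone -Name $id -Value $want -Type DWord }
    } else {
        Write-Host ("[ OK  ] {0} {1}: {2}" -f $id, $wanted[$id].Name, $label[$want])
    }
}

# Proxy check: everything the browser sends goes through a configured proxy,
# so report whatever is set and let the machine owner confirm it is expected.
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1 -or $p.ProxyServer) {
    Write-Host ("[INFO] Proxy: enabled={0} server='{1}' override='{2}'" -f $p.ProxyEnable, $p.ProxyServer, $p.ProxyOverride)
} else {
    Write-Host '[INFO] No per-user proxy configured'
}

Write-Host ("{0} setting(s) differ from the recommended values" -f $drift)
```

Run it from the account whose browser settings you want to check, because the zone and proxy values live under HKCU. If the "Security Zones: Use only machine settings" policy is in force, Internet Explorer reads the equivalent keys under HKLM instead, and this per-user audit will not reflect what the browser actually enforces.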


#14 korniceman3000

korniceman3000
  • Topic Starter

  • Members
  • 186 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 13 July 2012 - 12:38 PM

Sorry for the late reply. My ISP had a massive outage. I will carry out the procedures as soon as I regain my service.

Thank you very much for your patience and assistance.
I apologize for the inconvenience.
Best regards,
JTL

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:36 PM

Posted 13 July 2012 - 02:25 PM

No problem, let me know if there are any remaining issues with your machine.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




