Sirefef infection


  • This topic is locked
2 replies to this topic

#1 serenescene

serenescene

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:06 AM

Posted 20 July 2012 - 11:20 AM

I have run frst64.exe from system recovery and here is the log file:

Scan result of Farbar Recovery Scan Tool Version: 20-07-2012
Ran by SYSTEM at 20-07-2012 09:07:17
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-07-29] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1482080 2009-08-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-08-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [34648 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon [689488 2008-03-10] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2114376 2008-03-17] (CANON INC.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKU\CS Johnson\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
AppInit_DLLs:
Tcpip\..\Interfaces\{23F74F0E-3092-418C-B9D6-44068E345543}: [NameServer]8.26.56.26,156.154.70.22
Tcpip\..\Interfaces\{AD06741D-6FCD-4C7C-99B7-34C9A8A06ACE}: [NameServer]8.26.56.26,156.154.70.22
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

==================== Services (Whitelisted) ======

3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [517448 2010-10-25] ()
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [6127184 2010-11-10] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe" [265400 2010-10-22] (AVG Technologies CZ, s.r.o.)
2 CLPSLS; C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe [1267000 2011-11-23] (COMODO)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [52288 2011-02-02] (NOS Microsystems Ltd.)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74392 2009-04-30] (MicroVision Development, Inc.)

========================== Drivers (Whitelisted) =============

3 AVGIDSDriver; C:\Windows\System32\Drivers\AVGIDSDriver.sys [157264 2010-08-19] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\Drivers\AVGIDSEH.sys [27216 2010-09-13] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\Drivers\AVGIDSFilter.sys [35920 2010-08-19] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [305232 2010-09-07] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [41040 2010-09-07] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [30288 2010-09-07] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [382032 2010-11-09] (AVG Technologies CZ, s.r.o.)
1 onbqphxb; C:\Windows\System32\Drivers\onbqphxb.sys [50392 2012-07-19] (Microsoft Corporation)
3 PTDUBus; C:\Windows\System32\Drivers\PTDUBus.sys [70672 2009-08-12] (DEVGURU Co., LTD.)
3 PTDUMdm; C:\Windows\System32\Drivers\PTDUMdm.sys [173456 2009-08-12] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTDUVsp; C:\Windows\System32\Drivers\PTDUVsp.sys [173456 2009-08-12] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTDUWFLT; C:\Windows\System32\Drivers\PTDUWFLT.sys [12688 2009-08-12] (DEVGURU Co., LTD.)
3 PTDUWWAN; C:\Windows\System32\Drivers\PTDUWWAN.sys [141840 2009-08-12] (DEVGURU Co., LTD.)
3 SMSIVZAM5X64; \??\C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [43032 2009-05-25] (Smith Micro Inc.)
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-20 09:01 - 2012-07-20 09:02 - 00000000 ____D C:\FRST
2012-07-19 20:08 - 2012-07-19 20:08 - 00000000 ____D C:\Users\All Users\Comodo
2012-07-19 17:53 - 2012-07-19 17:53 - 00009216 ____A C:\Users\CS Johnson\Documents\cleanpc file.wps
2012-07-19 17:42 - 2012-07-19 19:49 - 00070108 ____A C:\Users\CS Johnson\Downloads\yorkyt.exe.log
2012-07-19 17:41 - 2012-07-19 17:41 - 01415784 ____A C:\Users\CS Johnson\Downloads\yorkyt.exe
2012-07-19 17:11 - 2012-07-19 17:11 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\onbqphxb.sys
2012-07-19 16:24 - 2012-07-19 16:25 - 00000000 ____D C:\Windows\pss
2012-07-19 16:13 - 2012-07-19 16:13 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-19 16:04 - 2012-07-19 16:05 - 03879800 ____A (AVG Technologies) C:\Users\CS Johnson\Downloads\avg_free_stb_all_2012_2197_cnet.exe
2012-07-19 12:52 - 2012-07-19 16:13 - 00002127 ____A C:\Windows\epplauncher.mif
2012-07-19 12:51 - 2012-07-19 16:36 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-19 12:51 - 2012-07-19 16:36 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-19 12:51 - 2012-07-19 12:51 - 00744030 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-19 12:50 - 2012-07-19 12:51 - 12621696 ____A (Microsoft Corporation) C:\Users\CS Johnson\Downloads\mseinstall.exe
2012-07-19 11:57 - 2012-07-19 17:04 - 00000168 ____A C:\Windows\setupact.log
2012-07-19 11:57 - 2012-07-19 11:57 - 00000000 ____A C:\Windows\setuperr.log
2012-07-19 11:36 - 2012-07-19 11:36 - 00045088 ____A C:\Users\CS Johnson\Documents\cc_20120719_121217.reg
2012-07-12 14:17 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-12 14:11 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-12 14:11 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-12 14:11 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-12 14:11 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-12 14:11 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-12 14:11 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-12 14:11 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-12 14:11 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-12 14:11 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-12 14:11 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-12 14:11 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-12 14:11 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-12 14:11 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-12 14:11 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-12 14:11 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-12 14:11 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-12 14:11 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-12 14:11 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-12 14:11 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-12 14:11 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-12 14:11 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-12 14:11 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-12 14:11 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-12 14:11 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-12 14:11 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-12 14:11 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-12 14:11 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-12 14:11 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-11 11:48 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 11:48 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 11:48 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 11:48 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 11:48 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 11:48 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 11:48 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 11:48 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 11:48 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 11:48 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 11:48 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 11:48 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-11 11:48 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 11:48 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32(30).dll
2012-07-11 11:48 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-11 11:48 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-11 11:48 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-11 11:48 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-11 11:30 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 11:30 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-28 12:45 - 2012-06-28 12:45 - 00011776 ____A C:\Users\CS Johnson\Documents\Tabatha's Wedding Speech.wps
2012-06-21 06:23 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 06:23 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 06:23 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 06:23 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 06:23 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 06:23 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 06:23 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 06:23 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 06:23 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

============ 3 Months Modified Files ========================

2012-07-19 19:49 - 2012-07-19 17:42 - 00070108 ____A C:\Users\CS Johnson\Downloads\yorkyt.exe.log
2012-07-19 17:53 - 2012-07-19 17:53 - 00009216 ____A C:\Users\CS Johnson\Documents\cleanpc file.wps
2012-07-19 17:53 - 2010-02-11 17:40 - 00010626 ____A C:\Users\CS Johnson\AppData\Roaming\wklnhst.dat
2012-07-19 17:41 - 2012-07-19 17:41 - 01415784 ____A C:\Users\CS Johnson\Downloads\yorkyt.exe
2012-07-19 17:37 - 2009-12-18 13:28 - 01493998 ____A C:\Windows\WindowsUpdate.log
2012-07-19 17:21 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-19 17:21 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-19 17:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At38.job
2012-07-19 17:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At37.job
2012-07-19 17:11 - 2012-07-19 17:11 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\onbqphxb.sys
2012-07-19 17:10 - 2009-07-13 21:13 - 00729880 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-19 17:05 - 2010-02-01 17:48 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-19 17:04 - 2012-07-19 11:57 - 00000168 ____A C:\Windows\setupact.log
2012-07-19 17:04 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-19 16:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At36.job
2012-07-19 16:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At35.job
2012-07-19 16:13 - 2012-07-19 16:13 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-19 16:13 - 2012-07-19 12:52 - 00002127 ____A C:\Windows\epplauncher.mif
2012-07-19 16:05 - 2012-07-19 16:04 - 03879800 ____A (AVG Technologies) C:\Users\CS Johnson\Downloads\avg_free_stb_all_2012_2197_cnet.exe
2012-07-19 12:53 - 2010-02-01 17:48 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-19 12:51 - 2012-07-19 12:51 - 00744030 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-19 12:51 - 2012-07-19 12:50 - 12621696 ____A (Microsoft Corporation) C:\Users\CS Johnson\Downloads\mseinstall.exe
2012-07-19 12:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At28.job
2012-07-19 12:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At27.job
2012-07-19 11:57 - 2012-07-19 11:57 - 00000000 ____A C:\Windows\setuperr.log
2012-07-19 11:36 - 2012-07-19 11:36 - 00045088 ____A C:\Users\CS Johnson\Documents\cc_20120719_121217.reg
2012-07-19 11:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At26.job
2012-07-19 11:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At25.job
2012-07-19 08:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At20.job
2012-07-19 08:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At19.job
2012-07-19 07:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At18.job
2012-07-19 07:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At17.job
2012-07-19 06:43 - 2010-02-26 15:17 - 00012800 ____A C:\Users\CS Johnson\Documents\Untitled Document.wps
2012-07-19 06:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At16.job
2012-07-19 06:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At15.job
2012-07-19 05:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At14.job
2012-07-19 05:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At13.job
2012-07-18 20:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At44.job
2012-07-18 20:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At43.job
2012-07-18 19:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At42.job
2012-07-18 19:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At41.job
2012-07-18 18:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At40.job
2012-07-18 18:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At39.job
2012-07-18 11:15 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At24.job
2012-07-18 11:15 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At22.job
2012-07-18 11:15 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At23.job
2012-07-18 11:15 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At21.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At6.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At48.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At46.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At4.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At2.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At5.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At47.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At45.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At3.job
2012-07-17 01:56 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At1.job
2012-07-16 14:29 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At32.job
2012-07-16 14:29 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At30.job
2012-07-16 14:29 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At31.job
2012-07-16 14:29 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At29.job
2012-07-15 15:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At34.job
2012-07-15 15:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At33.job
2012-07-15 09:36 - 2012-05-09 16:55 - 00016384 ____A C:\Users\CS Johnson\Documents\EMPLOYMENT APPS.wps
2012-07-13 07:07 - 2012-04-17 10:55 - 00024064 ____A C:\Users\CS Johnson\Documents\S. Johnson Resume 2012.wps
2012-07-13 05:06 - 2012-03-03 17:50 - 00002025 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-07-13 02:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At8.job
2012-07-13 02:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At7.job
2012-07-12 15:57 - 2011-08-22 05:04 - 00002351 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-12 14:36 - 2009-07-13 20:45 - 00457584 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 14:14 - 2010-02-24 07:38 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-08 03:30 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At10.job
2012-07-08 03:30 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At9.job
2012-07-03 12:46 - 2010-07-22 14:05 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 12:45 - 2012-06-28 12:45 - 00011776 ____A C:\Users\CS Johnson\Documents\Tabatha's Wedding Speech.wps
2012-06-28 12:36 - 2012-06-19 15:40 - 00011264 ____A C:\Users\CS Johnson\Documents\MANDY wedding songs.wps
2012-06-27 14:00 - 2012-03-28 11:28 - 00014336 ____A C:\Users\CS Johnson\Documents\Susanna Johnson Resume 2012.wps
2012-06-27 14:00 - 2012-03-27 09:08 - 00273408 ____A C:\Users\CS Johnson\Documents\Clint's resume 2012.wps
2012-06-26 08:02 - 2009-07-13 21:08 - 00032570 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-18 20:35 - 2012-06-18 20:35 - 00125440 ____A C:\Users\CS Johnson\Documents\Kathy conversation.wps
2012-06-18 08:03 - 2012-06-13 06:29 - 00033792 ____A C:\Users\CS Johnson\Documents\My Biography.wps
2012-06-18 04:20 - 2011-12-16 07:41 - 00000352 ____A C:\Windows\Tasks\At12.job
2012-06-18 04:20 - 2011-12-16 07:41 - 00000350 ____A C:\Windows\Tasks\At11.job
2012-06-15 07:14 - 2012-04-21 10:31 - 00014848 ____A C:\Users\CS Johnson\Documents\Cover Letter.wps
2012-06-15 06:31 - 2012-06-15 06:31 - 00015360 ____A C:\Users\CS Johnson\Documents\BLESSINGS AT THE KERNS.wps
2012-06-14 17:44 - 2012-06-14 17:44 - 00011264 ____A C:\Users\CS Johnson\Documents\RELAY PLEDGE FORM.wps
2012-06-14 05:59 - 2010-06-07 12:34 - 00012288 ____A C:\Users\CS Johnson\Documents\FATHERS DAY PICNIC CHECK LIST.wps
2012-06-13 07:41 - 2011-08-18 06:08 - 00014848 ____A C:\Users\CS Johnson\Documents\Encouragement.wps
2012-06-11 19:08 - 2012-07-12 14:17 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-11 06:39 - 2012-06-11 06:39 - 00010240 ____A C:\Users\CS Johnson\Documents\Past Employment Addresses and Phone Numbers.wps
2012-06-11 06:36 - 2012-04-05 06:32 - 00023552 ____A C:\Users\CS Johnson\Documents\Susanna Johnson 2012 Resume.wps
2012-06-11 06:27 - 2011-07-13 16:33 - 00257024 ____A C:\Users\CS Johnson\Documents\ER Business cards.wps
2012-06-11 06:23 - 2011-05-17 08:13 - 00009728 ____A C:\Users\CS Johnson\Documents\Dad's Obituary.wps
2012-06-11 06:16 - 2011-08-24 04:19 - 00018944 ____A C:\Users\CS Johnson\Documents\Dad being at home.wps
2012-06-11 06:14 - 2012-05-31 10:34 - 00009216 ____A C:\Users\CS Johnson\Documents\Dad taking off from residence.wps
2012-06-09 21:50 - 2012-04-05 14:06 - 00076800 ____A C:\Users\CS Johnson\Documents\Debbi Resume.wps
2012-06-09 12:10 - 2012-06-09 12:10 - 00009728 ____A C:\Users\CS Johnson\Documents\Feelingsr.wps
2012-06-09 12:09 - 2012-04-02 06:12 - 00013824 ____A C:\Users\CS Johnson\Documents\Sue Johnson Resume 2012.wps
2012-06-08 21:43 - 2012-07-11 11:48 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 11:48 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-11 11:48 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 11:48 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 11:30 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 11:48 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 11:48 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 11:30 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-05 08:51 - 2012-06-05 08:51 - 00013824 ____A C:\Users\CS Johnson\Documents\~AutoSave-00000004.wps
2012-06-02 14:19 - 2012-06-21 06:23 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 06:23 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 06:23 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-21 06:23 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 06:23 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 06:23 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-21 06:23 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 06:23 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-21 06:23 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-12 14:11 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-12 14:11 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-12 14:11 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-12 14:11 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-12 14:11 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-12 14:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-12 14:11 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-12 14:11 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-12 14:11 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-12 14:11 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-12 14:11 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-12 14:11 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-12 14:11 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-12 14:11 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-12 14:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-12 14:11 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-12 14:11 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-12 14:11 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-12 14:11 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-12 14:11 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-12 14:11 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-12 14:11 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-12 14:11 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-12 14:11 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-12 14:11 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-12 14:11 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-12 14:11 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-12 14:11 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-11 11:48 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 11:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 11:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 11:48 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 11:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 11:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 11:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:40 - 2012-07-11 11:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32(30).dll
2012-06-01 20:39 - 2012-07-11 11:48 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 11:48 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-24 15:51 - 2012-05-24 13:01 - 00127488 ____A C:\Users\CS Johnson\Documents\JAMES & MANDY WEDDING INVITATION.wps
2012-05-07 06:53 - 2010-09-27 07:55 - 00012288 ____A C:\Users\CS Johnson\Documents\BIRTHDAY CALENDAR.wps
2012-05-04 03:06 - 2012-06-13 19:01 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-13 19:01 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 19:01 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-30 21:40 - 2012-06-13 19:01 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:55 - 2012-06-13 19:00 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 17:38 - 2012-04-26 17:38 - 00013824 ____A C:\Users\CS Johnson\Documents\James & Mandy.wps
2012-04-25 21:41 - 2012-06-13 19:01 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:41 - 2012-06-13 19:01 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:34 - 2012-06-13 19:01 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-25 06:52 - 2012-03-22 16:01 - 00023552 ____A C:\Users\CS Johnson\Documents\God's Soverignty.wps
2012-04-23 21:37 - 2012-06-13 19:00 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:37 - 2012-06-13 19:00 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:37 - 2012-06-13 19:00 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:36 - 2012-06-13 19:00 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:36 - 2012-06-13 19:00 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:36 - 2012-06-13 19:00 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-23 06:52 - 2012-04-18 17:12 - 00261632 ____A C:\Users\CS Johnson\Documents\Clinton Johnson Resume 2012.wps
2012-04-23 06:25 - 2012-04-23 06:25 - 00010240 ____A C:\Users\CS Johnson\Documents\Jobs applied for.wps

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3836.17 MB
Available physical RAM: 3242.4 MB
Total Pagefile: 3834.32 MB
Available Pagefile: 3231.85 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (TI105736W0B) (Fixed) (Total:287.61 GB) (Free:217.24 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:0.46 GB) (Free:0.37 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 476 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 287 GB 1501 MB
Partition 3 Primary 9 GB 289 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105736W0B NTFS Partition 287 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 476 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 476 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-20 00:36



======================= End Of Log ==========================

Can anyone make me a fixlist from this log?

Sorry, too green in this to attempt myself. This is a nasty bug!

Thanks!!



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:06 AM

Posted 24 July 2012 - 10:58 AM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [] [x]
HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
cmd: del /a/f/q c:\windows\tasks\at*.job
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
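The same indicators can be pulled out of an FRST log by script. This is an added Python example, not CatByte's code and not part of FRST: it collects the "ZeroAccess:" entries, empty Run values, failed MD5 checks and the suspicious partition type that appear in the log above, and renders the registry and file items as a start/end fixlist like the one in the reply. The log excerpt is constructed from this thread's log, and the "MD5 is not legit" wording is an assumption, not FRST's actual output.

```python
import re
# Constructed excerpt modelled on the FRST log posted above (not the full log).
# The "MD5 is not legit" line is invented so the failed-check branch runs.
SAMPLE_LOG = r"""
HKLM\...\Run: [] [x]

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is not legit

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
"""

SUSPICIOUS_TYPE = re.compile(r"^Type : (\w+) \(Suspicious Type\)")

def triage_frst_log(text):
    """Collect the items in an FRST log that a responder would act on."""
    findings = {"empty_run_entries": [], "zeroaccess_paths": [],
                "failed_md5": [], "suspicious_partitions": []}
    lines = [ln.strip() for ln in text.splitlines()]
    disk = partition = None
    for i, line in enumerate(lines):
        if line.endswith("Run: [] [x]"):  # autorun value with no target
            findings["empty_run_entries"].append(line)
        elif line == "ZeroAccess:" and i + 1 < len(lines):
            findings["zeroaccess_paths"].append(lines[i + 1])  # path follows
        elif " => MD5" in line and not line.endswith("MD5 is legit"):
            findings["failed_md5"].append(line.split(" => ")[0])
        elif line.startswith("Disk: "):
            disk = line.split(": ", 1)[1]
        elif line.startswith("Partition ") and line[10:].isdigit():
            partition = line[10:]
        else:
            m = SUSPICIOUS_TYPE.match(line)
            if m:
                findings["suspicious_partitions"].append((disk, partition, m.group(1)))
    return findings

def build_fixlist(findings):
    """Render the registry and file items as a start/end FRST fixlist."""
    body = findings["empty_run_entries"] + findings["zeroaccess_paths"]
    return "\n".join(["start", *body, "end"])
```

Failed MD5 checks and suspicious partitions are reported but deliberately left out of the generated fixlist, since those need a helper's judgement rather than a blanket delete.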


#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:06 AM

Posted 29 July 2012 - 04:27 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
