I think I have malware - browser redirects and mystery sounds play


  • This topic is locked
15 replies to this topic

#1 bobshare
Posted 10 October 2012 - 09:06 PM

Something is wrong with this computer - random sounds play from the speakers (sounds like ads) and I get very bizarre browser redirects, often to "iexplore-microsoft.com". I also cannot run tdsskiller, even if I rename it. Also, at shutdown it says it is waiting for a program to close (even though I closed everything).

I'm out of ideas what to do, hopefully someone can help me out! Thank you so much!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Robert at 21:43:02 on 2012-10-10
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6057.3235 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\FS\Spyro Portal\FlashPortal.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TRENDnet\TEW-624UB\WlanWpsSvc.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\splwow64.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.earthlink.net/
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Google Update] "C:\Users\Robert\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [<NO NAME>]
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: robotgalaxy.com\www
DPF: RGFCPlugin - hxxp://www.robotgalaxy.com/images/plugin/RGFCPlugin.CAB
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F0759B54-E45D-4140-A822-5056720F9EF4} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F0759B54-E45D-4140-A822-5056720F9EF4}\0716E63616B656C616E646 : DhcpNameServer = 167.206.251.129 167.206.251.130
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll"
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [(Default)]
mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2011-5-4 150920]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-20 399432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-9-10 200728]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-9-10 200728]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-9-10 200728]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-9-10 200728]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2012-9-10 237920]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2012-9-10 218320]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-8-5 1692480]
R2 SpyroService;Spyro Portal Service;C:\Program Files (x86)\FS\Spyro Portal\FlashPortal.exe [2011-9-9 48128]
R2 WlanWpsSvc;WlanWpsSvc;C:\Program Files\TRENDnet\TEW-624UB\WlanWpsSvc.exe [2012-2-13 167936]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\system32\drivers\HipShieldK.sys --> C:\Windows\system32\drivers\HipShieldK.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-20 676936]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 cphs;Intel® Content Protection HECI Service;C:\Windows\SysWOW64\IntelCpHeciSvc.exe [2012-3-19 276248]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-10-10 19:26:57 -------- d-----w- C:\Users\Robert\AppData\Roaming\SUPERAntiSpyware.com
2012-10-10 19:26:48 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-10-10 19:26:48 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-10-06 08:01:04 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{91F87539-42C8-45DE-A39A-06E0D5EA6B55}\mpengine.dll
2012-09-28 02:50:30 196440 ----a-w- C:\Windows\System32\drivers\HipShieldK.sys
2012-09-25 10:05:17 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-09-25 10:04:44 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-25 10:04:44 -------- d-----w- C:\Program Files\iTunes
2012-09-25 10:04:44 -------- d-----w- C:\Program Files\iPod
2012-09-25 10:04:44 -------- d-----w- C:\Program Files (x86)\iTunes
2012-09-25 10:01:29 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-09-25 10:01:29 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-09-25 10:01:29 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-09-25 10:01:29 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-09-25 10:01:29 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-09-25 10:01:29 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-09-25 10:01:29 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-09-24 17:41:59 -------- d-----w- C:\Windows\pss
2012-09-24 00:34:45 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-09-21 23:53:04 -------- d-----w- C:\Users\Robert\AppData\Local\{9BC619FB-57F3-49C0-BCDB-2CD8EDB59E16}
2012-09-20 18:39:08 -------- d-----w- C:\Program Files\CCleaner
2012-09-20 13:08:26 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-19 01:51:51 -------- d--h--w- C:\Windows\msdownld.tmp
2012-09-16 03:20:50 -------- d-----w- C:\Users\Robert\AppData\Local\{505A6D44-6C42-4BD8-BC03-385D3C222623}
2012-09-15 00:39:01 -------- d-----w- C:\Users\Robert\AppData\Local\{A994CFCB-00E8-465D-84CD-A37BD93DC20E}
2012-09-12 13:05:24 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-09-12 13:05:24 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
2012-09-12 13:05:23 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-09-12 13:05:23 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-09-12 13:05:22 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-09-12 13:05:21 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-09-12 13:05:21 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
.
==================== Find3M ====================
.
2012-09-10 03:45:53 16200 ----a-w- C:\Windows\stinger.sys
2012-08-21 17:01:20 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-08-21 17:01:20 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-08-16 09:38:12 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 09:38:12 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-30 16:14:10 2368958 ----a-w- C:\Users\Robert\the easiest vampire game of doom.exe
2012-07-28 16:47:41 2799224 ----a-w- C:\Users\Robert\treasure.exe
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 21:51:13.60 ===============

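As an added example, not code from the thread or from the DDS tool: a small Python triage helper that parses the "Created Last 30" and "Find3M" entries of a DDS log like the one above and lists the files a helper would want to look at first. The two flagging heuristics (executables written under C:\Users, and .sys files outside the usual driver directories) are my own assumptions, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# A DDS file entry looks like:
#   YYYY-MM-DD HH:MM:SS <size or --------> <attribute flags> <path>
# Directories print dashes instead of a size and a leading "d" in the flags.
DDS_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)

# Extensions that execute code when launched or loaded.
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".cpl")

# Directories where a kernel driver normally lives (assumption for the heuristic).
DRIVER_DIRS = ("\\drivers\\", "\\system32\\", "\\syswow64\\")

# Sample input: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
2012-10-10 19:26:48 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-09-28 02:50:30 196440 ----a-w- C:\Windows\System32\drivers\HipShieldK.sys
2012-09-12 13:05:24 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
.
==================== Find3M ====================
.
2012-09-10 03:45:53 16200 ----a-w- C:\Windows\stinger.sys
2012-07-30 16:14:10 2368958 ----a-w- C:\Users\Robert\the easiest vampire game of doom.exe
2012-07-28 16:47:41 2799224 ----a-w- C:\Users\Robert\treasure.exe
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
"""


@dataclass
class DdsEntry:
    when: datetime
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "----a-w-" for a file, "d-----w-" for a directory
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_dds(text: str) -> List[DdsEntry]:
    """Parse every file/directory entry in a DDS section; skip headers and separators."""
    entries: List[DdsEntry] = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        when = datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S")
        entries.append(DdsEntry(when, size, m["attrs"], m["path"]))
    return entries


def review_reasons(entry: DdsEntry) -> List[str]:
    """Return the (heuristic) reasons an entry deserves a closer look; empty if none."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    p = entry.path.lower()
    # Executables dropped into the user profile are writable without admin rights.
    if p.endswith(EXEC_EXT) and p.startswith("c:\\users\\"):
        reasons.append("executable in a user-writable profile path")
    # A kernel driver outside the usual driver directories is unusual.
    if p.endswith(".sys") and not any(d in p for d in DRIVER_DIRS):
        reasons.append("kernel driver outside the usual driver directories")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Flagged entries, newest first, each with its list of reasons."""
    flagged: List[Tuple[str, List[str]]] = []
    for e in sorted(parse_dds(text), key=lambda x: x.when, reverse=True):
        reasons = review_reasons(e)
        if reasons:
            flagged.append((e.path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}: {'; '.join(reasons)}")
```

A hit only means "review this entry"; in the log above the files in the user profile root are as likely to be downloaded games as anything else, so the helper orders the work rather than deciding it.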

#2 Farbar
Posted 12 October 2012 - 04:16 AM

Hello bobshare,

Welcome to the forum.

It seems the system is infected with a partition/MBR infection.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by Farbar, 12 October 2012 - 04:17 AM.


#3 bobshare
Posted 15 October 2012 - 09:40 AM

Farbar,

Thank you so much for responding to my post!

I have the tool on the flash drive. I then went to the infected computer. After I selected "Repair your computer", it gave me a black screen with a white bar on the bottom and the words "Windows is loading files", and it didn't go any further. It has been like that for about half an hour now.

I didn't want to go ahead and get to a command prompt some other way to run the tool without checking with you first as to the best way to proceed :)

#4 Farbar
Posted 15 October 2012 - 12:16 PM

You are welcome.

Please follow the steps to Create a Windows 7 System Repair Disc

You can make it on the infected computer; if you have another computer with Windows 7 (x64 version), you can make it there.

After that you can use the second method instead of F8 key as instructed.

#5 bobshare
Posted 15 October 2012 - 12:46 PM

That worked with no problem. Here are the results:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-10-2012
Ran by SYSTEM at 15-10-2012 13:37:22
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [2835443 2012-02-01] ()
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1535112 2012-09-12] (McAfee, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Robert\...\Run: [Google Update] "C:\Users\Robert\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-10] (Google Inc.)
HKU\Robert\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5628288 2012-10-08] (SUPERAntiSpyware.com)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [383608 2012-09-10] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [237920 2012-06-22] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [218320 2012-06-22] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [177144 2012-06-22] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 SpyroService; "C:\Program Files (x86)\FS\Spyro Portal\FlashPortal.exe" [48128 2011-09-09] (FS)
2 WlanWpsSvc; C:\Program Files\TRENDnet\TEW-624UB\WlanWpsSvc.exe [167936 2008-06-26] ()

==================== Drivers (Whitelisted) =====================

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [69672 2012-06-22] (McAfee, Inc.)
3 HipShieldK; C:\Windows\System32\Drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
0 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [169320 2012-06-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [300392 2012-06-22] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [513456 2012-06-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [752672 2012-06-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [106112 2012-06-22] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [335784 2012-06-22] (McAfee, Inc.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
4 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]
3 mfeavfk01; [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-10-14 17:23 - 2012-09-19 07:45 - 00001371 ____A C:\Users\Robert\Desktop\Internet Explorer (64-bit).lnk
2012-10-10 21:01 - 2012-10-10 21:03 - 00013702 ____A C:\Users\Robert\My Documents\Attach.txt
2012-10-10 21:01 - 2012-10-10 21:03 - 00013702 ____A C:\Users\Robert\Documents\Attach.txt
2012-10-10 20:42 - 2012-10-10 20:42 - 00607260 ____R (Swearware) C:\Users\Robert\Downloads\dds.com
2012-10-10 20:41 - 2012-10-10 20:41 - 00050477 ____A C:\Users\Robert\Downloads\Defogger.exe
2012-10-10 20:41 - 2012-10-10 20:41 - 00000474 ____A C:\Users\Robert\Desktop\defogger_disable.log
2012-10-10 20:41 - 2012-10-10 20:41 - 00000000 ____A C:\Users\Robert\defogger_reenable
2012-10-10 16:52 - 2012-10-10 16:57 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Robert\Downloads\iexplore.exe
2012-10-10 15:59 - 2012-10-10 15:59 - 00836461 ____A C:\Users\Robert\Local Settings\census.cache
2012-10-10 15:59 - 2012-10-10 15:59 - 00836461 ____A C:\Users\Robert\Local Settings\Application Data\census.cache
2012-10-10 15:59 - 2012-10-10 15:59 - 00836461 ____A C:\Users\Robert\AppData\Local\census.cache
2012-10-10 15:58 - 2012-10-10 15:58 - 00110364 ____A C:\Users\Robert\Local Settings\ars.cache
2012-10-10 15:58 - 2012-10-10 15:58 - 00110364 ____A C:\Users\Robert\Local Settings\Application Data\ars.cache
2012-10-10 15:58 - 2012-10-10 15:58 - 00110364 ____A C:\Users\Robert\AppData\Local\ars.cache
2012-10-10 15:53 - 2012-10-10 15:53 - 02406064 ____A (Trend Micro Inc.) C:\Users\Robert\Downloads\HousecallLauncher64.exe
2012-10-10 15:53 - 2012-10-10 15:53 - 00000036 ____A C:\Users\Robert\Local Settings\housecall.guid.cache
2012-10-10 15:53 - 2012-10-10 15:53 - 00000036 ____A C:\Users\Robert\Local Settings\Application Data\housecall.guid.cache
2012-10-10 15:53 - 2012-10-10 15:53 - 00000036 ____A C:\Users\Robert\AppData\Local\housecall.guid.cache
2012-10-10 14:26 - 2012-10-10 14:26 - 21024192 ____A (SUPERAntiSpyware.com) C:\Users\Robert\Downloads\SUPERAntiSpyware.exe
2012-10-10 14:26 - 2012-10-10 14:26 - 00001770 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-10-10 14:26 - 2012-10-10 14:26 - 00001770 ____A C:\Users\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-10-10 14:26 - 2012-10-10 14:26 - 00000000 ____D C:\Users\Robert\Application Data\SUPERAntiSpyware.com
2012-10-10 14:26 - 2012-10-10 14:26 - 00000000 ____D C:\Users\Robert\AppData\Roaming\SUPERAntiSpyware.com
2012-10-10 14:26 - 2012-10-10 14:26 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-10-10 14:26 - 2012-10-10 14:26 - 00000000 ____D C:\Users\All Users\Application Data\SUPERAntiSpyware.com
2012-10-10 14:26 - 2012-10-10 14:26 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-10-10 11:43 - 2012-10-10 11:43 - 02790920 ____A C:\Users\Robert\My Documents\AutoRuns.arn
2012-10-10 11:43 - 2012-10-10 11:43 - 02790920 ____A C:\Users\Robert\Documents\AutoRuns.arn
2012-10-10 11:19 - 2012-10-10 11:19 - 00000000 ____D C:\Users\Robert\My Documents\Autoruns
2012-10-10 11:19 - 2012-10-10 11:19 - 00000000 ____D C:\Users\Robert\Documents\Autoruns
2012-10-09 18:24 - 2012-10-09 18:24 - 03941312 ____A (Piriform Ltd) C:\Users\Robert\Downloads\ccsetup323.exe
2012-10-07 07:03 - 2012-10-07 07:03 - 02561823 ____A C:\Users\Robert\My Documents\pokemon comix episode season 1 episode 1.pptx
2012-10-07 07:03 - 2012-10-07 07:03 - 02561823 ____A C:\Users\Robert\Documents\pokemon comix episode season 1 episode 1.pptx
2012-09-28 19:55 - 2012-09-28 20:00 - 00000000 ____D C:\Users\Robert\My Documents\New folder
2012-09-28 19:55 - 2012-09-28 20:00 - 00000000 ____D C:\Users\Robert\Documents\New folder
2012-09-27 21:50 - 2012-04-20 15:40 - 00196440 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2012-09-25 18:20 - 2012-09-25 18:20 - 02815696 ____A (YoYoGames Ltd) C:\Users\Robert\Desktop\MAZE of ORBS.exe
2012-09-25 18:20 - 2012-09-25 18:20 - 00525737 ____A C:\Users\Robert\Desktop\MAZE of ORBS.gmk
2012-09-25 05:05 - 2012-09-25 05:05 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-09-25 05:05 - 2012-09-25 05:05 - 00001785 ____A C:\Users\All Users\Desktop\iTunes.lnk
2012-09-25 05:05 - 2012-08-21 12:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-09-25 05:04 - 2012-09-25 05:05 - 00000000 ____D C:\Users\All Users\Application Data\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-25 05:04 - 2012-09-25 05:05 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-25 05:04 - 2012-09-25 05:05 - 00000000 ____D C:\Program Files\iTunes
2012-09-25 05:04 - 2012-09-25 05:05 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-09-25 05:04 - 2012-09-25 05:04 - 00000000 ____D C:\Program Files\iPod
2012-09-25 05:01 - 2012-09-25 05:01 - 00001847 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-09-25 05:01 - 2012-09-25 05:01 - 00001847 ____A C:\Users\All Users\Desktop\QuickTime Player.lnk
2012-09-25 05:01 - 2012-09-25 05:01 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-09-24 12:41 - 2012-09-24 12:41 - 00000000 ____D C:\Windows\pss
2012-09-22 20:08 - 2012-09-22 20:08 - 04683943 ____A () C:\Users\Robert\Desktop\Robots Vs. Dragons final clash.exe
2012-09-22 20:08 - 2012-09-22 20:08 - 02264650 ____A C:\Users\Robert\Desktop\Robots Vs. Dragons final clash.gmk
2012-09-22 17:07 - 2012-09-22 17:08 - 00000000 ____D C:\Users\Robert\Downloads\iexplore
2012-09-22 17:06 - 2012-09-22 17:06 - 02193278 ____A C:\Users\Robert\Downloads\iexplore.zip
2012-09-22 17:05 - 2012-09-22 17:05 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Robert\Downloads\tdsskiller.exe
2012-09-22 17:03 - 2012-09-22 17:03 - 00587640 ____A C:\Users\Robert\Downloads\cbsidlm-tr1_6-TDL_Rootkit_Detector-75332705.exe
2012-09-22 17:03 - 2012-09-22 17:03 - 00000915 ____A C:\Users\Robert\Desktop\Install TDL Rootkit Detector.lnk
2012-09-22 17:02 - 2012-09-22 17:02 - 00000000 ____D C:\Users\Robert\Downloads\tdsskiller (1)
2012-09-22 17:01 - 2012-09-22 17:01 - 02193345 ____A C:\Users\Robert\Downloads\tdsskiller (1).zip
2012-09-22 16:56 - 2012-09-22 16:56 - 01678240 ____A (Bleeping Computer, LLC) C:\Users\Robert\Downloads\rkill.exe
2012-09-21 18:53 - 2012-09-21 18:53 - 00000000 ____D C:\Users\Robert\Local Settings\Application Data\{9BC619FB-57F3-49C0-BCDB-2CD8EDB59E16}
2012-09-21 18:53 - 2012-09-21 18:53 - 00000000 ____D C:\Users\Robert\Local Settings\{9BC619FB-57F3-49C0-BCDB-2CD8EDB59E16}
2012-09-21 18:53 - 2012-09-21 18:53 - 00000000 ____D C:\Users\Robert\AppData\Local\{9BC619FB-57F3-49C0-BCDB-2CD8EDB59E16}
2012-09-20 20:33 - 2012-09-20 20:34 - 00006226 ____A C:\Users\Robert\My Documents\cc_20120920_213354.reg
2012-09-20 20:33 - 2012-09-20 20:34 - 00006226 ____A C:\Users\Robert\Documents\cc_20120920_213354.reg
2012-09-20 19:43 - 2012-09-20 19:43 - 04684672 ____A () C:\Users\Robert\Desktop\Robots Vs. Dragons 2.0.exe
2012-09-20 19:43 - 2012-09-20 19:43 - 02266999 ____A C:\Users\Robert\Desktop\Robots Vs. Dragons 2.0.gmk
2012-09-20 14:16 - 2012-09-20 14:18 - 00111152 ____A C:\Users\Robert\My Documents\cc_20120920_151552.reg
2012-09-20 14:16 - 2012-09-20 14:18 - 00111152 ____A C:\Users\Robert\Documents\cc_20120920_151552.reg
2012-09-20 13:39 - 2012-10-09 18:25 - 00000784 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-09-20 13:39 - 2012-10-09 18:25 - 00000784 ____A C:\Users\All Users\Desktop\CCleaner.lnk
2012-09-20 13:39 - 2012-10-09 18:25 - 00000000 ____D C:\Program Files\CCleaner
2012-09-20 13:38 - 2012-09-20 13:38 - 03927560 ____A (Piriform Ltd) C:\Users\Robert\Downloads\ccsetup322.exe
2012-09-20 08:08 - 2012-09-20 08:08 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-20 08:08 - 2012-09-20 08:08 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-20 08:08 - 2012-09-20 08:08 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-19 22:38 - 2012-09-19 22:38 - 00000000 ____D C:\Users\Robert\Downloads\tdsskiller
2012-09-19 22:37 - 2012-09-19 22:37 - 02193278 ____A C:\Users\Robert\Downloads\tdsskiller.zip
2012-09-19 22:34 - 2012-09-19 22:34 - 00027709 ____A C:\Users\Robert\Downloads\Result.txt
2012-09-19 22:33 - 2012-09-19 22:33 - 00751391 ____A (Farbar) C:\Users\Robert\Downloads\MiniToolBox.exe
2012-09-18 20:51 - 2012-09-18 20:52 - 00000000 ___HD C:\Windows\msdownld.tmp
2012-09-18 20:42 - 2012-09-18 20:44 - 38487400 ____A (Microsoft Corporation) C:\Users\Robert\Downloads\BOIE9_ENUS_BO0085_WIN764.EXE
2012-09-17 15:01 - 2012-09-17 15:01 - 12621696 ____A (Microsoft Corporation) C:\Users\Robert\Downloads\mseinstall (1).exe
2012-09-17 12:24 - 2012-09-17 12:25 - 74473552 ____A (Microsoft Corporation) C:\Users\Robert\Downloads\msert.exe
2012-09-16 15:33 - 2012-09-16 15:33 - 00894952 ____A (Oracle Corporation) C:\Users\Robert\Downloads\chromeinstall-7u7.exe
2012-09-15 22:20 - 2012-09-15 22:21 - 00000000 ____D C:\Users\Robert\Local Settings\Application Data\{505A6D44-6C42-4BD8-BC03-385D3C222623}
2012-09-15 22:20 - 2012-09-15 22:21 - 00000000 ____D C:\Users\Robert\Local Settings\{505A6D44-6C42-4BD8-BC03-385D3C222623}
2012-09-15 22:20 - 2012-09-15 22:21 - 00000000 ____D C:\Users\Robert\AppData\Local\{505A6D44-6C42-4BD8-BC03-385D3C222623}
2012-09-15 19:15 - 2012-09-15 19:15 - 00007607 ____A C:\Users\Robert\Local Settings\Resmon.ResmonCfg
2012-09-15 19:15 - 2012-09-15 19:15 - 00007607 ____A C:\Users\Robert\Local Settings\Application Data\Resmon.ResmonCfg
2012-09-15 19:15 - 2012-09-15 19:15 - 00007607 ____A C:\Users\Robert\AppData\Local\Resmon.ResmonCfg


==================== 3 Months Modified Files ==================

2012-10-15 12:28 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-15 12:28 - 2009-07-13 23:51 - 00094783 ____A C:\Windows\setupact.log
2012-10-15 12:27 - 2011-08-05 14:33 - 01458191 ____A C:\Windows\WindowsUpdate.log
2012-10-15 12:27 - 2009-07-13 23:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-15 12:27 - 2009-07-13 23:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-15 12:25 - 2012-09-10 01:59 - 00001790 ____A C:\Users\Public\Desktop\McAfee Security Center.lnk
2012-10-15 12:25 - 2012-09-10 01:59 - 00001790 ____A C:\Users\All Users\Desktop\McAfee Security Center.lnk
2012-10-15 12:24 - 2009-07-14 00:13 - 00780220 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-15 12:22 - 2012-09-10 00:12 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-142841763-1285199829-3490562073-1000UA.job
2012-10-13 01:22 - 2012-09-10 00:12 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-142841763-1285199829-3490562073-1000Core.job
2012-10-11 15:27 - 2012-07-28 09:53 - 00002645 ____A C:\Users\Public\Documents\Global.sw2
2012-10-11 15:27 - 2012-07-28 09:53 - 00002645 ____A C:\Users\All Users\Documents\Global.sw2
2012-10-10 21:03 - 2012-10-10 21:01 - 00013702 ____A C:\Users\Robert\My Documents\Attach.txt
2012-10-10 21:03 - 2012-10-10 21:01 - 00013702 ____A C:\Users\Robert\Documents\Attach.txt
2012-10-10 20:42 - 2012-10-10 20:42 - 00607260 ____R (Swearware) C:\Users\Robert\Downloads\dds.com
2012-10-10 20:41 - 2012-10-10 20:41 - 00050477 ____A C:\Users\Robert\Downloads\Defogger.exe
2012-10-10 20:41 - 2012-10-10 20:41 - 00000474 ____A C:\Users\Robert\Desktop\defogger_disable.log
2012-10-10 20:41 - 2012-10-10 20:41 - 00000000 ____A C:\Users\Robert\defogger_reenable
2012-10-10 19:23 - 2012-09-10 00:13 - 00002493 ____A C:\Users\Robert\Desktop\Google Chrome.lnk
2012-10-10 16:57 - 2012-10-10 16:52 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Robert\Downloads\iexplore.exe
2012-10-10 16:53 - 2012-09-03 11:54 - 00002040 ____A C:\Users\Robert\Desktop\Rkill.txt
2012-10-10 15:59 - 2012-10-10 15:59 - 00836461 ____A C:\Users\Robert\Local Settings\census.cache
2012-10-10 15:59 - 2012-10-10 15:59 - 00836461 ____A C:\Users\Robert\Local Settings\Application Data\census.cache
2012-10-10 15:59 - 2012-10-10 15:59 - 00836461 ____A C:\Users\Robert\AppData\Local\census.cache
2012-10-10 15:58 - 2012-10-10 15:58 - 00110364 ____A C:\Users\Robert\Local Settings\ars.cache
2012-10-10 15:58 - 2012-10-10 15:58 - 00110364 ____A C:\Users\Robert\Local Settings\Application Data\ars.cache
2012-10-10 15:58 - 2012-10-10 15:58 - 00110364 ____A C:\Users\Robert\AppData\Local\ars.cache
2012-10-10 15:53 - 2012-10-10 15:53 - 02406064 ____A (Trend Micro Inc.) C:\Users\Robert\Downloads\HousecallLauncher64.exe
2012-10-10 15:53 - 2012-10-10 15:53 - 00000036 ____A C:\Users\Robert\Local Settings\housecall.guid.cache
2012-10-10 15:53 - 2012-10-10 15:53 - 00000036 ____A C:\Users\Robert\Local Settings\Application Data\housecall.guid.cache
2012-10-10 15:53 - 2012-10-10 15:53 - 00000036 ____A C:\Users\Robert\AppData\Local\housecall.guid.cache
2012-10-10 14:26 - 2012-10-10 14:26 - 21024192 ____A (SUPERAntiSpyware.com) C:\Users\Robert\Downloads\SUPERAntiSpyware.exe
2012-10-10 14:26 - 2012-10-10 14:26 - 00001770 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-10-10 14:26 - 2012-10-10 14:26 - 00001770 ____A C:\Users\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-10-10 11:43 - 2012-10-10 11:43 - 02790920 ____A C:\Users\Robert\My Documents\AutoRuns.arn
2012-10-10 11:43 - 2012-10-10 11:43 - 02790920 ____A C:\Users\Robert\Documents\AutoRuns.arn
2012-10-10 11:09 - 2009-07-14 00:08 - 00032610 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-09 18:25 - 2012-09-20 13:39 - 00000784 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-10-09 18:25 - 2012-09-20 13:39 - 00000784 ____A C:\Users\All Users\Desktop\CCleaner.lnk
2012-10-09 18:24 - 2012-10-09 18:24 - 03941312 ____A (Piriform Ltd) C:\Users\Robert\Downloads\ccsetup323.exe
2012-10-07 07:03 - 2012-10-07 07:03 - 02561823 ____A C:\Users\Robert\My Documents\pokemon comix episode season 1 episode 1.pptx
2012-10-07 07:03 - 2012-10-07 07:03 - 02561823 ____A C:\Users\Robert\Documents\pokemon comix episode season 1 episode 1.pptx
2012-09-28 18:32 - 2011-10-14 15:29 - 00058880 __ASH C:\Users\Robert\My Documents\Thumbs.db
2012-09-28 18:32 - 2011-10-14 15:29 - 00058880 __ASH C:\Users\Robert\Documents\Thumbs.db
2012-09-28 04:55 - 2010-11-20 22:47 - 00334572 ____A C:\Windows\PFRO.log
2012-09-25 18:20 - 2012-09-25 18:20 - 02815696 ____A (YoYoGames Ltd) C:\Users\Robert\Desktop\MAZE of ORBS.exe
2012-09-25 18:20 - 2012-09-25 18:20 - 00525737 ____A C:\Users\Robert\Desktop\MAZE of ORBS.gmk
2012-09-25 05:05 - 2012-09-25 05:05 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-09-25 05:05 - 2012-09-25 05:05 - 00001785 ____A C:\Users\All Users\Desktop\iTunes.lnk
2012-09-25 05:01 - 2012-09-25 05:01 - 00001847 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-09-25 05:01 - 2012-09-25 05:01 - 00001847 ____A C:\Users\All Users\Desktop\QuickTime Player.lnk
2012-09-22 20:08 - 2012-09-22 20:08 - 04683943 ____A () C:\Users\Robert\Desktop\Robots Vs. Dragons final clash.exe
2012-09-22 20:08 - 2012-09-22 20:08 - 02264650 ____A C:\Users\Robert\Desktop\Robots Vs. Dragons final clash.gmk
2012-09-22 17:06 - 2012-09-22 17:06 - 02193278 ____A C:\Users\Robert\Downloads\iexplore.zip
2012-09-22 17:05 - 2012-09-22 17:05 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Robert\Downloads\tdsskiller.exe
2012-09-22 17:03 - 2012-09-22 17:03 - 00587640 ____A C:\Users\Robert\Downloads\cbsidlm-tr1_6-TDL_Rootkit_Detector-75332705.exe
2012-09-22 17:03 - 2012-09-22 17:03 - 00000915 ____A C:\Users\Robert\Desktop\Install TDL Rootkit Detector.lnk
2012-09-22 17:01 - 2012-09-22 17:01 - 02193345 ____A C:\Users\Robert\Downloads\tdsskiller (1).zip
2012-09-22 16:56 - 2012-09-22 16:56 - 01678240 ____A (Bleeping Computer, LLC) C:\Users\Robert\Downloads\rkill.exe
2012-09-20 20:34 - 2012-09-20 20:33 - 00006226 ____A C:\Users\Robert\My Documents\cc_20120920_213354.reg
2012-09-20 20:34 - 2012-09-20 20:33 - 00006226 ____A C:\Users\Robert\Documents\cc_20120920_213354.reg
2012-09-20 19:43 - 2012-09-20 19:43 - 04684672 ____A () C:\Users\Robert\Desktop\Robots Vs. Dragons 2.0.exe
2012-09-20 19:43 - 2012-09-20 19:43 - 02266999 ____A C:\Users\Robert\Desktop\Robots Vs. Dragons 2.0.gmk
2012-09-20 14:18 - 2012-09-20 14:16 - 00111152 ____A C:\Users\Robert\My Documents\cc_20120920_151552.reg
2012-09-20 14:18 - 2012-09-20 14:16 - 00111152 ____A C:\Users\Robert\Documents\cc_20120920_151552.reg
2012-09-20 13:38 - 2012-09-20 13:38 - 03927560 ____A (Piriform Ltd) C:\Users\Robert\Downloads\ccsetup322.exe
2012-09-20 08:08 - 2012-09-20 08:08 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-20 08:08 - 2012-09-20 08:08 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-19 22:37 - 2012-09-19 22:37 - 02193278 ____A C:\Users\Robert\Downloads\tdsskiller.zip
2012-09-19 22:34 - 2012-09-19 22:34 - 00027709 ____A C:\Users\Robert\Downloads\Result.txt
2012-09-19 22:33 - 2012-09-19 22:33 - 00751391 ____A (Farbar) C:\Users\Robert\Downloads\MiniToolBox.exe
2012-09-19 07:45 - 2012-10-14 17:23 - 00001371 ____A C:\Users\Robert\Desktop\Internet Explorer (64-bit).lnk
2012-09-18 20:53 - 2012-09-09 22:50 - 00034922 ____A C:\Windows\IE9_main.log
2012-09-18 20:44 - 2012-09-18 20:42 - 38487400 ____A (Microsoft Corporation) C:\Users\Robert\Downloads\BOIE9_ENUS_BO0085_WIN764.EXE
2012-09-18 12:16 - 2012-06-22 07:57 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-17 15:02 - 2011-02-10 11:10 - 00797314 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-17 15:01 - 2012-09-17 15:01 - 12621696 ____A (Microsoft Corporation) C:\Users\Robert\Downloads\mseinstall (1).exe
2012-09-17 12:25 - 2012-09-17 12:24 - 74473552 ____A (Microsoft Corporation) C:\Users\Robert\Downloads\msert.exe
2012-09-16 15:33 - 2012-09-16 15:33 - 00894952 ____A (Oracle Corporation) C:\Users\Robert\Downloads\chromeinstall-7u7.exe
2012-09-15 19:15 - 2012-09-15 19:15 - 00007607 ____A C:\Users\Robert\Local Settings\Resmon.ResmonCfg
2012-09-15 19:15 - 2012-09-15 19:15 - 00007607 ____A C:\Users\Robert\Local Settings\Application Data\Resmon.ResmonCfg
2012-09-15 19:15 - 2012-09-15 19:15 - 00007607 ____A C:\Users\Robert\AppData\Local\Resmon.ResmonCfg
2012-09-12 23:31 - 2011-10-07 22:12 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 03695416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2012-09-10 22:30 - 2012-09-10 22:30 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-09-10 22:30 - 2012-09-10 22:30 - 00697344 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00603648 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00580608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00534528 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00452608 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00448512 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-09-10 22:30 - 2012-09-10 22:30 - 00434176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00403248 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00367104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-09-10 22:30 - 2012-09-10 22:30 - 00353792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00353584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00282112 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00267776 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00249344 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00227840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieaksie.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00223232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00222208 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00203776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00165888 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieakui.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00162304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00160256 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00160256 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00152064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00145920 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00135168 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00130560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieakeng.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00123392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00118784 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00114176 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00111616 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00101888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\admparse.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00091648 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00089088 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00089088 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00086528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00082432 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00078848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00076800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-09-10 22:30 - 2012-09-10 22:30 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00074240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00066048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00063488 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2012-09-10 22:30 - 2012-09-10 22:30 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00054272 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00049664 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00035840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00031744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-09-10 22:30 - 2012-09-10 22:30 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-09-10 22:30 - 2012-09-10 22:30 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-09-10 00:57 - 2012-09-10 00:57 - 00347424 ____A (Microsoft Corporation) C:\Users\Robert\Downloads\MicrosoftFixit.wu.MATSKB.Run.exe
2012-09-10 00:08 - 2012-09-10 00:08 - 00070072 ____A C:\Users\Robert\My Documents\bookmark.htm
2012-09-10 00:08 - 2012-09-10 00:08 - 00070072 ____A C:\Users\Robert\Documents\bookmark.htm
2012-09-09 23:05 - 2012-09-09 23:05 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Robert\Downloads\mbam-setup-1.62.0.1300.exe
2012-09-09 23:01 - 2012-09-09 23:01 - 00000042 ___RH C:\Users\Robert\Downloads\stinger.opt
2012-09-09 22:45 - 2012-09-03 20:14 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-09-09 22:26 - 2012-09-09 22:26 - 09962600 ____A (McAfee Inc.) C:\Users\Robert\Downloads\stinger.exe
2012-09-09 14:55 - 2012-09-09 14:55 - 00010157 ____A C:\Users\Robert\My Documents\santoro+class+list.xlsx
2012-09-09 14:55 - 2012-09-09 14:55 - 00010157 ____A C:\Users\Robert\Documents\santoro+class+list.xlsx
2012-09-06 14:35 - 2012-09-04 16:29 - 02311493 ____A () C:\Users\Robert\Desktop\Homework Mayhem.exe
2012-09-06 14:35 - 2012-09-04 16:22 - 00038713 ____A C:\Users\Robert\Desktop\Homework Mayhem.gmk
2012-09-05 18:27 - 2012-09-05 18:27 - 04655953 ____A () C:\Users\Robert\Desktop\Robots Vs. Dragons.exe
2012-09-05 18:26 - 2012-09-05 18:26 - 04679539 ____A () C:\Users\Robert\Desktop\Robots Vs. Dragons 3.exe
2012-09-05 18:26 - 2012-09-05 17:38 - 02269733 ____A C:\Users\Robert\Desktop\Robots Vs. Dragons 3.gmk
2012-09-05 17:38 - 2012-09-05 17:38 - 02255567 ____A C:\Users\Robert\Desktop\Robots Vs. Dragons 3.gb1
2012-09-05 14:40 - 2012-09-05 14:40 - 12621696 ____A (Microsoft Corporation) C:\Users\Robert\Downloads\mseinstall.exe
2012-09-04 16:29 - 2012-09-04 16:22 - 00031637 ____A C:\Users\Robert\Desktop\Homework Mayhem.gb1
2012-09-04 15:08 - 2012-09-04 14:22 - 02258587 ____A C:\Users\Robert\Desktop\Robots Vs. Dragons 2.gmk
2012-09-04 15:02 - 2012-09-04 14:22 - 02256319 ____A C:\Users\Robert\Desktop\Robots Vs. Dragons 2.gb1
2012-09-03 20:26 - 2012-09-03 20:23 - 00002238 ____A C:\Users\Robert\Desktop\unhide.txt
2012-09-03 20:05 - 2012-09-03 20:05 - 07758424 ____A (SurfRight B.V.) C:\Users\Robert\Downloads\HitmanPro36.exe
2012-09-03 10:54 - 2012-09-02 22:34 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-03 10:27 - 2012-09-03 10:27 - 00000368 ____A C:\Users\All Users\Application Data\6p2ahoMWKsYWSV
2012-09-03 10:27 - 2012-09-03 10:27 - 00000368 ____A C:\Users\All Users\6p2ahoMWKsYWSV
2012-09-03 10:27 - 2012-09-03 10:27 - 00000184 ____A C:\Users\All Users\Application Data\-6p2ahoMWKsYWSVr
2012-09-03 10:27 - 2012-09-03 10:27 - 00000184 ____A C:\Users\All Users\-6p2ahoMWKsYWSVr
2012-09-03 10:27 - 2012-09-03 10:27 - 00000168 ____A C:\Users\All Users\Application Data\-6p2ahoMWKsYWSV
2012-09-03 10:27 - 2012-09-03 10:27 - 00000168 ____A C:\Users\All Users\-6p2ahoMWKsYWSV
2012-08-24 12:03 - 2012-08-24 12:03 - 00407693 ____A C:\Users\Robert\My Documents\Crazy Castle.SV6
2012-08-24 12:03 - 2012-08-24 12:03 - 00407693 ____A C:\Users\Robert\Documents\Crazy Castle.SV6
2012-08-22 13:55 - 2012-08-19 10:46 - 00036571 ____A C:\Users\Robert\Desktop\hjgig.gmk
2012-08-22 13:12 - 2012-09-12 08:05 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 13:12 - 2012-09-12 08:05 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 13:12 - 2012-09-12 08:05 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 13:12 - 2012-09-12 08:05 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 12:01 - 2012-09-25 05:05 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-08-21 12:01 - 2011-08-24 20:07 - 00125872 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi64.dll
2012-08-21 12:01 - 2011-08-24 20:07 - 00106928 ____A (GEAR Software Inc.) C:\Windows\SysWOW64\GEARAspi.dll
2012-08-20 13:13 - 2011-10-30 11:06 - 00557198 ____A C:\Users\Robert\My Documents\Bumbly Beach.SV4
2012-08-20 13:13 - 2011-10-30 11:06 - 00557198 ____A C:\Users\Robert\Documents\Bumbly Beach.SV4
2012-08-20 12:55 - 2011-10-29 16:47 - 00364781 ____A C:\Users\Robert\My Documents\Dynamite Dunes.SV4
2012-08-20 12:55 - 2011-10-29 16:47 - 00364781 ____A C:\Users\Robert\Documents\Dynamite Dunes.SV4
2012-08-19 10:46 - 2012-08-19 10:46 - 00030511 ____A C:\Users\Robert\Desktop\hjgig.gb1
2012-08-17 14:18 - 2012-08-17 14:18 - 00027968 ____A C:\Users\Robert\Desktop\tag.gmk
2012-08-17 14:14 - 2012-08-17 14:14 - 02308788 ____A () C:\Users\Robert\Desktop\tag.exe
2012-08-17 13:50 - 2012-08-17 13:50 - 00000430 ____A C:\Users\Robert\Desktop\CD Drive - Shortcut.lnk
2012-08-17 12:27 - 2012-08-17 12:27 - 02326678 ____A () C:\Users\Robert\Desktop\the adventures of smiley.exe
2012-08-17 12:27 - 2012-08-17 12:27 - 00055118 ____A C:\Users\Robert\Desktop\the adventures of smiley.gmk
2012-08-16 14:04 - 2012-08-16 14:04 - 02400111 ____A () C:\Users\Robert\Desktop\ghost escape.exe
2012-08-16 11:36 - 2012-08-16 11:36 - 00111533 ____A C:\Users\Robert\Desktop\ghost escape.gmk
2012-08-16 09:54 - 2009-07-13 23:45 - 00403136 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 04:38 - 2012-08-16 04:38 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-16 04:38 - 2011-08-05 14:34 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-08 18:29 - 2012-08-08 18:29 - 00196747 ____A C:\Users\Robert\My Documents\EPIC POKEMON FUSIONS.pptx
2012-08-08 18:29 - 2012-08-08 18:29 - 00196747 ____A C:\Users\Robert\Documents\EPIC POKEMON FUSIONS.pptx
2012-08-08 10:11 - 2012-08-08 10:11 - 00014433 ____A C:\Users\Robert\My Documents\Eligible+Papers+-+2012+Phase+3 L Brown.xlsx
2012-08-08 10:11 - 2012-08-08 10:11 - 00014433 ____A C:\Users\Robert\Documents\Eligible+Papers+-+2012+Phase+3 L Brown.xlsx
2012-08-03 16:11 - 2012-08-03 16:11 - 02400089 ____A () C:\Users\Robert\Desktop\cyclops suvivor 2.exe
2012-08-03 16:10 - 2012-08-03 16:07 - 00107275 ____A C:\Users\Robert\Desktop\cyclops suvivor 2.gmk
2012-08-03 16:07 - 2012-08-03 16:07 - 00107149 ____A C:\Users\Robert\Desktop\cyclops suvivor 2.gb1
2012-08-03 15:06 - 2012-08-03 15:06 - 02386868 ____A () C:\Users\Robert\Desktop\cyclops servivor.exe
2012-08-02 12:58 - 2012-09-12 08:05 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 11:57 - 2012-09-12 08:05 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-30 11:21 - 2012-07-30 11:15 - 02390857 ____A () C:\Users\Robert\Desktop\the easiest vampire game of doom.exe
2012-07-30 11:14 - 2012-07-30 11:14 - 02368958 ____A () C:\Users\Robert\the easiest vampire game of doom.exe
2012-07-28 11:47 - 2012-07-28 11:47 - 02799224 ____A (YoYoGames Ltd) C:\Users\Robert\treasure.exe
2012-07-28 09:53 - 2012-07-28 09:53 - 00001040 ____A C:\Users\Robert\Desktop\Game Maker.lnk
2012-07-28 09:53 - 2012-07-28 09:53 - 00000000 ____A C:\Windows\SwSys2.bmp
2012-07-28 09:53 - 2012-07-28 09:53 - 00000000 ____A C:\Windows\SwSys1.bmp
2012-07-27 14:27 - 2012-07-28 11:58 - 02482685 ____A () C:\Users\Robert\My Documents\helven.exe
2012-07-27 14:27 - 2012-07-28 11:58 - 02482685 ____A () C:\Users\Robert\Documents\helven.exe
2012-07-27 13:50 - 2012-07-28 11:57 - 02404474 ____A () C:\Users\Robert\My Documents\BurgerGhost.exe
2012-07-27 13:50 - 2012-07-28 11:57 - 02404474 ____A () C:\Users\Robert\Documents\BurgerGhost.exe
2012-07-27 13:29 - 2012-07-28 12:14 - 03573742 ____A () C:\Users\Robert\My Documents\Dragon Age.exe
2012-07-27 13:29 - 2012-07-28 12:14 - 03573742 ____A () C:\Users\Robert\Documents\Dragon Age.exe
2012-07-27 13:24 - 2012-07-28 11:57 - 03654397 ____A () C:\Users\Robert\My Documents\gostly game of souls.exe
2012-07-27 13:24 - 2012-07-28 11:57 - 03654397 ____A () C:\Users\Robert\Documents\gostly game of souls.exe
2012-07-27 13:23 - 2012-09-05 18:52 - 05414645 ____A () C:\Users\Robert\Desktop\punchyface.exe
2012-07-27 13:23 - 2012-08-17 13:42 - 02403499 ____A () C:\Users\Robert\Desktop\The Revenge of Bloop.exe
2012-07-27 12:37 - 2012-07-28 11:56 - 02416922 ____A () C:\Users\Robert\My Documents\Army Rocket.exe
2012-07-27 12:37 - 2012-07-28 11:56 - 02416922 ____A () C:\Users\Robert\Documents\Army Rocket.exe
2012-07-27 12:25 - 2012-07-28 12:14 - 04659631 ____A () C:\Users\Robert\My Documents\Robots Vs. Dragons.exe
2012-07-27 12:25 - 2012-07-28 12:14 - 04659631 ____A () C:\Users\Robert\Documents\Robots Vs. Dragons.exe
2012-07-27 11:37 - 2012-07-28 11:57 - 02411791 ____A () C:\Users\Robert\My Documents\joey gianfrancesco.exe
2012-07-27 11:37 - 2012-07-28 11:57 - 02411791 ____A () C:\Users\Robert\Documents\joey gianfrancesco.exe
2012-07-24 22:32 - 2012-07-24 22:32 - 00016868 ____A C:\Users\Robert\My Documents\Eligible+Papers+-+2012+Phase+2+Assignments - L Brown.xlsx
2012-07-24 22:32 - 2012-07-24 22:32 - 00016868 ____A C:\Users\Robert\Documents\Eligible+Papers+-+2012+Phase+2+Assignments - L Brown.xlsx
2012-07-24 22:32 - 2012-07-16 23:08 - 00017578 ____A C:\Users\Robert\My Documents\Eligible+Papers+-+2012+Phase+2+Assignments (1).xlsx
2012-07-24 22:32 - 2012-07-16 23:08 - 00017578 ____A C:\Users\Robert\Documents\Eligible+Papers+-+2012+Phase+2+Assignments (1).xlsx
2012-07-23 08:39 - 2012-07-23 08:39 - 00011117 ____A C:\Users\Robert\Downloads\Standard+Statement (2).html
2012-07-20 12:24 - 2011-08-05 14:41 - 00002826 ____A C:\Users\Public\Desktop\WildTangent Games App - dell.lnk
2012-07-20 12:24 - 2011-08-05 14:41 - 00002826 ____A C:\Users\All Users\Desktop\WildTangent Games App - dell.lnk
2012-07-19 19:59 - 2012-07-19 19:59 - 00011236 ____A C:\Users\Robert\Downloads\Standard+Statement (1).html
2012-07-18 13:15 - 2012-08-16 04:43 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

ZeroAccess:
C:\Users\Robert\AppData\Local\{f32d5b06-5a90-7c6f-d75a-cde998de7673}
C:\Users\Robert\AppData\Local\{f32d5b06-5a90-7c6f-d75a-cde998de7673}\L
C:\Users\Robert\AppData\Local\{f32d5b06-5a90-7c6f-d75a-cde998de7673}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-23 19:34:28
Restore point made on: 2012-09-30 04:07:24
Restore point made on: 2012-10-06 03:00:44

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 6056.63 MB
Available physical RAM: 5362.54 MB
Total Pagefile: 6054.83 MB
Available Pagefile: 5363.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:916.65 GB) (Free:800.47 GB) NTFS
2 Drive d: (Repair disc 64-bit) (CDROM) (Total:0.17 GB) (Free:0 GB) UDF
3 Drive e: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:6.48 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 961 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 916 GB 14 GB
Partition 4 Primary 10 MB 931 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 916 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 960 MB 764 KB

==================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F FAT Removable 960 MB Healthy

=========================================================

Last Boot: 2012-10-05 23:28

==================== End Of Log =============================

#6 Farbar (Security Developer)

Posted 15 October 2012 - 01:02 PM

Well done. :thumbup2:

My initial diagnosis was confirmed. We will fix the MBR/Partition infection then remove the rest. Please make sure the fix is done in recovery environment as instructed.

Please download the x64 version of Listparts
Save it to the flash drive.

Download the attached fix.txt (33 bytes).
The fix.list should be saved in the same directory as ListParts64.
Boot to the System Recovery Option and select Command Prompt.
Run ListParts by typing f:\listparts64 in the command window and pressing Enter.
Click Fix.
When it is finished, close the application and restart the computer.
When booted to normal mode, run ListParts again, check "List BCD", click Scan and post the Result.txt to your reply.
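
The anomaly Farbar is fixing here is visible in the ListParts output above: Disk 0 carries a fourth partition of type 17 (hidden NTFS) that is marked Active, is only 10 MB, sits after the 916 GB OS partition and has no volume associated with it, while the RECOVERY partition that actually holds the boot components is not active. The Python below is an added example written for this edit, not code from the thread or from ListParts/FRST: it parses a raw 512-byte MBR and flags an active entry with those properties. The two sample MBRs are constructed from the sizes and offsets in the ListParts logs before and after the fix (sector counts are approximate), the 64 MB "tiny" threshold and the list of hidden type IDs are the editor's assumptions, and whether a volume exists for an entry is something the MBR alone cannot tell, so that is passed in from the diskpart/ListParts output.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                 # the four 16-byte entries start here
ENTRY_FMT = "<B3xB3xII"            # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16
BOOT_SIGNATURE = b"\x55\xaa"

# MBR type IDs for the "hidden" variants of FAT/NTFS volumes (editor's list from
# the usual partition type table; 0x17 is hidden IFS/NTFS, the type in the log).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# Anything this small that is also marked active deserves a look (assumed threshold).
TINY_SECTORS = 64 * 1024 * 1024 // SECTOR_SIZE


def parse_mbr(sector):
    """Return the in-use primary partition entries of a raw 512-byte MBR."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0x00:
            continue                       # empty slot
        entries.append({"index": i + 1, "active": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def assess(sector, disk_sectors, volumes_for=()):
    """Flag active entries that look like the 4th partition in the ListParts log.

    volumes_for: 1-based indices for which the OS reports a volume. The MBR
    cannot tell, so this comes from diskpart/ListParts ("There is no volume
    associated with this partition" means the index is absent here).
    Returns [(index, reason), ...]; an empty list means nothing was flagged.
    """
    entries = parse_mbr(sector)
    last_start = max(e["lba_start"] for e in entries) if entries else 0
    findings = []
    for e in entries:
        if not e["active"]:
            continue                       # an inactive hidden OEM partition is normal
        if e["type"] in HIDDEN_TYPES:
            findings.append((e["index"], "active but hidden type 0x%02X" % e["type"]))
        if e["index"] not in volumes_for:
            findings.append((e["index"], "active but no volume is associated with it"))
        if e["sectors"] < TINY_SECTORS and e["lba_start"] == last_start and len(entries) > 1:
            mb = e["sectors"] * SECTOR_SIZE // 2**20
            findings.append((e["index"], "active, only %d MB, placed after every other partition" % mb))
        if e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append((e["index"], "extends past the end of the disk"))
    return findings


def build_mbr(table):
    """Assemble a 512-byte MBR from (active, type, lba_start, sectors) tuples.
    Boot code and CHS fields are zeroed: this is a constructed sample, not a disk image."""
    raw = b"".join(struct.pack(ENTRY_FMT, 0x80 if active else 0x00, ptype, start, count)
                   for active, ptype, start, count in table)
    return bytes(TABLE_OFFSET) + raw.ljust(4 * ENTRY_SIZE, b"\x00") + BOOT_SIGNATURE


DISK_SECTORS = 1953525168   # a 931 GB disk as in the log (approximate sector count)

# Layout from the first ListParts log: OEM 39 MB, RECOVERY 14 GB, OS 916 GB,
# then a hidden, active, 10 MB type-17 partition with no volume at the end.
INFECTED_MBR = build_mbr([
    (False, 0xDE, 63, 79872),
    (False, 0x07, 81920, 29360128),
    (False, 0x07, 29442048, 1921650688),
    (True, 0x17, 1951092736, 20480),
])
# Layout from the log after the fix: entry 4 gone, RECOVERY marked active.
CLEAN_MBR = build_mbr([
    (False, 0xDE, 63, 79872),
    (True, 0x07, 81920, 29360128),
    (False, 0x07, 29442048, 1921650688),
])

if __name__ == "__main__":
    for label, mbr, vols in (("before fix", INFECTED_MBR, {1, 2, 3}),
                             ("after fix", CLEAN_MBR, {2, 3})):
        print(label, assess(mbr, DISK_SECTORS, vols) or "nothing flagged")
```

Against a live machine the 512 bytes come from the raw device (on Windows, open \\.\PhysicalDrive0 for reading as administrator; on Linux, /dev/sda), disk_sectors from the disk size, and the indices with volumes from diskpart's list volume or the ListParts output. The check only reads the primary table, which is all the log shows, and it is a triage aid: the fix Farbar runs from the recovery environment changes the table (the second ListParts log shows the entry gone and RECOVERY marked active) rather than reporting on it.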

#7 bobshare (Topic Starter)

Posted 15 October 2012 - 03:59 PM

All done and I saw changes...

Attached Files



#8 Farbar (Security Developer)

Posted 15 October 2012 - 04:10 PM

Well done. The main infection is not active any more. We will delete the malware partition, remove a bad folder and run MBAM.

All the fixes should be done in normal mode.

Please copy and paste the logs instead of attaching. :)

  • Download the attached fix.txt (27 bytes).
    The fix.list should be saved in the same directory as ListParts64.
    Run ListParts64, click Fix.
    When it is finished, click Scan and post the log (Result.txt) it makes.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Please download the attached fixlist.txt (68 bytes).
    Save it in the same directory where FRST64 is located.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log (Fixlog.txt) in the same directory; please post it to your reply.
  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
  • Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by Farbar, 15 October 2012 - 04:10 PM.
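
The "bad folder" Farbar removes with the FRST fix is the one FRST listed under "ZeroAccess:" in the log above: a folder named with a GUID under the user's AppData\Local that contains subfolders U and L. GUID-named folders are common by themselves (installers and Windows components create them), so a check that only matches on the name produces noise; the U and L children are what make this one stand out. The Python below is an added example for this edit, not code from the thread or from FRST: it walks a profile root and reports only GUID-named directories that contain both subfolders. The sample profile tree is constructed in a temporary directory; the benign GUID in it is made up, the flagged one is the path from the log.

```python
import os
import re
import tempfile

# A directory whose name is a braced GUID, e.g. {f32d5b06-5a90-7c6f-d75a-cde998de7673}
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# Subfolders the FRST log showed inside the flagged folder
MARKER_CHILDREN = {"U", "L"}


def find_guid_ul_folders(root):
    """Return GUID-named directories under root that contain both U and L subfolders."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if not GUID_DIR.match(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                children = {c.upper() for c in os.listdir(full)
                            if os.path.isdir(os.path.join(full, c))}
            except OSError:
                continue    # unreadable directory: skip it rather than abort the scan
            if MARKER_CHILDREN <= children:
                hits.append(full)
    return sorted(hits)


def build_sample_profile(base):
    """Constructed sample tree (not a real profile): one benign GUID folder with an
    ordinary child, and one folder laid out like the FRST 'ZeroAccess:' entry."""
    local = os.path.join(base, "AppData", "Local")
    benign = os.path.join(local, "{0a1b2c3d-1111-2222-3333-444455556666}")  # made-up GUID
    os.makedirs(os.path.join(benign, "cache"))
    flagged = os.path.join(local, "{f32d5b06-5a90-7c6f-d75a-cde998de7673}")  # from the log
    for sub in ("U", "L"):
        os.makedirs(os.path.join(flagged, sub))
    return flagged


def run_demo():
    """Build the sample tree, scan it, and return (hits, expected_folder)."""
    with tempfile.TemporaryDirectory() as base:
        expected = build_sample_profile(base)
        return find_guid_ul_folders(base), expected


if __name__ == "__main__":
    hits, expected = run_demo()
    for h in hits:
        print("suspicious:", h)
    print("match" if hits == [expected] else "mismatch")
```

On a live system, point find_guid_ul_folders at each user's AppData\Local (the only location the FRST log shows for this folder). The scan is read-only; a hit is something to confirm and hand to the helper's fix, not to delete on sight.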


#9 bobshare (Topic Starter)

Posted 15 October 2012 - 04:26 PM

OK here goes:

Step 1:
ListParts by Farbar Version: 14-10-2012
Ran by Robert (administrator) on 15-10-2012 at 17:22:11
Windows 7 (X64)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 28%
Total physical RAM: 6056.63 MB
Available physical RAM: 4337.15 MB
Total Pagefile: 12111.45 MB
Available Pagefile: 9576.7 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:916.65 GB) (Free:800.43 GB) NTFS
2 Drive d: (Repair disc 64-bit) (CDROM) (Total:0.17 GB) (Free:0 GB) UDF
4 Drive f: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT
6 Drive y: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:6.48 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 13 MB
Disk 1 No Media 0 B 0 B
Disk 2 Online 961 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 916 GB 14 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 RECOVERY NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 916 GB Healthy Boot

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 960 MB 764 KB

======================================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F FAT Removable 960 MB Healthy

======================================================================================================

****** End Of Log ******

Step 2:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-10-2012
Ran by Robert at 2012-10-15 17:25:15 Run:1
Running from F:\

ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==============================================

C:\Users\Robert\AppData\Local\{f32d5b06-5a90-7c6f-d75a-cde998de7673} moved successfully.

==== End of Fixlog ====

#10 Farbar (Security Developer)

Posted 15 October 2012 - 04:29 PM

The first two things are taken care of. :thumbup2:

Now the Quick Scan with MBAM.

#11 bobshare (Topic Starter)

Posted 15 October 2012 - 04:38 PM

It didn't seem to find anything with the quick scan. I decided to go ahead and start a full scan. I'm going to cook dinner while it finishes :)


Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.15.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Robert :: ROBERT-PC [administrator]

10/15/2012 5:28:18 PM
mbam-log-2012-10-15 (17-28-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 204784
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#12 Farbar (Security Developer)

Posted 15 October 2012 - 04:49 PM

The Full Scan isn't doing much. MBAM quick scan is all that is needed.

Instead, please do the following if you are there; otherwise, go and do the cooking. :)

  • Please download AdwCleaner and save it to your desktop.
    • Close all open programs.
    • Double click on AdwCleaner.exe to run it.
    • Click on Search.
    • Please post the content of the log to your reply.
    • A copy of the log will be saved at C:\AdwCleaner[R1].txt.
  • Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Click Run Scan button.
    • Two reports will open:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Copy and paste OTL.txt and attach Extra.txt to your reply.


#13 bobshare (Topic Starter)

Posted 15 October 2012 - 05:41 PM

OK the kids are fed so I can get back to this.

AdwCleaner says:
# AdwCleaner v2.005 - Logfile created 10/15/2012 at 18:26:37
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Robert - ROBERT-PC
# Boot Mode : Normal
# Running from : C:\Users\Robert\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\Public\Desktop\eBay.lnk

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKU\S-1-5-21-142841763-1285199829-3490562073-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v22.0.1229.94

File : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1198 octets] - [15/10/2012 18:26:37]

########## EOF - C:\AdwCleaner[R1].txt - [1258 octets] #########


OTL says:
OTL logfile created on: 10/15/2012 6:30:09 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Robert\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.91 Gb Total Physical Memory | 3.84 Gb Available Physical Memory | 64.96% Memory free
11.83 Gb Paging File | 9.08 Gb Available in Paging File | 76.73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 916.65 Gb Total Space | 800.41 Gb Free Space | 87.32% Space Free | Partition Type: NTFS
Drive D: | 169.02 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 960.00 Mb Total Space | 957.73 Mb Free Space | 99.76% Space Free | Partition Type: FAT
Drive Y: | 14.81 Gb Total Space | 6.48 Gb Free Space | 43.73% Space Free | Partition Type: NTFS

Computer Name: ROBERT-PC | User Name: Robert | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/15 18:29:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Downloads\OTL (1).exe
PRC - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/06/11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) -- C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE
PRC - [2012/02/01 11:50:58 | 000,968,048 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
PRC - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/09/09 10:44:52 | 000,048,128 | ---- | M] (FS) -- C:\Program Files (x86)\FS\Spyro Portal\FlashPortal.exe
PRC - [2011/08/25 18:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
PRC - [2011/08/18 11:05:54 | 002,751,808 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
PRC - [2011/08/18 11:05:46 | 001,692,480 | ---- | M] (SoftThinks SAS) -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
PRC - [2011/08/01 13:56:48 | 000,460,096 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
PRC - [2011/05/04 08:58:10 | 000,150,920 | ---- | M] (Dell Products, LP.) -- C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
PRC - [2008/06/26 20:09:36 | 000,167,936 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-624UB\WlanWpsSvc.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/11 08:48:25 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/05/11 08:48:23 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/05/11 08:48:22 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/05/11 08:48:17 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012/02/01 11:50:58 | 000,968,048 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
MOD - [2012/02/01 11:44:34 | 008,151,040 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtGui4.dll
MOD - [2012/02/01 11:44:34 | 002,278,400 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtCore4.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/08/18 11:05:54 | 002,751,808 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe


========== Services (SafeList) ==========

SRV:64bit: - [2012/09/10 17:47:50 | 000,383,608 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV:64bit: - [2012/07/11 14:54:58 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:64bit: - [2012/06/22 07:38:04 | 000,177,144 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2012/06/22 07:34:52 | 000,218,320 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV:64bit: - [2012/06/22 07:33:12 | 000,237,920 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV:64bit: - [2012/05/11 06:31:46 | 000,200,728 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV:64bit: - [2012/05/11 06:31:46 | 000,200,728 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV:64bit: - [2012/05/11 06:31:46 | 000,200,728 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV:64bit: - [2012/05/11 06:31:46 | 000,200,728 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV:64bit: - [2012/05/11 06:31:46 | 000,200,728 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV:64bit: - [2012/05/11 06:31:46 | 000,200,728 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV:64bit: - [2012/05/11 06:31:46 | 000,200,728 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV:64bit: - [2010/09/22 19:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2008/06/26 20:09:36 | 000,167,936 | ---- | M] () [Auto | Running] -- C:\Program Files\TRENDnet\TEW-624UB\WlanWpsSvc.exe -- (WlanWpsSvc)
SRV - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/06/11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012/06/11 16:22:16 | 000,193,616 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.EXE -- (BBSvc)
SRV - [2012/03/19 23:44:20 | 000,276,248 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs)
SRV - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/09/09 10:44:52 | 000,048,128 | ---- | M] (FS) [Auto | Running] -- C:\Program Files (x86)\FS\Spyro Portal\FlashPortal.exe -- (SpyroService)
SRV - [2011/08/25 18:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2011/08/18 11:05:46 | 001,692,480 | ---- | M] (SoftThinks SAS) [Auto | Running] -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe -- (SftService)
SRV - [2011/05/04 08:58:10 | 000,150,920 | ---- | M] (Dell Products, LP.) [Auto | Running] -- C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe -- (DellDigitalDelivery)
SRV - [2010/11/25 06:34:18 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
SRV - [2010/11/25 06:33:18 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2010/10/12 13:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
SRV - [2010/08/25 21:28:54 | 002,823,000 | ---- | M] (Dell, Inc.) [Auto | Running] -- C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe -- (NOBU)
SRV - [2010/03/18 17:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/07/09 13:42:54 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/06/22 07:40:58 | 000,069,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cfwids.sys -- (cfwids)
DRV:64bit: - [2012/06/22 07:38:16 | 000,335,784 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfewfpk.sys -- (mfewfpk)
DRV:64bit: - [2012/06/22 07:36:54 | 000,106,112 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2012/06/22 07:36:12 | 000,752,672 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2012/06/22 07:35:02 | 000,513,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfefirek.sys -- (mfefirek)
DRV:64bit: - [2012/06/22 07:34:22 | 000,300,392 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2012/06/22 07:34:00 | 000,169,320 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2012/04/20 16:40:58 | 000,196,440 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HipShieldK.sys -- (HipShieldK)
DRV:64bit: - [2012/03/19 23:32:04 | 014,745,600 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/10/01 09:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2011/10/01 09:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2011/10/01 09:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2011/10/01 09:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2011/08/05 17:25:04 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/08/05 17:25:04 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/07/22 12:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 17:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/06/10 06:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/03/10 19:27:32 | 001,576,576 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2010/11/25 06:59:16 | 000,694,888 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTL8192su.sys -- (RTL8192su)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/19 20:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2010/10/15 04:28:16 | 000,317,440 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2010/03/19 04:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2006/11/01 13:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\..\SearchScopes\{3270F542-549C-41A5-83B0-D339D97C4F82}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?FORM=UP50DF&PC=UP50&q={searchTerms}&src=IE-SearchBox
IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~2\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\9\NP_wtapp.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Robert\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Robert\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Robert\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files (x86)\McAfee\SiteAdvisor [2012/09/10 03:00:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\msktbird@mcafee.com: C:\Program Files\McAfee\MSK [2012/09/28 05:55:22 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - homepage: http://my.earthlink.net/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://my.earthlink.net/
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Robert\AppData\Local\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Robert\AppData\Local\Google\Chrome\Application\22.0.1229.94\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Robert\AppData\Local\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Robert\AppData\Local\Google\Chrome\Application\22.0.1229.94\pdf.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: AmazonMP3DownloaderPlugin (Enabled) = C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\Robert\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Robert\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~2\mcafee\msc\npmcsn~1.dll
CHR - Extension: SiteAdvisor = C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AccuWeatherWidget] C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe ()
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe (Dell, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-142841763-1285199829-3490562073-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKU\S-1-5-21-142841763-1285199829-3490562073-1000\..Trusted Domains: robotgalaxy.com ([www] http in Trusted sites)
O16 - DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} http://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab (IGDTester Class)
O16 - DPF: RGFCPlugin http://www.robotgalaxy.com/images/plugin/RGFCPlugin.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0759B54-E45D-4140-A822-5056720F9EF4}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\gopher - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/30 18:01:00 | 000,000,053 | -HS- | M] () - Y:\AUTORUN.INF -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/15 17:27:32 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/10/15 16:54:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012/10/15 14:37:16 | 000,000,000 | ---D | C] -- C:\FRST
[2012/10/10 15:26:57 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\SUPERAntiSpyware.com
[2012/10/10 15:26:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/10/10 15:26:48 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/10/10 15:26:48 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/10/10 12:19:20 | 000,000,000 | ---D | C] -- C:\Users\Robert\Documents\Autoruns
[2012/09/28 20:55:41 | 000,000,000 | ---D | C] -- C:\Users\Robert\Documents\New folder
[2012/09/27 22:50:30 | 000,196,440 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\HipShieldK.sys
[2012/09/25 19:20:51 | 002,815,696 | ---- | C] (YoYoGames Ltd) -- C:\Users\Robert\Desktop\MAZE of ORBS.exe
[2012/09/25 06:05:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/09/25 06:05:17 | 000,033,240 | ---- | C] (GEAR Software Inc.) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys
[2012/09/25 06:04:44 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/09/25 06:04:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2012/09/25 06:04:44 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/09/25 06:04:44 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2012/09/25 06:02:28 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/09/25 06:01:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/09/25 06:01:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[2012/09/24 13:41:59 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/09/21 19:53:04 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\{9BC619FB-57F3-49C0-BCDB-2CD8EDB59E16}
[2012/09/20 14:39:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/09/20 14:39:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/09/20 09:08:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/20 09:08:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/09/15 23:20:50 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\{505A6D44-6C42-4BD8-BC03-385D3C222623}
[2012/07/28 12:47:40 | 002,799,224 | ---- | C] (YoYoGames Ltd) -- C:\Users\Robert\treasure.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Robert\Documents\*.tmp files -> C:\Users\Robert\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/10/15 18:22:21 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-142841763-1285199829-3490562073-1000UA.job
[2012/10/15 17:27:39 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/15 16:56:27 | 000,021,296 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/15 16:56:27 | 000,021,296 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/15 16:54:17 | 000,001,790 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Security Center.lnk
[2012/10/15 16:53:15 | 000,780,220 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/10/15 16:53:15 | 000,660,732 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/10/15 16:53:15 | 000,121,402 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/10/15 16:48:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/10/15 16:48:43 | 468,156,415 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/13 02:22:01 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-142841763-1285199829-3490562073-1000Core.job
[2012/10/11 16:27:12 | 000,002,645 | ---- | M] () -- C:\Users\Public\Documents\Global.sw2
[2012/10/10 21:41:49 | 000,000,000 | ---- | M] () -- C:\Users\Robert\defogger_reenable
[2012/10/10 20:23:37 | 000,002,493 | ---- | M] () -- C:\Users\Robert\Desktop\Google Chrome.lnk
[2012/10/10 16:59:05 | 000,836,461 | ---- | M] () -- C:\Users\Robert\AppData\Local\census.cache
[2012/10/10 16:58:35 | 000,110,364 | ---- | M] () -- C:\Users\Robert\AppData\Local\ars.cache
[2012/10/10 16:53:49 | 000,000,036 | ---- | M] () -- C:\Users\Robert\AppData\Local\housecall.guid.cache
[2012/10/10 15:26:50 | 000,001,770 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/10/10 12:43:08 | 002,790,920 | ---- | M] () -- C:\Users\Robert\Documents\AutoRuns.arn
[2012/10/09 19:25:34 | 000,000,784 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/09/25 19:20:52 | 002,815,696 | ---- | M] (YoYoGames Ltd) -- C:\Users\Robert\Desktop\MAZE of ORBS.exe
[2012/09/25 19:20:19 | 000,525,737 | ---- | M] () -- C:\Users\Robert\Desktop\MAZE of ORBS.gmk
[2012/09/25 06:05:32 | 000,001,785 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/09/25 06:01:18 | 000,001,847 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/09/22 21:08:16 | 004,683,943 | ---- | M] () -- C:\Users\Robert\Desktop\Robots Vs. Dragons final clash.exe
[2012/09/22 21:08:10 | 002,264,650 | ---- | M] () -- C:\Users\Robert\Desktop\Robots Vs. Dragons final clash.gmk
[2012/09/22 18:03:49 | 000,000,915 | ---- | M] () -- C:\Users\Robert\Desktop\Install TDL Rootkit Detector.lnk
[2012/09/20 21:34:16 | 000,006,226 | ---- | M] () -- C:\Users\Robert\Documents\cc_20120920_213354.reg
[2012/09/20 20:43:18 | 004,684,672 | ---- | M] () -- C:\Users\Robert\Desktop\Robots Vs. Dragons 2.0.exe
[2012/09/20 20:43:11 | 002,266,999 | ---- | M] () -- C:\Users\Robert\Desktop\Robots Vs. Dragons 2.0.gmk
[2012/09/20 15:18:12 | 000,111,152 | ---- | M] () -- C:\Users\Robert\Documents\cc_20120920_151552.reg
[2012/09/19 08:46:00 | 000,001,439 | ---- | M] () -- C:\Users\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/09/19 08:45:59 | 000,001,371 | ---- | M] () -- C:\Users\Robert\Desktop\Internet Explorer (64-bit).lnk
[2012/09/18 13:16:10 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/09/17 16:02:36 | 000,797,314 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/09/15 20:15:44 | 000,007,607 | ---- | M] () -- C:\Users\Robert\AppData\Local\Resmon.ResmonCfg
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Robert\Documents\*.tmp files -> C:\Users\Robert\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/10/14 18:23:51 | 000,001,371 | ---- | C] () -- C:\Users\Robert\Desktop\Internet Explorer (64-bit).lnk
[2012/10/10 21:41:49 | 000,000,000 | ---- | C] () -- C:\Users\Robert\defogger_reenable
[2012/10/10 16:59:05 | 000,836,461 | ---- | C] () -- C:\Users\Robert\AppData\Local\census.cache
[2012/10/10 16:58:35 | 000,110,364 | ---- | C] () -- C:\Users\Robert\AppData\Local\ars.cache
[2012/10/10 16:53:49 | 000,000,036 | ---- | C] () -- C:\Users\Robert\AppData\Local\housecall.guid.cache
[2012/10/10 15:26:50 | 000,001,770 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/10/10 12:43:08 | 002,790,920 | ---- | C] () -- C:\Users\Robert\Documents\AutoRuns.arn
[2012/09/25 19:20:19 | 000,525,737 | ---- | C] () -- C:\Users\Robert\Desktop\MAZE of ORBS.gmk
[2012/09/25 06:05:32 | 000,001,785 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/09/25 06:01:18 | 000,001,847 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/09/22 21:08:15 | 004,683,943 | ---- | C] () -- C:\Users\Robert\Desktop\Robots Vs. Dragons final clash.exe
[2012/09/22 21:08:09 | 002,264,650 | ---- | C] () -- C:\Users\Robert\Desktop\Robots Vs. Dragons final clash.gmk
[2012/09/22 18:03:49 | 000,000,915 | ---- | C] () -- C:\Users\Robert\Desktop\Install TDL Rootkit Detector.lnk
[2012/09/20 21:33:56 | 000,006,226 | ---- | C] () -- C:\Users\Robert\Documents\cc_20120920_213354.reg
[2012/09/20 20:43:16 | 004,684,672 | ---- | C] () -- C:\Users\Robert\Desktop\Robots Vs. Dragons 2.0.exe
[2012/09/20 20:43:10 | 002,266,999 | ---- | C] () -- C:\Users\Robert\Desktop\Robots Vs. Dragons 2.0.gmk
[2012/09/20 15:16:04 | 000,111,152 | ---- | C] () -- C:\Users\Robert\Documents\cc_20120920_151552.reg
[2012/09/20 14:39:09 | 000,000,784 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/09/20 09:08:31 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/19 08:45:59 | 000,001,371 | ---- | C] () -- C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2012/09/19 08:45:58 | 000,001,445 | ---- | C] () -- C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/09/19 08:45:58 | 000,001,439 | ---- | C] () -- C:\Users\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/09/15 20:15:44 | 000,007,607 | ---- | C] () -- C:\Users\Robert\AppData\Local\Resmon.ResmonCfg
[2012/09/03 11:27:44 | 000,000,184 | ---- | C] () -- C:\ProgramData\-6p2ahoMWKsYWSVr
[2012/09/03 11:27:44 | 000,000,168 | ---- | C] () -- C:\ProgramData\-6p2ahoMWKsYWSV
[2012/09/03 11:27:35 | 000,000,368 | ---- | C] () -- C:\ProgramData\6p2ahoMWKsYWSV
[2012/07/30 12:14:09 | 002,368,958 | ---- | C] () -- C:\Users\Robert\the easiest vampire game of doom.exe
[2012/06/17 00:58:29 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2012/03/19 23:31:16 | 000,963,912 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2012/03/19 23:31:16 | 000,261,208 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2012/03/19 23:25:58 | 000,058,880 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2012/03/19 22:21:14 | 013,212,672 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
[2012/01/31 23:11:35 | 000,000,469 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
[2011/12/29 19:12:42 | 000,011,788 | -HS- | C] () -- C:\Users\Robert\AppData\Local\vu77n761xljc078kjd3vtvsbev506y40h8h41513v
[2011/12/29 19:12:42 | 000,011,788 | -HS- | C] () -- C:\ProgramData\vu77n761xljc078kjd3vtvsbev506y40h8h41513v
[2011/08/27 11:56:18 | 000,000,227 | ---- | C] () -- C:\Windows\PowerReg.dat
[2011/08/27 11:56:14 | 000,045,568 | ---- | C] () -- C:\Windows\UniFish3.exe
[2011/08/05 17:06:12 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2011/02/10 12:10:51 | 000,797,314 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

========== ZeroAccess Check ==========

[2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 01:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 00:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 23:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >


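Added example (my own Python, not OTL's code and not anything posted in this thread): a parser for the "ZeroAccess Check" block of the report above that reports the indicator OTL is looking for. Windows builds HKEY_CLASSES_ROOT by merging HKCU\Software\Classes ahead of HKLM\Software\Classes, so a populated per-user InProcServer32 value for one of these shell or WMI CLSIDs makes the named DLL load in place of the Microsoft one for that user; an empty HKCU key, as in this report, is the clean state. The sample logs are constructed from the keys in the report (abridged); the "hijacked" variant and its DLL path are hypothetical.

```python
"""Parse the 'ZeroAccess Check' block of an OTL log and flag COM-hijack indicators.
Constructed for this thread; not OTL's own code."""
import re
from dataclasses import dataclass, field

# OTL prints each CLSID's InProcServer32 key; 64-bit keys carry a trailing "/64".
KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+?InProcServer32)\](?:\s*/64)?\s*$', re.I)
# Value lines look like: "name" = data -- [timestamp | size | attrs | M] (Company)
VAL_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*?)(?:\s+--\s+\[.*)?$')
CLSID_RE = re.compile(r'\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)
# Legitimate servers for these shell/WMI CLSIDs live under the Windows directory.
WINDOWS_PREFIXES = ('c:\\windows\\', '%systemroot%\\')


@dataclass
class ComServer:
    hive: str
    key: str
    clsid: str
    values: dict = field(default_factory=dict)


def parse_zeroaccess_check(log_text: str) -> list[ComServer]:
    """Return one ComServer per InProcServer32 key listed in the ZeroAccess section."""
    servers: list[ComServer] = []
    current = None
    in_section = False
    for line in log_text.splitlines():
        if line.startswith('========== ZeroAccess Check'):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith('==========') or line.startswith('< End of report >'):
            break  # next OTL section or end of the report
        key_match = KEY_RE.match(line)
        if key_match:
            hive, key = key_match.group(1).upper(), key_match.group(2)
            current = ComServer(hive, key, CLSID_RE.search(key).group(0).lower())
            servers.append(current)
            continue
        val_match = VAL_RE.match(line)
        if val_match and current is not None:
            current.values[val_match.group('name')] = val_match.group('data').strip()
    return servers


def assess(servers: list[ComServer]) -> list[str]:
    """Flag a populated per-user InProcServer32 (loads ahead of the HKLM DLL for
    that user) and any machine-wide server outside the Windows directory."""
    findings = []
    for s in servers:
        dll = s.values.get('', '')
        if not dll:
            continue  # empty key: nothing is loaded from it
        if s.hive == 'HKEY_CURRENT_USER':
            findings.append(f'per-user InProcServer32 override for {s.clsid}: {dll}')
        elif not dll.lower().startswith(WINDOWS_PREFIXES):
            findings.append(f'machine-wide {s.clsid} served from outside Windows: {dll}')
    return findings


# Constructed sample: clean keys taken from the OTL report in this thread (abridged).
CLEAN_LOG = r'''
========== ZeroAccess Check ==========

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 01:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
'''

# Constructed, hypothetical infected variant: the per-user key now names a DLL in
# the profile, which would be loaded instead of the Microsoft server.
HIJACKED_LOG = CLEAN_LOG.replace(
    '{fbeb8a05-beee-4442-804e-409d6c4515e9}\\InProcServer32] /64\n',
    '{fbeb8a05-beee-4442-804e-409d6c4515e9}\\InProcServer32] /64\n'
    + r'"" = C:\Users\Robert\AppData\Local\EXAMPLE-hijack\example.dll' + '\n', 1)


if __name__ == '__main__':
    for name, log in (('clean', CLEAN_LOG), ('hijacked', HIJACKED_LOG)):
        print(name, assess(parse_zeroaccess_check(log)) or ['no COM-hijack indicators'])
```

Run it against a saved OTL.txt by reading the file into `parse_zeroaccess_check`; the clean report prints no indicators, the constructed variant reports the per-user override for {fbeb8a05-...}.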
#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:01 AM

Posted 15 October 2012 - 06:09 PM

The kids always come first. :)

It looks good and you are good to go. :thumbup2:

  • Please open OTL.
    • Copy the text in code box and paste it to Custom Scans/Fixes section:

      :otl
      [2012/09/03 11:27:44 | 000,000,184 | ---- | C] () -- C:\ProgramData\-6p2ahoMWKsYWSVr
      [2012/09/03 11:27:44 | 000,000,168 | ---- | C] () -- C:\ProgramData\-6p2ahoMWKsYWSV
      [2012/09/03 11:27:35 | 000,000,368 | ---- | C] () -- C:\ProgramData\6p2ahoMWKsYWSV
      [2011/12/29 19:12:42 | 000,011,788 | -HS- | C] () -- C:\Users\Robert\AppData\Local\vu77n761xljc078kjd3vtvsbev506y40h8h41513v
      [2011/12/29 19:12:42 | 000,011,788 | -HS- | C] () -- C:\ProgramData\vu77n761xljc078kjd3vtvsbev506y40h8h41513v
      
      
    • Click Run Fix button.
    • If the fix needs a reboot, please do it.
    • When it has finished, a log will open. If it says "successfully deleted" (4 times), we are done here.
  • Please run OTL.
    • Click Clean Up button.
    • Accept any prompts.
    • This will remove OTL, and will require a reboot.
  • You may delete any tool or log we used from your computer.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll back" to a clean working state if needed:
    • Go to Start => Right-click "Computer" and select "Properties".
    • In the left pane select "System Protection".
    • Press "Configure".
    • Select "Delete". Then press "Continue", close, and "OK".
    • Select your drive (drive C) and press "Create".
      Fill in a name for the restore point and press "Create".
      When finished, press "Close".
Happy Surfing bobshare. :)

#15 bobshare

bobshare
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 15 October 2012 - 06:39 PM

All done - except OTL says the files were "successfully moved", not deleted. I hope that is just as good.

Thanks so much again Farbar for your help. I never would have figured this out on my own.



