Possible ZeroAccess rootkit infection


45 replies to this topic

#1 xSOSx


Posted 22 February 2013 - 11:10 PM

I believe my computer had the Zero Access rootkit. I took many steps to remove it, including deleting many malicious files, and I want to be sure my computer is now clean.

 

Here is my DDS log. Thanks in advance.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 10.13.2
Run by peter at 21:37:55 on 2013-02-22
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.1787.587 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\ATT\8.2.1.6\ma\bin\MAHostService.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\ATT\8.2.1.6\ma\bin\node.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\Motive\pcCMService.exe
C:\Program Files\Common Files\Motive\pcCMService.exe
C:\Windows\SysWOW64\PGPserv.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe
C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe
C:\Users\peter\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Microsoft Office\Office\WINWORD.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Coupon Companion Plugin: {11111111-1111-1111-1111-110211181104} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
uRun: [DymoQuickPrint] "C:\Program Files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [DLSService] "C:\Program Files (x86)\DYMO\DYMO Label Software\DLSService.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun: [ScanSnap WIA Service Checker] C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [SMessaging] C:\Users\peter\AppData\Local\Strongvault Online Backup\SMessaging.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\peter\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\Users\peter\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\peter\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\peter\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\_UNINS~1.LNK - C:\Users\peter\AppData\Local\Temp\_uninst_46063751.bat
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUDIBL~1.LNK - C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
LSP: C:\Windows\System32\PGPlsp.dll
Trusted Zone: $talisma_url$
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{0D04A0FC-3742-4DD7-99AD-8C633B5A0934} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{5F12F270-7CAF-4F3E-834C-CD7FB6D78340} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{BDCC9DC7-E0AA-4992-A2DB-25E053033D84} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{BDCC9DC7-E0AA-4992-A2DB-25E053033D84}\16474777966696 : DHCPNameServer = 192.168.5.1
TCP: Interfaces\{BDCC9DC7-E0AA-4992-A2DB-25E053033D84}\2656C6B696E6534376 : DHCPNameServer = 192.168.2.1 75.75.75.75 75.75.76.76
TCP: Interfaces\{BDCC9DC7-E0AA-4992-A2DB-25E053033D84}\374716D60736964797 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{BDCC9DC7-E0AA-4992-A2DB-25E053033D84}\4414953594E4E402A4143455A5A594 : DHCPNameServer = 10.1.10.1
TCP: Interfaces\{BDCC9DC7-E0AA-4992-A2DB-25E053033D84}\7594E4F566938303 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{BDCC9DC7-E0AA-4992-A2DB-25E053033D84}\C456745616E647 : DHCPNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{BDCC9DC7-E0AA-4992-A2DB-25E053033D84}\C696E6B6379737 : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
SSODL: WebCheck - <orphaned>
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
x64-Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\dt630rd6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\ATT\8.2.1.6\ma\bin\npMotive.dll
FF - plugin: C:\Program Files (x86)\Common Files\Motive\npMotiveRequest.dll
FF - plugin: C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_168.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-01-27 21:48; firefox@unfriendfinder.com; C:\Users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\dt630rd6.default\extensions\firefox@unfriendfinder.com.xpi
FF - ExtSQL: 2013-01-29 16:39; extension21804@extension21804.com; C:\Users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\dt630rd6.default\extensions\extension21804@extension21804.com
FF - ExtSQL: 2013-02-08 01:54; mcciwbch@motive.com; C:\Program Files (x86)\Mozilla Firefox\extensions\mcciwbch@motive.com.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 46063751;46063751;C:\Windows\System32\drivers\46063751.sys [2013-2-19 460888]
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-10-15 63328]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-11-15 111968]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]
R0 pgpfs;PGP File Sharing;C:\Windows\System32\drivers\PGPfsfd.sys [2009-12-17 169080]
R0 Pgpwdefs;Pgpwdefs;C:\Windows\System32\drivers\PGPwdefs.sys [2009-12-17 14456]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-10-22 154464]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-9-22 98208]
R2 ATT MAHostService;ATT MAHostService;C:\Program Files (x86)\ATT\8.2.1.6\ma\bin\MAHostService.exe [2013-1-23 319488]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-15 5814904]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 DirMngr;DirMngr;C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [2011-3-2 224256]
R2 DymoPnpService;DYMO PnP Service;C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [2011-8-10 32336]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-6-18 103992]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 pcCMService;pcCMService;C:\Program Files (x86)\Common Files\Motive\pcCMService.exe [2013-2-8 369152]
R2 pcCMService64;pcCMService64;C:\Program Files\Common Files\Motive\pcCMService.exe [2013-2-8 460288]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-2-8 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-9-22 347680]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-9-22 38456]
S2 !SASCORE;SAS Core Service;"C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" --> C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [?]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;C:\Windows\System32\drivers\BVRPMPR5a64.SYS [2012-3-14 35840]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 optousb;OPTO ELECTRONICS optousb;C:\Windows\System32\drivers\optousb.sys [2010-3-24 27264]
S3 optovcm;OPTO ELECTRONICS optovcm;C:\Windows\System32\drivers\optovcm.sys [2010-3-24 34304]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-5-24 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe --> C:\Windows\System32\atiesrxx.exe [?]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
FileExt: .js: JSFile=C:\Windows\System32\WScript.exe "%1" %* [UserChoice]
.
=============== Created Last 30 ================
.
2013-02-22 22:50:44    --------    d-----w-    C:\$RECYCLE.BIN
2013-02-22 07:22:33    9162192    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6DFD9B82-E3EB-42AE-88D7-EA24077220AE}\mpengine.dll
2013-02-20 06:11:15    24176    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-02-20 06:11:15    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-02-20 05:16:36    --------    d-----w-    C:\ProgramData\Kaspersky Lab
2013-02-20 05:14:32    460888    ----a-w-    C:\Windows\System32\drivers\46063751.sys
2013-02-15 09:22:23    --------    d-----r-    C:\Users\peter\Dropbox
2013-02-15 09:17:37    --------    d-----w-    C:\Users\peter\AppData\Roaming\Dropbox
2013-02-15 06:22:21    --------    d-----w-    C:\Users\peter\AppData\Local\GNU
2013-02-15 06:22:06    --------    d-----w-    C:\Users\peter\.kde
2013-02-15 05:38:53    --------    d-----w-    C:\Users\peter\AppData\Roaming\gnupg
2013-02-15 05:38:49    --------    d-----w-    C:\ProgramData\GNU
2013-02-15 05:38:31    --------    d-----w-    C:\Program Files (x86)\GNU
2013-02-14 01:30:26    95648    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-14 01:25:48    0    ----a-w-    C:\Windows\SysWow64\RENA93D.tmp
2013-02-14 01:25:48    0    ----a-w-    C:\Windows\SysWow64\RENA92C.tmp
2013-02-13 23:43:47    --------    d-----w-    C:\Windows\EBC90C68FCB64C18950C85F6650976D7.TMP
2013-02-13 21:51:52    --------    d-----w-    C:\Users\peter\EBC90C68FCB64C18950C85F6650976D7.TMP
2013-02-13 09:07:35    996352    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 09:07:35    768000    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 05:47:59    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-02-08 07:47:37    --------    d-----w-    C:\Program Files (x86)\ATT
2013-02-08 07:46:17    --------    d-----w-    C:\Program Files\Common Files\Motive
2013-02-05 05:07:37    --------    d-----w-    C:\Program Files (x86)\Audible
2013-02-01 05:49:39    33240    ----a-w-    C:\Windows\System32\drivers\GEARAspiWDM.sys
2013-02-01 05:47:41    --------    d-----w-    C:\Program Files\iPod
2013-02-01 05:47:09    --------    d-----w-    C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-02-01 05:47:09    --------    d-----w-    C:\Program Files\iTunes
2013-02-01 05:47:09    --------    d-----w-    C:\Program Files (x86)\iTunes
2013-02-01 05:41:36    --------    d-----w-    C:\Program Files\Bonjour
2013-02-01 05:41:36    --------    d-----w-    C:\Program Files (x86)\Bonjour
2013-02-01 03:46:30    --------    d-----w-    C:\Program Files (x86)\Alleycode
2013-01-29 22:44:48    --------    d-----w-    C:\Users\peter\AppData\Roaming\Strongvault
2013-01-29 22:42:55    --------    d-----w-    C:\Users\peter\AppData\Local\Stronghold_LLC
2013-01-29 22:41:55    --------    d-sh--w-    C:\Windows\SysWow64\AI_RecycleBin
2013-01-29 22:40:00    --------    d-----w-    C:\Users\peter\AppData\Local\Coupon Companion Plugin
2013-01-29 22:39:45    --------    d-----w-    C:\Users\peter\AppData\Local\Updater21804
2013-01-29 22:39:18    --------    d-----w-    C:\Program Files (x86)\Coupon Companion Plugin
2013-01-29 22:03:51    --------    d-----w-    C:\Program Files (x86)\Common Files\Mobipocket Shared
2013-01-29 22:03:45    --------    d-----w-    C:\Program Files (x86)\Mobipocket.com
.
==================== Find3M  ====================
.
2013-02-14 09:28:10    71024    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-14 09:28:10    691568    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-14 01:30:04    861088    ----a-w-    C:\Windows\SysWow64\npDeployJava1.dll
2013-02-14 01:30:04    782240    ----a-w-    C:\Windows\SysWow64\deployJava1.dll
2013-01-17 07:28:58    273840    ------w-    C:\Windows\System32\MpSigStub.exe
2013-01-16 19:53:49    0    ----a-w-    C:\Windows\SysWow64\sho6C69.tmp
2013-01-09 01:19:09    2312704    ----a-w-    C:\Windows\System32\jscript9.dll
2013-01-09 01:12:03    1392128    ----a-w-    C:\Windows\System32\wininet.dll
2013-01-09 01:11:06    1494528    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-01-09 01:07:51    173056    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-01-09 01:07:47    599040    ----a-w-    C:\Windows\System32\vbscript.dll
2013-01-09 01:04:42    2382848    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-01-08 22:11:21    1800704    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-01-08 22:03:20    1129472    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-01-08 22:03:12    1427968    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-01-08 21:59:02    142848    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-01-08 21:58:29    420864    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2013-01-08 21:56:23    2382848    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-01-05 05:57:43    5500776    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-01-05 05:02:17    3957608    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:02:17    3902312    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-01-04 05:41:01    1893224    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-01-04 05:40:54    287576    ----a-w-    C:\Windows\System32\drivers\FWPKCLNT.SYS
2013-01-04 05:37:01    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2013-01-04 05:37:00    243200    ----a-w-    C:\Windows\System32\wow64.dll
2013-01-04 05:37:00    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2013-01-04 05:36:33    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-01-04 05:33:49    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2013-01-04 05:30:34    424960    ----a-w-    C:\Windows\System32\KernelBase.dll
2013-01-04 05:27:03    6144    ---ha-w-    C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-01-04 05:27:03    3072    ---ha-w-    C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-01-04 05:27:03    3072    ---ha-w-    C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-01-04 05:27:02    4608    ---ha-w-    C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-04 05:27:02    4096    ---ha-w-    C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-04 05:27:02    4096    ---ha-w-    C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-01-04 05:27:01    3584    ---ha-w-    C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-04 05:27:01    3072    ---ha-w-    C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-01-04 05:27:00    4608    ---ha-w-    C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-04 05:27:00    3584    ---ha-w-    C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-04 05:27:00    3072    ---ha-w-    C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-01-04 04:51:09    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-01-04 04:51:08    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2013-01-04 03:22:49    3150848    ----a-w-    C:\Windows\System32\win32k.sys
2013-01-04 03:19:55    338432    ----a-w-    C:\Windows\System32\conhost.exe
2013-01-04 02:48:37    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-01-04 02:48:34    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-01-04 02:48:33    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-01-04 02:43:35    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-01-04 02:43:34    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-01-04 02:43:34    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-04 02:43:34    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-12-20 06:40:29    107816    ----a-w-    C:\Windows\SysWow64\SynTPCOM.dll
2012-12-20 06:40:28    215336    ----a-w-    C:\Windows\System32\SynTPAPI.dll
2012-12-20 06:40:28    147752    ----a-w-    C:\Windows\System32\SynTPCo4.dll
2012-12-20 06:40:28    1390640    ----a-w-    C:\Windows\System32\drivers\SynTP.sys
2012-12-20 06:40:25    400168    ----a-w-    C:\Windows\System32\SynCOM.dll
2012-12-20 06:40:25    271144    ----a-w-    C:\Windows\System32\SynCtrl.dll
2012-12-20 06:40:25    214312    ----a-w-    C:\Windows\SysWow64\SynCtrl.dll
2012-12-20 06:40:25    173352    ----a-w-    C:\Windows\SysWow64\SynCOM.dll
2012-12-16 16:52:02    46080    ----a-w-    C:\Windows\System32\atmlib.dll
2012-12-16 14:40:45    367616    ----a-w-    C:\Windows\System32\atmfd.dll
2012-12-16 14:25:27    295424    ----a-w-    C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:25:19    34304    ----a-w-    C:\Windows\SysWow64\atmlib.dll
2012-12-07 05:41:16    441856    ----a-w-    C:\Windows\System32\Wpc.dll
2012-12-07 05:35:34    2745856    ----a-w-    C:\Windows\System32\gameux.dll
2012-12-07 05:04:20    308736    ----a-w-    C:\Windows\SysWow64\Wpc.dll
2012-12-07 04:57:38    2576384    ----a-w-    C:\Windows\SysWow64\gameux.dll
2012-12-07 03:21:08    45568    ----a-w-    C:\Windows\SysWow64\oflc-nz.rs
.
============= FINISH: 21:39:32.35 ===============
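The kind of first-pass triage a responder applies when reading a DDS report like the one above, written as an added example for this thread rather than any tool or helper's own method: the rules (a kernel driver whose file name is only digits, a logon item run from the user's Temp folder, a 32-hex-character .TMP directory, and UAC prompting turned off on the secure desktop) are my own assumptions, and the sample input is constructed from lines of the posted log.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a dozen lines in the shape of the DDS report above. The values
# are copied from that report; the choice of which lines to include is mine.
SAMPLE_DDS_LINES = [
    r"============== Pseudo HJT Report ===============",
    r"uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe",
    r"StartupFolder: C:\Users\peter\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\_UNINS~1.LNK - C:\Users\peter\AppData\Local\Temp\_uninst_46063751.bat",
    r"mPolicies-System: ConsentPromptBehaviorAdmin = dword:5",
    r"mPolicies-System: PromptOnSecureDesktop = dword:0",
    r".",
    r"============= SERVICES / DRIVERS ===============",
    r"R0 46063751;46063751;C:\Windows\System32\drivers\46063751.sys [2013-2-19 460888]",
    r"R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]",
    r"=============== Created Last 30 ================",
    r"2013-02-20 05:14:32    460888    ----a-w-    C:\Windows\System32\drivers\46063751.sys",
    r"2013-02-13 23:43:47    --------    d-----w-    C:\Windows\EBC90C68FCB64C18950C85F6650976D7.TMP",
    r"2013-02-13 09:07:35    996352    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll",
]

# DDS section banners look like "=============== Created Last 30 ================".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Heuristic rules (my assumptions, not DDS output semantics):
# (rule name, pattern, sections the rule applies to)
RULES: List[Tuple[str, "re.Pattern[str]", Tuple[str, ...]]] = [
    # A kernel driver whose file name is nothing but digits carries no vendor naming at all.
    ("numeric-named driver", re.compile(r"\\drivers\\\d+\.sys\b", re.IGNORECASE),
     ("SERVICES / DRIVERS", "Created Last 30")),
    # Something executable launched at logon straight from the per-user Temp folder.
    ("autostart from Temp",
     re.compile(r"\\AppData\\Local\\Temp\\[^\\\s]+\.(?:exe|bat|cmd|dll|scr)\b", re.IGNORECASE),
     ("Pseudo HJT Report",)),
    # A directory named <32 hex chars>.TMP created in the last 30 days.
    ("hex-named .TMP directory", re.compile(r"\\[0-9A-F]{32}\.TMP\b"), ("Created Last 30",)),
    # UAC consent prompts no longer shown on the secure desktop (default on Windows 7 is 1).
    ("UAC secure desktop off", re.compile(r"PromptOnSecureDesktop = dword:0\b"), ("Pseudo HJT Report",)),
]


def parse_sections(lines: List[str]) -> Dict[str, List[str]]:
    """Group DDS lines under the section banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "(preamble)"
    for raw in lines:
        line = raw.strip()
        if not line or line == ".":
            continue  # DDS pads its sections with lone dots and blank lines
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule name, section, offending line) for every rule hit, in log order."""
    hits: List[Tuple[str, str, str]] = []
    for section, body in parse_sections(lines).items():
        for line in body:
            for name, pattern, scope in RULES:
                if scope and section not in scope:
                    continue
                if pattern.search(line):
                    hits.append((name, section, line))
    return hits


def shared_numeric_tokens(hits: List[Tuple[str, str, str]], min_len: int = 6) -> Dict[str, Set[str]]:
    """Map digit runs to the rules they appear under, keeping only tokens that
    occur under more than one rule: such a token ties otherwise separate findings
    (here the driver name and the Temp batch file) to one installation."""
    seen: Dict[str, Set[str]] = {}
    for name, _section, line in hits:
        for token in set(re.findall(r"\d{%d,}" % min_len, line)):
            seen.setdefault(token, set()).add(name)
    return {token: rules for token, rules in seen.items() if len(rules) > 1}


if __name__ == "__main__":
    findings = triage(SAMPLE_DDS_LINES)
    for name, section, line in findings:
        print(f"[{name}] ({section}) {line}")
    for token, rules in shared_numeric_tokens(findings).items():
        print(f"token {token} links: {', '.join(sorted(rules))}")
```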
 



#2 jeffce


  • Malware Response Team

Posted 22 February 2013 - 11:13 PM

Hi and welcome to Bleeping Computer! My name is Jeff and I would be more than happy to help you with your malware related problems.

 

 

Please download aswMBR to your desktop.
 
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.


#3 xSOSx

  • Topic Starter

Posted 23 February 2013 - 01:03 AM

Thanks for your quick response.


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-22 22:42:32
-----------------------------
22:42:32.388    OS Version: Windows x64 6.1.7600
22:42:32.388    Number of processors: 1 586 0x603
22:42:32.388    ComputerName: PETER-HP  UserName: peter
22:42:33.387    Initialize success
22:43:53.327    AVAST engine defs: 13022201
22:46:39.171    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
22:46:39.171    Disk 0 Vendor: ST925031 0005 Size: 238475MB BusType: 11
22:46:39.202    Disk 0 MBR read successfully
22:46:39.202    Disk 0 MBR scan
22:46:39.265    Disk 0 unknown MBR code
22:46:39.280    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
22:46:39.311    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       221571 MB offset 409600
22:46:39.358    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        16600 MB offset 454187008
22:46:39.374    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 488183808
22:46:39.483    Disk 0 scanning C:\Windows\system32\drivers
22:46:56.425    Service scanning
22:47:57.781    Modules scanning
22:47:57.812    Disk 0 trace - called modules:
22:47:58.451    ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
22:47:58.498    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80025fb060]
22:47:58.514    3 CLASSPNP.SYS[fffff8800219543f] -> nt!IofCallDriver -> [0xfffffa80025a4040]
22:47:58.529    5 amdxata.sys[fffff88000dbb7a8] -> nt!IofCallDriver -> \Device\00000063[0xfffffa800259e060]
22:47:59.933    AVAST engine scan C:\Windows
22:48:06.673    AVAST engine scan C:\Windows\system32
22:54:55.832    AVAST engine scan C:\Windows\system32\drivers
22:55:19.809    AVAST engine scan C:\Users\peter
23:36:32.119    AVAST engine scan C:\ProgramData
23:46:29.228    Scan finished successfully
23:46:50.980    Disk 0 MBR has been saved successfully to "C:\Users\peter\Desktop\MBR.dat"
23:46:51.000    The log file has been saved successfully to "C:\Users\peter\Desktop\aswMBR.txt"

     



#4 jeffce

  • Malware Response Team

Posted 23 February 2013 - 09:17 AM

Hi,

It looks like you did have the ZeroAccess infection on your system and there might be parts of it still there...

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
----------

ComboFix

Download Combofix from the link below, and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
----------

     


     


    #5 xSOSx

    xSOSx
    • Topic Starter

    • Members
    • 19 posts
    • OFFLINE
    •  
    • Local time:06:01 AM

    Posted 24 February 2013 - 12:54 AM

    Thanks for your reply. As I suspected.

     

    I ran ComboFix prior to your latest post, so I hope a log that is a couple days old will still be relevant.

     

    I don't know if you are able to answer questions that do not relate directly to removal, but I am very interested to know if this is the type of Trojan that can be picked up through casual internet use, or if I am likely to have been specifically targeted by someone.

     

    Thanks again, here is the log:

     

     ComboFix 13-02-18.02 - peter 02/22/2013  15:38:49.4.1 - x64
    Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.1787.767 [GMT -6:00]
    Running from: c:\users\peter\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\program files (x86)\Coupon Companion Plugin\CoUPon companion plugin.dll
    c:\users\peter\AppData\Local\Temp\0016283\2837717.exe
    c:\users\peter\AppData\Local\Temp\0016283\advdis.ppl
    c:\users\peter\AppData\Local\Temp\0016283\avlib.ppl
    c:\users\peter\AppData\Local\Temp\0016283\avpgs.ppl
    c:\users\peter\AppData\Local\Temp\0016283\avpgui.ppl
    c:\users\peter\AppData\Local\Temp\0016283\avs.ppl
    c:\users\peter\AppData\Local\Temp\0016283\avspm.ppl
    c:\users\peter\AppData\Local\Temp\0016283\avzkrnl.dll
    c:\users\peter\AppData\Local\Temp\0016283\avzscan.ppl
    c:\users\peter\AppData\Local\Temp\0016283\base64.ppl
    c:\users\peter\AppData\Local\Temp\0016283\base64p.ppl
    c:\users\peter\AppData\Local\Temp\0016283\basegui.ppl
    c:\users\peter\AppData\Local\Temp\0016283\bases\arkmon.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\avengine.dll
    c:\users\peter\AppData\Local\Temp\0016283\bases\avpcure.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\bsshlp2.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\kavbase.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\kavsys.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\kjim.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\klavemu.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\mark.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\pbs.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\qscan.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bases\vlns.kdl
    c:\users\peter\AppData\Local\Temp\0016283\bl.ppl
    c:\users\peter\AppData\Local\Temp\0016283\btdisk.ppl
    c:\users\peter\AppData\Local\Temp\0016283\btimages.ppl
    c:\users\peter\AppData\Local\Temp\0016283\buffer.ppl
    c:\users\peter\AppData\Local\Temp\0016283\clldr.dll
    c:\users\peter\AppData\Local\Temp\0016283\crpthlpr.ppl
    c:\users\peter\AppData\Local\Temp\0016283\dbghelp.dll
    c:\users\peter\AppData\Local\Temp\0016283\deflate.ppl
    c:\users\peter\AppData\Local\Temp\0016283\diffs.dll
    c:\users\peter\AppData\Local\Temp\0016283\dmap.ppl
    c:\users\peter\AppData\Local\Temp\0016283\dtreg.ppl
    c:\users\peter\AppData\Local\Temp\0016283\filemap.ppl
    c:\users\peter\AppData\Local\Temp\0016283\fsdrvplg.ppl
    c:\users\peter\AppData\Local\Temp\0016283\fssync.dll
    c:\users\peter\AppData\Local\Temp\0016283\hashmd5.ppl
    c:\users\peter\AppData\Local\Temp\0016283\hashsha1.ppl
    c:\users\peter\AppData\Local\Temp\0016283\icheck3.ppl
    c:\users\peter\AppData\Local\Temp\0016283\inflate.ppl
    c:\users\peter\AppData\Local\Temp\0016283\inifile.ppl
    c:\users\peter\AppData\Local\Temp\0016283\kldw.exe
    c:\users\peter\AppData\Local\Temp\0016283\klsrlsvc.ppl
    c:\users\peter\AppData\Local\Temp\0016283\mailmsg.ppl
    c:\users\peter\AppData\Local\Temp\0016283\mdb.ppl
    c:\users\peter\AppData\Local\Temp\0016283\mdmap.ppl
    c:\users\peter\AppData\Local\Temp\0016283\memmng.dll
    c:\users\peter\AppData\Local\Temp\0016283\memmodsc.ppl
    c:\users\peter\AppData\Local\Temp\0016283\memscan.ppl
    c:\users\peter\AppData\Local\Temp\0016283\minizip.ppl
    c:\users\peter\AppData\Local\Temp\0016283\mkavio.ppl
    c:\users\peter\AppData\Local\Temp\0016283\msoe.ppl
    c:\users\peter\AppData\Local\Temp\0016283\msvcm80.dll
    c:\users\peter\AppData\Local\Temp\0016283\msvcp80.dll
    c:\users\peter\AppData\Local\Temp\0016283\msvcr80.dll
    c:\users\peter\AppData\Local\Temp\0016283\ndetect.ppl
    c:\users\peter\AppData\Local\Temp\0016283\netdtls.ppl
    c:\users\peter\AppData\Local\Temp\0016283\nfio.ppl
    c:\users\peter\AppData\Local\Temp\0016283\ntfsstrm.ppl
    c:\users\peter\AppData\Local\Temp\0016283\ods.ppl
    c:\users\peter\AppData\Local\Temp\0016283\params.ppl
    c:\users\peter\AppData\Local\Temp\0016283\passdmap.ppl
    c:\users\peter\AppData\Local\Temp\0016283\prloader.dll
    c:\users\peter\AppData\Local\Temp\0016283\procmon.ppl
    c:\users\peter\AppData\Local\Temp\0016283\propmap.ppl
    c:\users\peter\AppData\Local\Temp\0016283\proxydet.ppl
    c:\users\peter\AppData\Local\Temp\0016283\prremote.dll
    c:\users\peter\AppData\Local\Temp\0016283\prseqio.ppl
    c:\users\peter\AppData\Local\Temp\0016283\prtransp.ppl
    c:\users\peter\AppData\Local\Temp\0016283\prutil.ppl
    c:\users\peter\AppData\Local\Temp\0016283\pxstub.ppl
    c:\users\peter\AppData\Local\Temp\0016283\qb.ppl
    c:\users\peter\AppData\Local\Temp\0016283\quantum.ppl
    c:\users\peter\AppData\Local\Temp\0016283\regmap.ppl
    c:\users\peter\AppData\Local\Temp\0016283\report.ppl
    c:\users\peter\AppData\Local\Temp\0016283\reportdb.ppl
    c:\users\peter\AppData\Local\Temp\0016283\resip.ppl
    c:\users\peter\AppData\Local\Temp\0016283\schedule.ppl
    c:\users\peter\AppData\Local\Temp\0016283\sfdb.ppl
    c:\users\peter\AppData\Local\Temp\0016283\stat.ppl
    c:\users\peter\AppData\Local\Temp\0016283\stdcomp.ppl
    c:\users\peter\AppData\Local\Temp\0016283\stenum2.ppl
    c:\users\peter\AppData\Local\Temp\0016283\superio.ppl
    c:\users\peter\AppData\Local\Temp\0016283\syswatch.ppl
    c:\users\peter\AppData\Local\Temp\0016283\thpimpl.ppl
    c:\users\peter\AppData\Local\Temp\0016283\timer.ppl
    c:\users\peter\AppData\Local\Temp\0016283\tm.ppl
    c:\users\peter\AppData\Local\Temp\0016283\uniarc.ppl
    c:\users\peter\AppData\Local\Temp\0016283\updater.dll
    c:\users\peter\AppData\Local\Temp\0016283\urlflt.ppl
    c:\users\peter\AppData\Local\Temp\0016283\ushata.dll
    c:\users\peter\AppData\Local\Temp\0016283\volenum.ppl
    c:\users\peter\AppData\Local\Temp\0016283\wdiskio.ppl
    c:\users\peter\AppData\Local\Temp\0016283\winreg.ppl
    c:\users\peter\AppData\Local\Temp\0016283\wmihlpr.ppl
    c:\users\peter\AppData\Local\Temp\0016283\x64\wmi64.exe
    c:\users\peter\AppData\Local\Temp\0016283\xorio.ppl
    .
    -- Previous Run --
    .
    c:\windows\regedit.exe . . . is infected!!
    .
    --------
    .
    c:\windows\regedit.exe . . . is infected!!
    .
    c:\windows\SysWOW64\regedit.exe . . . is infected!!
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-01-22 to 2013-02-22  )))))))))))))))))))))))))))))))
    .
    .
    2013-02-22 22:04 . 2013-02-22 22:04    --------    d-----w-    c:\users\Guest\AppData\Local\temp
    2013-02-22 22:04 . 2013-02-22 22:04    --------    d-----w-    c:\users\Default\AppData\Local\temp
    2013-02-22 07:22 . 2013-02-08 00:28    9162192    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{6DFD9B82-E3EB-42AE-88D7-EA24077220AE}\mpengine.dll
    2013-02-20 06:11 . 2013-02-20 06:11    --------    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-02-20 06:11 . 2012-12-14 22:49    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
    2013-02-20 05:16 . 2013-02-20 05:16    --------    d-----w-    c:\programdata\Kaspersky Lab
    2013-02-20 05:14 . 2013-02-20 14:18    460888    ----a-w-    c:\windows\system32\drivers\46063751.sys
    2013-02-15 09:22 . 2013-02-22 22:51    --------    d-----r-    c:\users\peter\Dropbox
    2013-02-15 09:17 . 2013-02-22 22:51    --------    d-----w-    c:\users\peter\AppData\Roaming\Dropbox
    2013-02-15 06:22 . 2013-02-15 06:22    --------    d-----w-    c:\users\peter\AppData\Local\GNU
    2013-02-15 06:22 . 2013-02-15 06:22    --------    d-----w-    c:\users\peter\.kde
    2013-02-15 05:38 . 2013-02-15 09:17    --------    d-----w-    c:\users\peter\AppData\Roaming\gnupg
    2013-02-15 05:38 . 2013-02-15 05:38    --------    d-----w-    c:\programdata\GNU
    2013-02-15 05:38 . 2013-02-15 05:38    --------    d-----w-    c:\program files (x86)\GNU
    2013-02-14 01:30 . 2013-02-14 01:30    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2013-02-14 01:29 . 2013-02-14 01:29    --------    d-----w-    c:\program files (x86)\Java
    2013-02-14 01:25 . 2013-02-14 01:25    0    ----a-w-    c:\windows\SysWow64\RENA93D.tmp
    2013-02-14 01:25 . 2013-02-14 01:25    0    ----a-w-    c:\windows\SysWow64\RENA92C.tmp
    2013-02-13 23:43 . 2013-02-13 23:44    --------    d-----w-    c:\windows\EBC90C68FCB64C18950C85F6650976D7.TMP
    2013-02-13 21:51 . 2013-02-13 22:41    --------    d-----w-    c:\users\peter\EBC90C68FCB64C18950C85F6650976D7.TMP
    2013-02-13 09:07 . 2013-01-09 01:10    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
    2013-02-13 09:07 . 2013-01-08 22:01    768000    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
    2013-02-13 09:01 . 2013-01-09 01:48    17812992    ----a-w-    c:\windows\system32\mshtml.dll
    2013-02-13 09:01 . 2013-01-09 01:22    10925568    ----a-w-    c:\windows\system32\ieframe.dll
    2013-02-13 05:47 . 2013-01-04 05:37    243200    ----a-w-    c:\windows\system32\wow64.dll
    2013-02-08 07:47 . 2013-02-08 07:47    --------    d-----w-    c:\program files (x86)\ATT
    2013-02-08 07:46 . 2013-02-08 07:47    --------    d-----w-    c:\program files\Common Files\Motive
    2013-02-05 05:07 . 2013-02-05 05:07    --------    d-----w-    c:\program files (x86)\Audible
    2013-02-01 05:49 . 2012-08-21 19:01    33240    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
    2013-02-01 05:47 . 2013-02-01 05:47    --------    d-----w-    c:\program files\iPod
    2013-02-01 05:47 . 2013-02-01 05:49    --------    d-----w-    c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
    2013-02-01 05:47 . 2013-02-01 05:49    --------    d-----w-    c:\program files\iTunes
    2013-02-01 05:47 . 2013-02-01 05:49    --------    d-----w-    c:\program files (x86)\iTunes
    2013-02-01 05:43 . 2013-02-01 05:43    --------    d-----w-    c:\program files (x86)\Apple Software Update
    2013-02-01 05:42 . 2013-02-01 05:42    --------    d-----w-    c:\program files\Common Files\Apple
    2013-02-01 05:41 . 2013-02-01 05:41    --------    d-----w-    c:\program files\Bonjour
    2013-02-01 05:41 . 2013-02-01 05:41    --------    d-----w-    c:\program files (x86)\Bonjour
    2013-02-01 03:46 . 2013-02-01 03:46    --------    d-----w-    c:\program files (x86)\Alleycode
    2013-01-29 22:44 . 2013-01-29 22:44    --------    d-----w-    c:\users\peter\AppData\Roaming\Strongvault
    2013-01-29 22:42 . 2013-01-29 22:42    --------    d-----w-    c:\users\peter\AppData\Local\Stronghold_LLC
    2013-01-29 22:41 . 2013-01-31 03:52    --------    d-sh--w-    c:\windows\SysWow64\AI_RecycleBin
    2013-01-29 22:40 . 2013-01-29 22:40    --------    d-----w-    c:\users\peter\AppData\Local\Coupon Companion Plugin
    2013-01-29 22:39 . 2013-01-29 22:39    --------    d-----w-    c:\users\peter\AppData\Local\Updater21804
    2013-01-29 22:39 . 2013-02-22 22:06    --------    d-----w-    c:\program files (x86)\Coupon Companion Plugin
    2013-01-29 22:03 . 2013-01-29 22:03    --------    d-----w-    c:\program files (x86)\Common Files\Mobipocket Shared
    2013-01-29 22:03 . 2013-01-29 22:03    --------    d-----w-    c:\program files (x86)\Mobipocket.com
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-14 09:28 . 2012-11-16 06:29    691568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
    2013-02-14 09:28 . 2011-05-24 19:35    71024    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-14 01:30 . 2013-01-16 06:29    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
    2013-02-14 01:30 . 2010-07-11 03:58    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
    2013-01-17 07:28 . 2011-05-22 22:30    273840    ------w-    c:\windows\system32\MpSigStub.exe
    2013-01-16 19:53 . 2013-01-16 19:53    0    ----a-w-    c:\windows\SysWow64\sho6C69.tmp
    2013-01-04 04:43 . 2013-02-13 05:48    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
    2012-12-20 06:40 . 2012-12-20 06:41    107816    ----a-w-    c:\windows\SysWow64\SynTPCOM.dll
    2012-12-20 06:40 . 2012-12-20 06:41    147752    ----a-w-    c:\windows\system32\SynTPCo4.dll
    2012-12-20 06:40 . 2012-12-20 06:41    215336    ----a-w-    c:\windows\system32\SynTPAPI.dll
    2012-12-20 06:40 . 2012-12-20 06:41    1390640    ----a-w-    c:\windows\system32\drivers\SynTP.sys
    2012-12-20 06:40 . 2012-12-20 06:41    214312    ----a-w-    c:\windows\SysWow64\SynCtrl.dll
    2012-12-20 06:40 . 2012-12-20 06:41    271144    ----a-w-    c:\windows\system32\SynCtrl.dll
    2012-12-20 06:40 . 2012-12-20 06:41    173352    ----a-w-    c:\windows\SysWow64\SynCOM.dll
    2012-12-20 06:40 . 2012-12-20 06:41    400168    ----a-w-    c:\windows\system32\SynCOM.dll
    2012-12-16 16:52 . 2012-12-21 09:02    46080    ----a-w-    c:\windows\system32\atmlib.dll
    2012-12-16 14:40 . 2012-12-21 09:02    367616    ----a-w-    c:\windows\system32\atmfd.dll
    2012-12-16 14:25 . 2012-12-21 09:02    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
    2012-12-16 14:25 . 2012-12-21 09:02    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
    2012-12-07 05:41 . 2013-01-11 04:24    441856    ----a-w-    c:\windows\system32\Wpc.dll
    2012-12-07 05:35 . 2013-01-11 04:24    2745856    ----a-w-    c:\windows\system32\gameux.dll
    2012-12-07 05:04 . 2013-01-11 04:24    308736    ----a-w-    c:\windows\SysWow64\Wpc.dll
    2012-12-07 04:57 . 2013-01-11 04:24    2576384    ----a-w-    c:\windows\SysWow64\gameux.dll
    2012-12-07 03:45 . 2013-01-11 04:24    43520    ----a-w-    c:\windows\system32\csrr.rs
    2012-12-07 03:45 . 2013-01-11 04:24    45568    ----a-w-    c:\windows\system32\oflc-nz.rs
    2012-12-07 03:45 . 2013-01-11 04:24    30720    ----a-w-    c:\windows\system32\usk.rs
    2012-12-07 03:45 . 2013-01-11 04:24    23552    ----a-w-    c:\windows\system32\oflc.rs
    2012-12-07 03:45 . 2013-01-11 04:24    44544    ----a-w-    c:\windows\system32\pegibbfc.rs
    2012-12-07 03:45 . 2013-01-11 04:24    40960    ----a-w-    c:\windows\system32\cob-au.rs
    2012-12-07 03:45 . 2013-01-11 04:24    21504    ----a-w-    c:\windows\system32\grb.rs
    2012-12-07 03:45 . 2013-01-11 04:24    20480    ----a-w-    c:\windows\system32\pegi-pt.rs
    2012-12-07 03:45 . 2013-01-11 04:24    20480    ----a-w-    c:\windows\system32\pegi-fi.rs
    2012-12-07 03:45 . 2013-01-11 04:24    46592    ----a-w-    c:\windows\system32\fpb.rs
    2012-12-07 03:45 . 2013-01-11 04:24    20480    ----a-w-    c:\windows\system32\pegi.rs
    2012-12-07 03:45 . 2013-01-11 04:24    15360    ----a-w-    c:\windows\system32\djctq.rs
    2012-12-07 03:45 . 2013-01-11 04:24    55296    ----a-w-    c:\windows\system32\cero.rs
    2012-12-07 03:45 . 2013-01-11 04:24    51712    ----a-w-    c:\windows\system32\esrb.rs
    2012-12-07 03:21 . 2013-01-11 04:24    45568    ----a-w-    c:\windows\SysWow64\oflc-nz.rs
    2012-12-07 03:21 . 2013-01-11 04:24    44544    ----a-w-    c:\windows\SysWow64\pegibbfc.rs
    2012-12-07 03:21 . 2013-01-11 04:24    43520    ----a-w-    c:\windows\SysWow64\csrr.rs
    2012-12-07 03:21 . 2013-01-11 04:24    30720    ----a-w-    c:\windows\SysWow64\usk.rs
    2012-12-07 03:21 . 2013-01-11 04:24    23552    ----a-w-    c:\windows\SysWow64\oflc.rs
    2012-12-07 03:21 . 2013-01-11 04:24    20480    ----a-w-    c:\windows\SysWow64\pegi-pt.rs
    2012-12-07 03:21 . 2013-01-11 04:24    20480    ----a-w-    c:\windows\SysWow64\pegi.rs
    2012-12-07 03:21 . 2013-01-11 04:24    20480    ----a-w-    c:\windows\SysWow64\pegi-fi.rs
    2012-12-07 03:21 . 2013-01-11 04:24    46592    ----a-w-    c:\windows\SysWow64\fpb.rs
    2012-12-07 03:21 . 2013-01-11 04:24    21504    ----a-w-    c:\windows\SysWow64\grb.rs
    2012-12-07 03:21 . 2013-01-11 04:24    51712    ----a-w-    c:\windows\SysWow64\esrb.rs
    2012-12-07 03:21 . 2013-01-11 04:24    55296    ----a-w-    c:\windows\SysWow64\cero.rs
    2012-12-07 03:21 . 2013-01-11 04:24    40960    ----a-w-    c:\windows\SysWow64\cob-au.rs
    2012-12-07 03:21 . 2013-01-11 04:24    15360    ----a-w-    c:\windows\SysWow64\djctq.rs
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{11111111-1111-1111-1111-110211181104}]
    c:\program files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll [BU]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32    129272    ----a-w-    c:\users\peter\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32    129272    ----a-w-    c:\users\peter\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32    129272    ----a-w-    c:\users\peter\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
    @="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
    [HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
    2009-12-17 21:14    613496    ----a-w-    c:\windows\SysWOW64\PGPfsshl.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
    "DymoQuickPrint"="c:\program files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2011-08-10 1865808]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "EPSON WorkForce 840 Series"="c:\windows\system32\spool\DRIVERS\x64\3\E_IATIGMA.EXE" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [BU]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
    "DLSService"="c:\program files (x86)\DYMO\DYMO Label Software\DLSService.exe" [BU]
    "TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2011-11-14 273528]
    "ScanSnap WIA Service Checker"="c:\windows\SSDriver\fi5110\SsWiaChecker.exe" [2009-09-30 86016]
    "AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
    "SMessaging"="c:\users\peter\AppData\Local\Strongvault Online Backup\SMessaging.exe" [BU]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    c:\users\peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    Dropbox.lnk - c:\users\peter\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-2-14 29428904]
    _uninst_46063751.lnk - c:\users\peter\AppData\Local\Temp\_uninst_46063751.bat [N/A]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Audible Download Manager.lnk - c:\program files (x86)\Audible\Bin\AudibleDownloadHelper.exe [2011-3-14 2125472]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    R2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2011-06-23 35840]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
    R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    R3 optousb;OPTO ELECTRONICS optousb;c:\windows\system32\DRIVERS\optousb.sys [2010-03-24 27264]
    R3 optovcm;OPTO ELECTRONICS optovcm;c:\windows\system32\DRIVERS\optovcm.sys [2010-03-24 34304]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-24 1255736]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
    R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S0 46063751;46063751;c:\windows\system32\DRIVERS\46063751.sys [2013-02-20 460888]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-10-15 63328]
    S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-21 225120]
    S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-11-16 111968]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]
    S0 pgpfs;PGP File Sharing;c:\windows\System32\Drivers\PGPfsfd.sys [2009-12-17 169080]
    S0 Pgpwdefs;Pgpwdefs;c:\windows\system32\DRIVERS\Pgpwdefs.sys [2009-12-17 14456]
    S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 154464]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-09-21 200032]
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
    S2 ATT MAHostService;ATT MAHostService;c:\program files (x86)\ATT\8.2.1.6\ma\bin\MAHostService.exe [2013-01-23 319488]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-16 5814904]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 DirMngr;DirMngr;c:\program files (x86)\GNU\GnuPG\dirmngr.exe [2011-03-02 224256]
    S2 DymoPnpService;DYMO PnP Service;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [2011-08-10 32336]
    S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
    S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
    S2 pcCMService;pcCMService;c:\program files (x86)\Common Files\Motive\pcCMService.exe [2012-10-05 369152]
    S2 pcCMService64;pcCMService64;c:\program files\Common Files\Motive\pcCMService.exe [2012-10-05 460288]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-23 347680]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 38456]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-22 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-16 09:28]
    .
    2013-02-20 c:\windows\Tasks\HPCeeScheduleForpeter.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 04:15]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32    162552    ----a-w-    c:\users\peter\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32    162552    ----a-w-    c:\users\peter\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32    162552    ----a-w-    c:\users\peter\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32    162552    ----a-w-    c:\users\peter\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
    @="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
    [HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
    2009-12-17 21:14    538744    ----a-w-    c:\windows\System32\PGPfsshl.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-05-26 6245408]
    "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\windows\system32\PGPlsp.dll
    Trusted Zone: $talisma_url$
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\dt630rd6.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.type - 0
    FF - ExtSQL: 2013-01-27 21:48; firefox@unfriendfinder.com; c:\users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\dt630rd6.default\extensions\firefox@unfriendfinder.com.xpi
    FF - ExtSQL: 2013-01-29 16:39; extension21804@extension21804.com; c:\users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\dt630rd6.default\extensions\extension21804@extension21804.com
    FF - ExtSQL: 2013-02-08 01:54; mcciwbch@motive.com; c:\program files (x86)\Mozilla Firefox\extensions\mcciwbch@motive.com.xpi
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\ATT\8.2.1.6\ma\bin\node.exe
    c:\windows\SysWOW64\PGPserv.exe
    c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    .
    **************************************************************************
    .
    Completion time: 2013-02-22  18:50:44 - machine was rebooted
    ComboFix-quarantined-files.txt  2013-02-23 00:50
    .
    Pre-Run: 144,989,437,952 bytes free
    Post-Run: 144,778,584,064 bytes free
    .
    - - End Of File - - 20EED4867FC76F191AE43F2DBBA397D7
     



    #6 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:USA
    • Local time:06:01 AM

    Posted 24 February 2013 - 01:44 PM

    Well...this is unfortunately a very common and very nasty infection that people are getting these days.  
     
    Please download SystemLook from one of the links below and save it to your Desktop.
    Link 1
    Link 2
    • Right-click and Run as Administrator SystemLook.exe to run it.
    • Copy the content within the following codebox into the main textfield:
    :filefind
    regedit.exe
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    WFxJwA4.png
     
    mvp_horizontal_fullcolor-(copy2).jpeg
     


    #7 xSOSx

    xSOSx
    • Topic Starter

    • Members
    • 19 posts
    • OFFLINE
    •  
    • Local time:06:01 AM

    Posted 25 February 2013 - 10:07 PM

    Thank you for your help. Here it is:

     

    SystemLook 30.07.11 by jpshortstuff
    Log created at 20:56 on 25/02/2013 by peter
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "regedit.exe"
    C:\Windows\regedit.exe    --a---- 427008 bytes    [23:27 13/07/2009]    [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
    C:\Windows\erdnt\cache86\regedit.exe    --a---- 427008 bytes    [07:36 20/02/2013]    [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
    C:\Windows\SysWOW64\regedit.exe    --a---- 427008 bytes    [23:17 13/07/2009]    [01:14 14/07/2009] BEF066FE76DBA64F6D44F059DFF517CD
    C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedit.exe    --a---- 427008 bytes    [23:27 13/07/2009]    [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
    C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedit.exe    --a---- 427008 bytes    [23:17 13/07/2009]    [01:14 14/07/2009] BEF066FE76DBA64F6D44F059DFF517CD

    -= EOF =-
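As an added example, not part of the thread and not SystemLook's own code, the script below parses the filefind block above and cross-checks each regedit.exe copy outside WinSxS against the WinSxS component-store copy of the same architecture, which is the comparison that tells you whether the binary on disk has been altered. The "native"/"wow64" classification is the script's own convention, and the TAMPERED_SAMPLE line is constructed to show what a mismatch looks like.

```python
"""Cross-check the regedit.exe copies reported by SystemLook's :filefind
against the reference copies Windows keeps in the WinSxS component store.

Added example, not from the thread or from SystemLook: a live copy whose MD5
differs from every WinSxS copy of the same architecture has been altered on
disk and needs a closer look. WinSxS sits on the same disk, so a match is
evidence, not proof: a kernel-mode rootkit can lie to any user-mode tool."""
import re
from collections import defaultdict

# One filefind result line: <path>  <attrs>  <size> bytes  [mtime]  [ctime]  <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# The filefind block posted in the thread, embedded so the script runs offline.
SYSTEMLOOK_OUTPUT = r"""
========== filefind ==========

Searching for "regedit.exe"
C:\Windows\regedit.exe    --a---- 427008 bytes    [23:27 13/07/2009]    [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
C:\Windows\erdnt\cache86\regedit.exe    --a---- 427008 bytes    [07:36 20/02/2013]    [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
C:\Windows\SysWOW64\regedit.exe    --a---- 427008 bytes    [23:17 13/07/2009]    [01:14 14/07/2009] BEF066FE76DBA64F6D44F059DFF517CD
C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedit.exe    --a---- 427008 bytes    [23:27 13/07/2009]    [01:39 14/07/2009] 2E2C937846A0B8789E5E91739284D17A
C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedit.exe    --a---- 427008 bytes    [23:17 13/07/2009]    [01:14 14/07/2009] BEF066FE76DBA64F6D44F059DFF517CD

-= EOF =-
"""

# Constructed sample line (not from the thread): a copy whose hash matches no
# WinSxS reference, which is what a patched binary would look like in this log.
TAMPERED_SAMPLE = (
    r"C:\Windows\Temp\regedit.exe    --a---- 427008 bytes"
    r"    [23:27 13/07/2009]    [01:39 14/07/2009] 00112233445566778899AABBCCDDEEFF"
)


def parse_filefind(text):
    """Return one dict per result line; headers and the EOF marker are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def classify(path):
    """Return (arch, in_winsxs). On 64-bit Windows the native build lives in
    Windows/System32 and in an amd64_ (or x86_) component; the 32-bit build
    lives in SysWOW64 and in a wow64_ component."""
    p = path.lower()
    if "\\winsxs\\" in p:
        component = p.split("\\winsxs\\", 1)[1].split("\\", 1)[0]
        return ("wow64" if component.startswith("wow64_") else "native"), True
    return ("wow64" if "\\syswow64\\" in p else "native"), False


def check_against_winsxs(entries):
    """Compare every copy outside WinSxS with the WinSxS copies of the same
    architecture. Several WinSxS copies can exist after servicing, so any of
    them counts as a valid reference. Returns {path: verdict}."""
    refs = defaultdict(set)  # arch -> MD5s seen in the component store
    for e in entries:
        arch, in_sxs = classify(e["path"])
        if in_sxs:
            refs[arch].add(e["md5"])
    verdicts = {}
    for e in entries:
        arch, in_sxs = classify(e["path"])
        if in_sxs:
            continue
        if not refs[arch]:
            verdicts[e["path"]] = "no WinSxS reference"
        elif e["md5"] in refs[arch]:
            verdicts[e["path"]] = "matches WinSxS"
        else:
            verdicts[e["path"]] = "DIFFERS from WinSxS"
    return verdicts


if __name__ == "__main__":
    log = SYSTEMLOOK_OUTPUT + TAMPERED_SAMPLE + "\n"
    for path, verdict in check_against_winsxs(parse_filefind(log)).items():
        print(f"{verdict:22} {path}")
```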



    #8 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:USA
    • Local time:06:01 AM

    Posted 26 February 2013 - 08:01 AM

    Hi,

     

    Good job getting me those....

     

     

    Please go to: VirusTotal
    On the page you'll find a "Choose File" button.
    Click on the Choose File button.
    In the Choose File to Upload window which opens, copy and paste these (one at a time) into the File Name box.
     
    c:\windows\regedit.exe
     
    c:\windows\SysWOW64\regedit.exe
     
     
    Next, click the Open button.
    Then click the "Scan It!" button just below.
    This will scan the file. Please be patient.
    If you get a message saying File has already been analyzed: click Reanalyze file now
    Once scanned, copy and paste the link to the results page in your next reply.
    ----------



    #9 xSOSx

    xSOSx
    • Topic Starter

    • Members
    • 19 posts
    • OFFLINE
    •  
    • Local time:06:01 AM

    Posted 26 February 2013 - 10:09 PM

    Here are the results. Thanks again.

     

    https://www.virustotal.com/en/file/eaaf8b7cdb72b0e8686432ff4e29d7ebd8206ccd6c3c4df452db71463ae7af41/analysis/1361934312/

     

    https://www.virustotal.com/en/file/eaaf8b7cdb72b0e8686432ff4e29d7ebd8206ccd6c3c4df452db71463ae7af41/analysis/1361934514/



    #10 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:USA
    • Local time:06:01 AM

    Posted 27 February 2013 - 05:20 PM

    Hi,

     

     

    FRST
     
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     
    Plug the flash drive into the infected PC.
     
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options
     
    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
     
     
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
     
    Select Command Prompt
     
    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



    #11 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:USA
    • Local time:06:01 AM

    Posted 02 March 2013 - 05:03 PM

    Still need help?




    #12 xSOSx

    xSOSx
    • Topic Starter

    • Members
    • 19 posts
    • OFFLINE
    •  
    • Local time:06:01 AM

    Posted 02 March 2013 - 10:30 PM

    Hi, I'm sorry for the delay. I wanted to get a clean flash drive before doing the next step. I should have that and be able to post the results by tomorrow evening. Thanks.



    #13 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:USA
    • Local time:06:01 AM

    Posted 02 March 2013 - 10:31 PM

    Sounds good. Thanks for letting me know. :)



    #14 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:USA
    • Local time:06:01 AM

    Posted 05 March 2013 - 08:16 AM

    Still with us?



    #15 xSOSx

    xSOSx
    • Topic Starter

    • Members
    • 19 posts
    • OFFLINE
    •  
    • Local time:06:01 AM

    Posted 07 March 2013 - 04:04 AM

    Sorry. Thanks for your patience. I had to get a flash drive that I knew was clean.

     

    Anything with "ATI" in the name seems to be a culprit, and I noticed at least two whitelisted entries here that are ATI .exe files. Let me know what you think.

     

    Here is the log:

     

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-02-2013 (ATTENTION: FRST version is 7 days old)
    Ran by SYSTEM at 07-03-2013 02:52:25
    Running from H:\
    Windows 7 Home Premium   (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2012-12-19] (Synaptics Incorporated)
    HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6245408 2010-05-25] (Realtek Semiconductor)
    HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
    HKLM\...\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe [660360 2007-05-31] (Microsoft Corporation)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [x]
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-22] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [DLSService] "C:\Program Files (x86)\DYMO\DYMO Label Software\DLSService.exe" [x]
    HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [273528 2011-11-14] (RealNetworks, Inc.)
    HKLM-x32\...\Run: [ScanSnap WIA Service Checker] C:\Windows\SSDriver\fi5110\SsWiaChecker.exe [86016 2009-09-30] (PFU LIMITED)
    HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [SMessaging] C:\Users\peter\AppData\Local\Strongvault Online Backup\SMessaging.exe [x]
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
    HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
    HKU\Guest\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
    HKU\peter\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
    HKU\peter\...\Run: [DymoQuickPrint] "C:\Program Files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup [1865808 2011-08-10] (Sanford, L.P.)
    HKU\peter\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
    HKU\peter\...\Run: [EPSON WorkForce 840 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGMA.EXE /FU "C:\Windows\TEMP\E_SB63F.tmp" /EF "HKCU" [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
    Startup: C:\ProgramData\Start Menu\Programs\Startup\Audible Download Manager.lnk
    ShortcutTarget: Audible Download Manager.lnk -> C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\Microsoft Office.lnk
    ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
    Startup: C:\Users\peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
    ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    Startup: C:\Users\peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk ->  (No File)
    Startup: C:\Users\peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_46063751.lnk
    ShortcutTarget: _uninst_46063751.lnk ->  (No File)

    ==================== Services (Whitelisted) ===================

    3 Adobe LM Service; "C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" [72704 2013-01-22] (Adobe Systems)
    2 ATT MAHostService; "C:\Program Files (x86)\ATT\8.2.1.6\ma\bin\MAHostService.exe" [319488 2013-01-23] (Alcatel-Lucent)
    2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)
    2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
    2 DirMngr; "C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe" --service [224256 2011-03-02] ()
    2 DymoPnpService; "C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe" [32336 2011-08-10] (Sanford, L.P.)
    2 pcCMService64; "C:\Program Files\Common Files\Motive\pcCMService.exe" [460288 2012-10-05] (Alcatel-Lucent)
    2 PGPserv; C:\Windows\SysWOW64\PGPserv.exe [135288 2009-12-17] (PGP Corporation)
    2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
    2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [x]
    4 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [x]
    2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [x]
    3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [x]

    ==================== Drivers (Whitelisted) =====================

    0 46063751; C:\Windows\System32\Drivers\46063751.sys [460888 2013-02-20] (Kaspersky Lab ZAO)
    1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
    0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
    1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
    0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
    0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-15] (AVG Technologies CZ, s.r.o.)
    0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
    1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
    3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [43008 2010-02-02] (Printing Communications Assoc., Inc. (PCAUSA))
    3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [40960 2010-02-02] (Printing Communications Assoc., Inc. (PCAUSA))
    2 PGPdisk; C:\Windows\System32\Drivers\PGPdisk.sys [274552 2009-12-17] (PGP Corporation)
    0 pgpfs; C:\Windows\System32\Drivers\PGPfsfd.sys [169080 2009-12-17] (PGP Corporation)
    2 PGPsdkDriver; C:\Windows\System32\Drivers\PGPsdk.sys [50296 2009-12-17] (PGP Corporation)
    0 PGPwded; C:\Windows\System32\Drivers\PGPwded.sys [332408 2009-12-17] (PGP Corporation)
    0 Pgpwdefs; C:\Windows\System32\Drivers\Pgpwdefs.sys [14456 2009-12-17] (PGP Corporation)
    3 catchme; \??\C:\ComboFix\catchme.sys [x]
    3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
    3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
    3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2013-03-05 14:31 - 2013-03-07 00:06 - 00000161 ____A C:\Users\peter\Desktop\Travel expenses 2012.txt
    2013-03-05 13:59 - 2013-03-05 13:59 - 00013824 ____A C:\Users\peter\Desktop\Disbursements 2012.xls
    2013-03-05 13:49 - 2013-03-05 13:49 - 00546251 ____A C:\Users\peter\Desktop\report3.txt
    2013-03-05 13:16 - 2013-03-05 14:25 - 00000286 ____A C:\Users\peter\Desktop\Disbursements 2012.txt
    2013-03-05 12:05 - 2013-03-05 12:05 - 00017996 ____A C:\Users\peter\Desktop\report(1).txt
    2013-03-05 11:03 - 2013-03-05 11:03 - 00097217 ____A C:\Users\peter\Desktop\report.txt
    2013-03-05 04:02 - 2013-03-05 04:02 - 00000363 ____A C:\Users\peter\Desktop\Taxes.txt
    2013-03-05 01:32 - 2013-03-05 01:32 - 00001119 ____A C:\Users\peter\Desktop\text.txt.pgp
    2013-03-03 14:08 - 2013-03-03 14:08 - 00530539 ____A C:\Users\peter\Desktop\9637913073.txt
    2013-03-03 12:49 - 2013-03-06 20:57 - 00033792 ____A C:\Users\peter\Documents\cost log 2012.xls
    2013-03-01 00:43 - 2013-03-01 00:43 - 00354180 ____A C:\Users\peter\Desktop\R512e974a99280.txt
    2013-02-28 22:46 - 2013-02-28 23:56 - 00000000 ____D C:\Users\peter\AppData\Roaming\SellerEngine Plus
    2013-02-28 22:44 - 2013-02-28 22:46 - 17618671 ____A (SellerEngine                                                ) C:\Users\peter\Desktop\seplus_us_3.2.4.exe
    2013-02-26 21:35 - 2013-03-01 00:18 - 00000252 ____A C:\Users\peter\Desktop\repricers.txt
    2013-02-25 18:52 - 2013-02-25 18:52 - 00007605 ____A C:\Users\peter\AppData\Local\Resmon.ResmonCfg
    2013-02-23 04:02 - 2013-02-27 14:36 - 00000347 ____A C:\Users\peter\Desktop\geneva convention.txt
    2013-02-22 16:50 - 2013-02-22 16:50 - 00033641 ____A C:\ComboFix.txt
    2013-02-19 22:16 - 2013-02-19 22:16 - 00000069 ____A C:\Users\peter\AppData\Roaming\mbam.context.scan
    2013-02-19 22:11 - 2013-02-19 22:11 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-02-19 22:11 - 2012-12-14 14:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2013-02-19 21:16 - 2013-02-19 21:16 - 00000000 ____D C:\ProgramData\Kaspersky Lab
    2013-02-19 21:14 - 2013-02-20 06:18 - 00460888 ____A (Kaspersky Lab ZAO) C:\Windows\System32\Drivers\46063751.sys
    2013-02-19 19:58 - 2013-02-19 20:08 - 00000000 ____D C:\Users\peter\Desktop\VIDEO_TS
    2013-02-19 19:58 - 2013-02-19 19:58 - 00000000 ____D C:\Users\peter\Desktop\ALF DVD
    2013-02-19 19:58 - 2012-09-13 13:20 - 00000000 ____D C:\Users\peter\Desktop\AUDIO_TS
    2013-02-15 15:27 - 2013-02-23 02:27 - 00000000 ____A C:\Users\peter\Desktop\~aa booksalefinder ~h4532q.idlk
    2013-02-15 01:22 - 2013-03-04 13:41 - 00000000 ___RD C:\Users\peter\Dropbox
    2013-02-15 01:22 - 2013-02-15 01:22 - 00001039 ____A C:\Users\peter\Desktop\Dropbox.lnk
    2013-02-15 01:17 - 2013-03-04 13:41 - 00000000 ____D C:\Users\peter\AppData\Roaming\Dropbox
    2013-02-14 22:22 - 2013-02-14 22:22 - 00000000 ____D C:\Users\peter\AppData\Local\GNU
    2013-02-14 22:22 - 2013-02-14 22:22 - 00000000 ____D C:\Users\peter\.kde
    2013-02-14 21:38 - 2013-02-15 01:17 - 00000000 ____D C:\Users\peter\AppData\Roaming\gnupg
    2013-02-14 21:38 - 2013-02-14 21:38 - 00000000 ____D C:\ProgramData\GNU
    2013-02-14 21:38 - 2013-02-14 21:38 - 00000000 ____D C:\Program Files (x86)\GNU
    2013-02-14 21:37 - 2013-02-14 21:38 - 39332992 ____A (g10 Code GmbH) C:\Users\peter\Desktop\gpg4win-2.1.0.exe
    2013-02-14 02:11 - 2013-02-14 02:11 - 00000503 ____A C:\Users\peter\Desktop\map plugin fix.txt
    2013-02-13 20:16 - 2013-02-13 20:16 - 00002031 ____A C:\Users\peter\Desktop\google.csv
    2013-02-13 17:31 - 2013-02-13 17:30 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
    2013-02-13 17:30 - 2013-02-13 17:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2013-02-13 17:30 - 2013-02-13 17:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2013-02-13 17:30 - 2013-02-13 17:30 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
    2013-02-13 17:29 - 2013-02-13 17:29 - 00000000 ____D C:\Program Files (x86)\Java
    2013-02-13 17:25 - 2013-02-13 17:25 - 00000000 ____A C:\Windows\SysWOW64\RENA93D.tmp
    2013-02-13 17:25 - 2013-02-13 17:25 - 00000000 ____A C:\Windows\SysWOW64\RENA92C.tmp
    2013-02-13 15:43 - 2013-02-13 15:44 - 00000000 ____D C:\Windows\EBC90C68FCB64C18950C85F6650976D7.TMP
    2013-02-13 13:51 - 2013-02-13 14:41 - 00000000 ____D C:\Users\peter\EBC90C68FCB64C18950C85F6650976D7.TMP
    2013-02-13 13:01 - 2013-02-13 13:01 - 00002571 ____A C:\Users\peter\Desktop\PGP Viewer.exe.lnk
    2013-02-13 12:49 - 2013-02-13 12:49 - 02606639 ____A C:\Users\peter\Desktop\gnupg-1.4.11-1.4.12.diff
    2013-02-13 11:47 - 2013-02-13 11:47 - 00000363 ____A C:\Users\peter\Desktop\PGP Shredder - Shortcut.lnk
    2013-02-13 11:43 - 2013-02-13 11:43 - 00002477 ____A C:\Users\peter\Desktop\PGP Desktop.lnk
    2013-02-13 01:02 - 2013-01-08 17:19 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-02-13 01:02 - 2013-01-08 17:12 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-02-13 01:02 - 2013-01-08 17:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-02-13 01:02 - 2013-01-08 17:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-02-13 01:02 - 2013-01-08 17:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-02-13 01:02 - 2013-01-08 17:09 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-02-13 01:02 - 2013-01-08 17:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-02-13 01:02 - 2013-01-08 17:07 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-02-13 01:02 - 2013-01-08 17:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-02-13 01:02 - 2013-01-08 17:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-02-13 01:02 - 2013-01-08 17:05 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-02-13 01:02 - 2013-01-08 17:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-02-13 01:02 - 2013-01-08 17:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-02-13 01:02 - 2013-01-08 17:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-02-13 01:02 - 2013-01-08 14:23 - 12321280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2013-02-13 01:02 - 2013-01-08 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2013-02-13 01:02 - 2013-01-08 14:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2013-02-13 01:02 - 2013-01-08 14:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2013-02-13 01:02 - 2013-01-08 14:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2013-02-13 01:02 - 2013-01-08 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2013-02-13 01:02 - 2013-01-08 14:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2013-02-13 01:02 - 2013-01-08 13:59 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2013-02-13 01:02 - 2013-01-08 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2013-02-13 01:02 - 2013-01-08 13:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
    2013-02-13 01:02 - 2013-01-08 13:57 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2013-02-13 01:02 - 2013-01-08 13:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2013-02-13 01:02 - 2013-01-08 13:56 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2013-02-13 01:02 - 2013-01-08 13:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2013-02-13 01:02 - 2013-01-08 13:53 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2013-02-13 01:01 - 2013-01-08 17:48 - 17812992 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-02-13 01:01 - 2013-01-08 17:22 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-02-13 01:01 - 2013-01-08 14:09 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2013-02-12 21:48 - 2013-01-04 21:57 - 05500776 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2013-02-12 21:48 - 2013-01-04 21:02 - 03957608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2013-02-12 21:48 - 2013-01-04 21:02 - 03902312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2013-02-12 21:48 - 2013-01-03 21:37 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
    2013-02-12 21:48 - 2013-01-03 21:36 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
    2013-02-12 21:48 - 2013-01-03 21:33 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
    2013-02-12 21:48 - 2013-01-03 21:30 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
    2013-02-12 21:48 - 2013-01-03 21:30 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
    2013-02-12 21:48 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
    2013-02-12 21:48 - 2013-01-03 20:51 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
    2013-02-12 21:48 - 2013-01-03 20:51 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
    2013-02-12 21:48 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
    2013-02-12 21:48 - 2013-01-03 19:22 - 03150848 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-02-12 21:48 - 2013-01-03 19:19 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
    2013-02-12 21:48 - 2013-01-03 18:48 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
    2013-02-12 21:47 - 2013-01-03 21:41 - 01893224 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2013-02-12 21:47 - 2013-01-03 21:40 - 00287576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
    2013-02-12 21:47 - 2013-01-03 21:37 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
    2013-02-12 21:47 - 2013-01-03 21:37 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 18:48 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
    2013-02-12 21:47 - 2013-01-03 18:48 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
    2013-02-12 21:47 - 2013-01-03 18:48 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
    2013-02-12 21:47 - 2013-01-03 18:43 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 18:43 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 18:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
    2013-02-12 21:47 - 2013-01-03 18:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
    2013-02-07 23:47 - 2013-02-07 23:47 - 00000000 ____D C:\Program Files (x86)\ATT
    2013-02-07 23:46 - 2013-02-07 23:47 - 00000000 ____D C:\Program Files\Common Files\Motive

    1376-545-00 63031:16384 - 1376-545-00 63031:16384 - 00000000 ____A C:\Users\peter\Documents\Untitled 1.odt

    ==================== One Month Modified Files and Folders =======

    2013-03-07 00:47 - 2013-01-15 22:14 - 01619259 ____A C:\Windows\WindowsUpdate.log
    2013-03-07 00:46 - 2013-01-18 02:10 - 00000000 ____D C:\Users\peter\AppData\Roaming\TweetAdder3
    2013-03-07 00:18 - 2012-10-22 13:57 - 00000955 ____A C:\Users\peter\Desktop\to do.txt
    2013-03-07 00:17 - 2012-11-15 22:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-03-07 00:17 - 2011-05-30 22:00 - 00000000 ____D C:\Users\peter\AppData\Roaming\OpenOffice.org2
    2013-03-07 00:06 - 2013-03-05 14:31 - 00000161 ____A C:\Users\peter\Desktop\Travel expenses 2012.txt
    2013-03-06 20:57 - 2013-03-03 12:49 - 00033792 ____A C:\Users\peter\Documents\cost log 2012.xls
    2013-03-06 20:04 - 2013-01-15 22:10 - 00003258 ____A C:\Windows\setupact.log
    2013-03-05 14:25 - 2013-03-05 13:16 - 00000286 ____A C:\Users\peter\Desktop\Disbursements 2012.txt
    2013-03-05 13:59 - 2013-03-05 13:59 - 00013824 ____A C:\Users\peter\Desktop\Disbursements 2012.xls
    2013-03-05 13:49 - 2013-03-05 13:49 - 00546251 ____A C:\Users\peter\Desktop\report3.txt
    2013-03-05 12:05 - 2013-03-05 12:05 - 00017996 ____A C:\Users\peter\Desktop\report(1).txt
    2013-03-05 11:03 - 2013-03-05 11:03 - 00097217 ____A C:\Users\peter\Desktop\report.txt
    2013-03-05 01:34 - 2011-05-24 16:08 - 00000000 ____D C:\Users\peter\Documents\PGP
    2013-03-05 01:32 - 2013-03-05 01:32 - 00001119 ____A C:\Users\peter\Desktop\text.txt.pgp
    2013-03-05 00:15 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-03-05 00:15 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-03-04 23:10 - 2011-07-03 17:39 - 00000000 ____D C:\Users\peter\Desktop\LEGAL
    2013-03-04 14:24 - 2013-01-29 11:19 - 00000000 ____D C:\Users\peter\Desktop\Kevin letters
    2013-03-04 13:41 - 2013-02-15 01:22 - 00000000 ___RD C:\Users\peter\Dropbox
    2013-03-04 13:41 - 2013-02-15 01:17 - 00000000 ____D C:\Users\peter\AppData\Roaming\Dropbox
    2013-03-04 13:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2013-03-04 13:19 - 2011-05-31 19:31 - 00000000 ____D C:\Users\peter\Documents\Special Docs
    2013-03-03 14:08 - 2013-03-03 14:08 - 00530539 ____A C:\Users\peter\Desktop\9637913073.txt
    2013-03-03 11:50 - 2011-05-22 14:46 - 00000376 ____A C:\Windows\ODBC.INI
    2013-03-03 11:49 - 2011-05-22 14:45 - 00000000 ____D C:\Windows\ShellNew
    2013-03-03 11:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system
    2013-03-03 11:40 - 2011-09-09 17:35 - 00000000 ____D C:\Users\peter\Desktop\Books in Progress
    2013-03-01 18:05 - 2013-01-29 14:39 - 00000000 ____D C:\Program Files (x86)\Coupon Companion Plugin
    2013-03-01 18:05 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-03-01 00:43 - 2013-03-01 00:43 - 00354180 ____A C:\Users\peter\Desktop\R512e974a99280.txt
    2013-03-01 00:18 - 2013-02-26 21:35 - 00000252 ____A C:\Users\peter\Desktop\repricers.txt
    2013-02-28 23:56 - 2013-02-28 22:46 - 00000000 ____D C:\Users\peter\AppData\Roaming\SellerEngine Plus
    2013-02-28 22:46 - 2013-02-28 22:44 - 17618671 ____A (SellerEngine                                                ) C:\Users\peter\Desktop\seplus_us_3.2.4.exe
    2013-02-27 14:36 - 2013-02-23 04:02 - 00000347 ____A C:\Users\peter\Desktop\geneva convention.txt
    2013-02-26 19:21 - 2012-11-15 22:29 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-02-26 19:21 - 2011-05-24 11:35 - 00071024 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-02-25 18:52 - 2013-02-25 18:52 - 00007605 ____A C:\Users\peter\AppData\Local\Resmon.ResmonCfg
    2013-02-23 02:27 - 2013-02-15 15:27 - 00000000 ____A C:\Users\peter\Desktop\~aa booksalefinder ~h4532q.idlk
    2013-02-22 20:21 - 2013-01-18 13:24 - 00000418 ____A C:\Users\peter\Desktop\Virus location + details.txt
    2013-02-22 19:50 - 2013-01-29 14:44 - 00000000 ____D C:\Users\peter\AppData\Roaming\Strongvault
    2013-02-22 16:50 - 2013-02-22 16:50 - 00033641 ____A C:\ComboFix.txt
    2013-02-22 16:50 - 2013-01-16 12:23 - 00000000 ____D C:\Qoobox
    2013-02-22 16:50 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
    2013-02-22 14:51 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
    2013-02-22 14:50 - 2013-01-16 12:23 - 00000000 ____D C:\Windows\erdnt
    2013-02-22 14:06 - 2013-01-15 22:10 - 00318936 ____A C:\Windows\PFRO.log
    2013-02-20 06:18 - 2013-02-19 21:14 - 00460888 ____A (Kaspersky Lab ZAO) C:\Windows\System32\Drivers\46063751.sys
    2013-02-19 22:16 - 2013-02-19 22:16 - 00000069 ____A C:\Users\peter\AppData\Roaming\mbam.context.scan
    2013-02-19 22:11 - 2013-02-19 22:11 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-02-19 22:11 - 2012-03-05 19:28 - 00000000 ____D C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
    2013-02-19 21:16 - 2013-02-19 21:16 - 00000000 ____D C:\ProgramData\Kaspersky Lab
    2013-02-19 21:07 - 2011-05-22 19:14 - 00000000 ____D C:\users\peter
    2013-02-19 20:08 - 2013-02-19 19:58 - 00000000 ____D C:\Users\peter\Desktop\VIDEO_TS
    2013-02-19 19:58 - 2013-02-19 19:58 - 00000000 ____D C:\Users\peter\Desktop\ALF DVD
    2013-02-19 14:22 - 2012-08-21 07:56 - 00000233 ____A C:\Users\peter\Desktop\send.txt
    2013-02-18 13:11 - 2009-07-13 21:13 - 00005376 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-02-15 01:22 - 2013-02-15 01:22 - 00001039 ____A C:\Users\peter\Desktop\Dropbox.lnk
    2013-02-15 01:17 - 2013-02-14 21:38 - 00000000 ____D C:\Users\peter\AppData\Roaming\gnupg
    2013-02-14 22:22 - 2013-02-14 22:22 - 00000000 ____D C:\Users\peter\AppData\Local\GNU
    2013-02-14 22:22 - 2013-02-14 22:22 - 00000000 ____D C:\Users\peter\.kde
    2013-02-14 21:38 - 2013-02-14 21:38 - 00000000 ____D C:\ProgramData\GNU
    2013-02-14 21:38 - 2013-02-14 21:38 - 00000000 ____D C:\Program Files (x86)\GNU
    2013-02-14 21:38 - 2013-02-14 21:37 - 39332992 ____A (g10 Code GmbH) C:\Users\peter\Desktop\gpg4win-2.1.0.exe
    2013-02-14 14:03 - 2011-05-24 18:39 - 00000426 ____A C:\Windows\BRWMARK.INI
    2013-02-14 02:11 - 2013-02-14 02:11 - 00000503 ____A C:\Users\peter\Desktop\map plugin fix.txt
    2013-02-14 01:28 - 2010-07-10 18:57 - 00000000 ____D C:\ProgramData\Adobe
    2013-02-13 20:16 - 2013-02-13 20:16 - 00002031 ____A C:\Users\peter\Desktop\google.csv
    2013-02-13 17:30 - 2013-02-13 17:31 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
    2013-02-13 17:30 - 2013-02-13 17:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2013-02-13 17:30 - 2013-02-13 17:30 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2013-02-13 17:30 - 2013-02-13 17:30 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
    2013-02-13 17:30 - 2013-01-15 22:29 - 00861088 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
    2013-02-13 17:30 - 2010-07-10 19:58 - 00782240 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
    2013-02-13 17:29 - 2013-02-13 17:29 - 00000000 ____D C:\Program Files (x86)\Java
    2013-02-13 17:25 - 2013-02-13 17:25 - 00000000 ____A C:\Windows\SysWOW64\RENA93D.tmp
    2013-02-13 17:25 - 2013-02-13 17:25 - 00000000 ____A C:\Windows\SysWOW64\RENA92C.tmp
    2013-02-13 15:44 - 2013-02-13 15:43 - 00000000 ____D C:\Windows\EBC90C68FCB64C18950C85F6650976D7.TMP
    2013-02-13 14:41 - 2013-02-13 13:51 - 00000000 ____D C:\Users\peter\EBC90C68FCB64C18950C85F6650976D7.TMP
    2013-02-13 13:01 - 2013-02-13 13:01 - 00002571 ____A C:\Users\peter\Desktop\PGP Viewer.exe.lnk
    2013-02-13 12:49 - 2013-02-13 12:49 - 02606639 ____A C:\Users\peter\Desktop\gnupg-1.4.11-1.4.12.diff
    2013-02-13 11:47 - 2013-02-13 11:47 - 00000363 ____A C:\Users\peter\Desktop\PGP Shredder - Shortcut.lnk
    2013-02-13 11:43 - 2013-02-13 11:43 - 00002477 ____A C:\Users\peter\Desktop\PGP Desktop.lnk
    2013-02-13 01:47 - 2012-12-06 20:15 - 00333728 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-02-13 01:38 - 2011-07-02 16:09 - 00000000 ____D C:\Users\peter\AppData\Roaming\SoftGrid Client
    2013-02-10 22:44 - 2011-05-31 19:31 - 00000000 ____D C:\Users\peter\Documents\Personal
    2013-02-08 21:13 - 2013-01-18 13:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-02-07 23:47 - 2013-02-07 23:47 - 00000000 ____D C:\Program Files (x86)\ATT
    2013-02-07 23:47 - 2013-02-07 23:46 - 00000000 ____D C:\Program Files\Common Files\Motive
    2013-02-06 01:42 - 2013-02-06 01:42 - 00000000 ____D C:\Users\peter\Desktop\Declassified Archives
    2013-02-06 01:41 - 2013-01-29 01:07 - 00000000 ____D C:\Users\peter\Desktop\AA FINAL FILES

    1376-545-00 63031:16384 - 1376-545-00 63031:16384 - 00000000 ____A C:\Users\peter\Documents\Untitled 1.odt

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points  =========================

    Restore point made on: 2013-02-19 03:34:03
    Restore point made on: 2013-02-22 13:36:05
    Restore point made on: 2013-02-26 03:18:19
    Restore point made on: 2013-03-01 04:38:04
    Restore point made on: 2013-03-03 11:48:54
    Restore point made on: 2013-03-05 04:20:44

    ==================== Memory info ===========================

    Percentage of memory in use: 33%
    Total physical RAM: 1786.9 MB
    Available physical RAM: 1182.99 MB
    Total Pagefile: 1786.9 MB
    Available Pagefile: 1168.3 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:216.38 GB) (Free:133.98 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive e: (RECOVERY) (Fixed) (Total:16.21 GB) (Free:2.34 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
    4 Drive g: (MSOFFS9) (CDROM) (Total:0.48 GB) (Free:0 GB) CDFS
    5 Drive h: (KINGSTON) (Removable) (Total:3.65 GB) (Free:3.53 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

      Disk ###  Status         Size     Free     Dyn  Gpt
      --------  -------------  -------  -------  ---  ---
      Disk 0    Online          232 GB      0 B         
      Disk 1    Online         3745 MB      0 B         

    Partitions of Disk 0:
    ===============

    Disk ID: 4BE9BCC0

      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    Primary            199 MB  1024 KB
      Partition 2    Primary            216 GB   200 MB
      Partition 3    Primary             16 GB   216 GB
      Partition 4    Primary            103 MB   232 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type  : 07
    Hidden: No
    Active: Yes

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1     Y   SYSTEM       NTFS   Partition    199 MB  Healthy            

    =========================================================

    Disk: 0
    Partition 2
    Type  : 07
    Hidden: No
    Active: No

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2     C                NTFS   Partition    216 GB  Healthy            

    =========================================================

    Disk: 0
    Partition 3
    Type  : 07
    Hidden: No
    Active: No

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3     E   RECOVERY     NTFS   Partition     16 GB  Healthy            

    =========================================================

    Disk: 0
    Partition 4
    Type  : 0C
    Hidden: No
    Active: No

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4     F   HP_TOOLS     FAT32  Partition    103 MB  Healthy            
        C:\HP_TOOLS_mountHPSF\

    =========================================================

    Partitions of Disk 1:
    ===============

    Disk ID: C3072E18

      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    Primary           3741 MB  4032 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type  : 0C
    Hidden: No
    Active: Yes

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 5     H   KINGSTON     FAT32  Removable   3741 MB  Healthy            

    =========================================================

    Last Boot: 2013-03-05 00:08

    ==================== End Of Log =============================