
BSOD after MBR virus :(


  • Please log in to reply
13 replies to this topic

#1 JohnJh
Posted 03 April 2013 - 01:35 PM

I certainly hope someone can help me. My laptop is Windows 7 64-bit, fully updated. It was infected badly: all browsers were redirecting, and Malwarebytes and Microsoft Security Essentials came back clean. I tried running TDSSKiller, but it would not run. I ran HitmanPro; it found two viruses and one suspicious DLL. The two viruses were in the MBR. When I went to clean it and restart, it automatically causes a BSOD and reboots so quickly I can't see the BSOD long enough to get the error code. I tried doing the startup recovery with no luck, and I tried fixing the MBR with no luck.

I have so many important files on the computer that I really need to get this resolved ASAP. I really hope someone can help me!!


Edited by hamluis, 03 April 2013 - 02:06 PM.
Moved from Malware Removal Logs to Am I Infected - Hamluis.



#2 Broni

Posted 03 April 2013 - 09:02 PM

I'll report this topic to appropriate helpers.

Hold on...




 


#3 JohnJh

Posted 03 April 2013 - 09:10 PM

Oh, I'm holding. I have a Farbar scan all ready too, hoping this can get resolved tonight. Keeping my fingers crossed.

Thank you for reporting this to the appropriate helpers.



#4 JSntgRvr

Posted 03 April 2013 - 09:50 PM

Please post the Farbar scan log.



#5 JohnJh

Posted 03 April 2013 - 09:58 PM

You made my night. Here it is.
You may see remnants of ComboFix on there. ComboFix got to stage 4 before I ended it, FYI...
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 21 days old)
Ran by SYSTEM at 03-04-2013 21:42:59
Running from G:\
Windows 7 Home Premium   (X64) OS Language: English(US) 
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ===================
 
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKLM-x32\...\Run: []  [x]
HKU\ATAcer1\...\Run: [AdobeBridge]  [x]
HKU\Dale\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Dale\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [162336 2009-07-21] ()
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [162336 2009-07-21] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.5.1 8.8.8.8 8.8.4.4
 
==================== Services (Whitelisted) ===================
 
2 HitmanPro37CrusaderBoot; "C:\My Downloads\HitmanPro_x64.exe" /crusader:boot [9741664 2013-04-03] (SurfRight B.V.)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22056 2013-01-27] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [379360 2013-01-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) =====================
 
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
3 s125bus; C:\Windows\System32\Drivers\s125bus.sys [108296 2007-04-24] (MCCI Corporation)
3 s125mdfl; C:\Windows\System32\Drivers\s125mdfl.sys [19720 2007-04-24] (MCCI Corporation)
3 s125mdm; C:\Windows\System32\Drivers\s125mdm.sys [144648 2007-04-24] (MCCI Corporation)
3 s125mgmt; C:\Windows\System32\Drivers\s125mgmt.sys [126216 2007-04-24] (MCCI Corporation)
3 s125obex; C:\Windows\System32\Drivers\s125obex.sys [123656 2007-04-24] (MCCI Corporation)
4 hitmanpro37; \??\C:\Windows\system32\drivers\hitmanpro37.sys [x]
4 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHD64.sys [x]
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [x]
 
==================== NetSvcs (Whitelisted) ====================
 
 
==================== One Month Created Files and Folders ========
 
2013-04-03 21:42 - 2013-04-03 21:42 - 00000000 ____D C:\FRST
2013-04-03 09:47 - 2013-04-03 09:47 - 00035278 ____A C:\Windows\System32\.crusader
2013-04-03 09:36 - 2013-04-03 09:48 - 00000000 ____D C:\ProgramData\HitmanPro
2013-04-03 09:30 - 2013-04-03 09:31 - 00004136 ____A C:\Users\ATAcer1\Desktop\Rkill.txt
2013-04-03 09:30 - 2013-04-03 09:30 - 00000000 ____D C:\Users\ATAcer1\Desktop\rkill
2013-04-03 09:03 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2013-04-03 09:03 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2013-04-03 09:03 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-04-03 09:03 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-04-03 09:03 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-04-03 09:03 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2013-04-03 09:03 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2013-04-03 09:03 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2013-04-03 09:02 - 2013-04-03 09:23 - 00000000 ___SD C:\ComboFix
2013-04-03 09:00 - 2013-04-03 09:02 - 00000000 ____D C:\Qoobox
2013-04-03 08:58 - 2013-04-03 08:58 - 00000000 ____D C:\Windows\erdnt
2013-04-03 08:58 - 2013-04-03 07:15 - 05046606 ____R (Swearware) C:\Users\ATAcer1\Desktop\ComboFix.exe
2013-04-03 07:57 - 2013-04-03 07:57 - 00146170 ____A C:\Users\ATAcer1\AppData\Local\census.cache
2013-04-03 07:56 - 2013-04-03 07:56 - 00099710 ____A C:\Users\ATAcer1\AppData\Local\ars.cache
2013-04-03 07:40 - 2012-06-04 23:37 - 00256904 ____A (Trend Micro Inc.) C:\Windows\SysWOW64\Drivers\tmcomm.sys
2013-04-03 07:39 - 2013-04-03 07:39 - 00000036 ____A C:\Users\ATAcer1\AppData\Local\housecall.guid.cache
2013-04-03 07:17 - 2013-04-03 07:17 - 00000000 ____D C:\Users\Dale\AppData\Roaming\Malwarebytes
2013-04-03 07:16 - 2013-04-03 07:16 - 00000000 ____D C:\Users\Dale\AppData\Roaming\WinRAR
2013-04-03 07:02 - 2013-04-03 07:02 - 00000000 ____D C:\Users\Dale\AppData\Roaming\Mozilla
2013-04-03 07:02 - 2013-04-03 07:02 - 00000000 ____D C:\Users\Dale\AppData\Local\Mozilla
2013-04-03 02:22 - 2013-04-03 02:22 - 00002664 ____A C:\Users\ATAcer1\Desktop\LetterToAssociation.txt
2013-04-02 18:16 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2013-04-02 18:16 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2013-04-02 18:16 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2013-04-02 18:16 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2013-04-02 18:00 - 2012-12-16 08:52 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2013-04-02 18:00 - 2012-12-16 06:40 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2013-04-02 18:00 - 2012-12-16 06:25 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-04-02 18:00 - 2012-12-16 06:25 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2013-04-02 18:00 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2013-04-02 18:00 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2013-04-02 18:00 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2013-04-02 18:00 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2013-04-02 18:00 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2013-04-02 18:00 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2013-04-02 18:00 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2013-04-02 18:00 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2013-04-02 17:58 - 2013-02-01 23:31 - 17815040 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-02 17:58 - 2013-02-01 22:58 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-02 17:58 - 2013-02-01 22:57 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-02 17:58 - 2013-02-01 22:48 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-02 17:58 - 2013-02-01 22:47 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-02 17:58 - 2013-02-01 22:47 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-02 17:58 - 2013-02-01 22:46 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-02 17:58 - 2013-02-01 22:43 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-02 17:58 - 2013-02-01 22:42 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-02 17:58 - 2013-02-01 22:42 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-02 17:58 - 2013-02-01 22:41 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-02 17:58 - 2013-02-01 22:40 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-02 17:58 - 2013-02-01 22:39 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-02 17:58 - 2013-02-01 22:38 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-02 17:58 - 2013-02-01 22:38 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-02 17:58 - 2013-02-01 22:34 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-02 17:58 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-02 17:58 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-02 17:58 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-02 17:58 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-02 17:58 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-04-02 17:58 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-02 17:58 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-04-02 17:58 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-02 17:58 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-02 17:58 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-04-02 17:58 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-04-02 17:58 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-02 17:58 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-02 17:58 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-02 17:58 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-04-02 17:58 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-02 17:55 - 2013-04-02 17:55 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-04-02 17:55 - 2013-04-02 17:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-04-02 17:43 - 2012-11-29 15:21 - 00420032 ____A C:\Windows\SysWOW64\locale.nls
2013-04-02 17:43 - 2012-11-29 15:19 - 00420032 ____A C:\Windows\System32\locale.nls
2013-04-02 17:42 - 2012-12-06 21:41 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll
2013-04-02 17:42 - 2012-12-06 21:35 - 02745856 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll
2013-04-02 17:42 - 2012-12-06 21:04 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll
2013-04-02 17:42 - 2012-12-06 20:57 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll
2013-04-02 17:42 - 2012-12-06 19:45 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs
2013-04-02 17:42 - 2012-12-06 19:45 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs
2013-04-02 17:42 - 2012-12-06 19:21 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs
2013-04-02 17:42 - 2012-11-01 21:27 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2013-04-02 17:42 - 2012-11-01 20:48 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll
2013-04-02 17:41 - 2013-01-03 21:37 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-04-02 17:41 - 2013-01-03 21:37 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-04-02 17:41 - 2013-01-03 21:37 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-04-02 17:41 - 2013-01-03 21:36 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-04-02 17:41 - 2013-01-03 21:33 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-04-02 17:41 - 2013-01-03 21:30 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-04-02 17:41 - 2013-01-03 21:30 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:27 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 21:26 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:51 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-04-02 17:41 - 2013-01-03 20:51 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-04-02 17:41 - 2013-01-03 20:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 20:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 19:19 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-04-02 17:41 - 2013-01-03 18:48 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-04-02 17:41 - 2013-01-03 18:48 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-04-02 17:41 - 2013-01-03 18:48 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-04-02 17:41 - 2013-01-03 18:48 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-04-02 17:41 - 2013-01-03 18:43 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 18:43 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 18:43 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-04-02 17:41 - 2013-01-03 18:43 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-04-02 17:41 - 2012-11-01 21:30 - 02001408 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-04-02 17:41 - 2012-11-01 21:30 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2013-04-02 17:41 - 2012-11-01 20:50 - 01388544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2013-04-02 17:41 - 2012-11-01 20:50 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2013-04-02 17:38 - 2013-01-04 21:57 - 05500776 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-02 17:38 - 2013-01-04 21:02 - 03957608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-02 17:38 - 2013-01-04 21:02 - 03902312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-02 17:36 - 2013-01-03 21:41 - 01893224 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-04-02 17:36 - 2013-01-03 21:40 - 00287576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2013-04-02 17:36 - 2012-11-08 21:34 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-04-02 17:36 - 2012-11-08 20:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-04-02 17:36 - 2012-09-06 09:38 - 00295792 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys
2013-04-02 17:35 - 2013-01-03 19:22 - 03150848 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-02 17:35 - 2012-11-22 02:32 - 00801280 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll
2013-04-02 17:35 - 2012-11-22 01:33 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2013-04-02 17:34 - 2012-11-08 21:34 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-04-02 17:34 - 2012-11-08 20:49 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-04-02 17:30 - 2012-11-19 21:55 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-04-02 17:30 - 2012-11-19 21:10 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-04-02 17:26 - 2012-09-25 14:39 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2013-04-02 17:26 - 2012-09-25 13:55 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2013-04-02 17:05 - 2013-04-02 17:05 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-04-02 17:05 - 2013-04-02 17:05 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-04-02 17:05 - 2013-04-02 17:05 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-04-02 17:05 - 2013-04-02 17:05 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-04-02 08:58 - 2013-04-03 09:24 - 00000312 ____A C:\Windows\Tasks\FreeFixer background scan.job
2013-04-02 08:58 - 2013-04-02 09:59 - 00000000 ____D C:\Users\ATAcer1\AppData\Roaming\FreeFixer
2013-04-02 08:58 - 2013-04-02 09:10 - 00000000 ____D C:\Users\ATAcer1\AppData\Local\FreeFixer
2013-04-02 08:58 - 2013-04-02 08:58 - 00000000 ____D C:\Program Files\FreeFixer
2013-04-02 08:48 - 2013-04-02 08:51 - 00001912 ____A C:\Users\ATAcer1\Desktop\Virus_Delete.txt
2013-04-02 08:38 - 2013-04-02 08:38 - 00000000 ____D C:\Program Files (x86)\Bazooka Scanner
2013-03-26 20:27 - 2013-03-27 02:46 - 00000464 ____A C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2013-03-26 20:27 - 2013-03-26 20:27 - 00002531 ____A C:\Users\Public\Desktop\TurboTax 2011.lnk
2013-03-26 17:21 - 2013-03-26 17:21 - 00002531 ____A C:\Users\Public\Desktop\TurboTax 2010.lnk
2013-03-23 12:28 - 2013-03-23 12:28 - 00000000 ____D C:\Users\ATAcer1\Citrix
2013-03-22 06:51 - 2013-03-22 06:51 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-03-22 06:51 - 2012-08-21 09:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2013-03-22 06:49 - 2013-03-22 06:51 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-03-22 06:49 - 2013-03-22 06:51 - 00000000 ____D C:\Program Files\iTunes
2013-03-22 06:49 - 2013-03-22 06:51 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-03-22 06:49 - 2013-03-22 06:49 - 00000000 ____D C:\Program Files\iPod
2013-03-17 08:35 - 2013-03-17 08:35 - 00013455 ____A C:\Users\ATAcer1\Desktop\iexplore.exe - Shortcut.lnk
2013-03-13 16:06 - 2013-03-13 16:06 - 00000000 ____D C:\Program Files\Microsoft Games
2013-03-10 10:16 - 2013-03-10 10:16 - 00000000 ____D C:\Users\ATAcer1\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2013-03-10 10:09 - 2013-03-10 10:09 - 00000000 ____D C:\Users\ATAcer1\Documents\Adobe
2013-03-07 13:56 - 2013-03-07 17:11 - 00000000 ____D C:\VacationRental
 
==================== One Month Modified Files and Folders =======
 
2013-04-03 21:42 - 2013-04-03 21:42 - 00000000 ____D C:\FRST
2013-04-03 09:48 - 2013-04-03 09:36 - 00000000 ____D C:\ProgramData\HitmanPro
2013-04-03 09:47 - 2013-04-03 09:47 - 00035278 ____A C:\Windows\System32\.crusader
2013-04-03 09:31 - 2013-04-03 09:30 - 00004136 ____A C:\Users\ATAcer1\Desktop\Rkill.txt
2013-04-03 09:30 - 2013-04-03 09:30 - 00000000 ____D C:\Users\ATAcer1\Desktop\rkill
2013-04-03 09:28 - 2009-07-13 21:13 - 00731314 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-03 09:24 - 2013-04-02 08:58 - 00000312 ____A C:\Windows\Tasks\FreeFixer background scan.job
2013-04-03 09:24 - 2009-11-06 19:48 - 00806066 ____A C:\Windows\PFRO.log
2013-04-03 09:23 - 2013-04-03 09:02 - 00000000 ___SD C:\ComboFix
2013-04-03 09:03 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-03 09:03 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-03 09:02 - 2013-04-03 09:00 - 00000000 ____D C:\Qoobox
2013-04-03 08:58 - 2013-04-03 08:58 - 00000000 ____D C:\Windows\erdnt
2013-04-03 08:53 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-03 08:53 - 2009-07-13 20:51 - 00158463 ____A C:\Windows\setupact.log
2013-04-03 08:26 - 2012-03-23 18:41 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2547905160-2564912410-455020132-1001UA.job
2013-04-03 08:07 - 2009-12-08 23:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-04-03 07:57 - 2013-04-03 07:57 - 00146170 ____A C:\Users\ATAcer1\AppData\Local\census.cache
2013-04-03 07:56 - 2013-04-03 07:56 - 00099710 ____A C:\Users\ATAcer1\AppData\Local\ars.cache
2013-04-03 07:39 - 2013-04-03 07:39 - 00000036 ____A C:\Users\ATAcer1\AppData\Local\housecall.guid.cache
2013-04-03 07:30 - 2009-12-08 19:33 - 00000000 ____D C:\Users\ATAcer1\AppData\Roaming\Skype
2013-04-03 07:17 - 2013-04-03 07:17 - 00000000 ____D C:\Users\Dale\AppData\Roaming\Malwarebytes
2013-04-03 07:16 - 2013-04-03 07:16 - 00000000 ____D C:\Users\Dale\AppData\Roaming\WinRAR
2013-04-03 07:15 - 2013-04-03 08:58 - 05046606 ____R (Swearware) C:\Users\ATAcer1\Desktop\ComboFix.exe
2013-04-03 07:02 - 2013-04-03 07:02 - 00000000 ____D C:\Users\Dale\AppData\Roaming\Mozilla
2013-04-03 07:02 - 2013-04-03 07:02 - 00000000 ____D C:\Users\Dale\AppData\Local\Mozilla
2013-04-03 07:01 - 2011-03-21 16:49 - 00084864 ____A C:\Users\Dale\AppData\Local\GDIPFONTCACHEV1.DAT
2013-04-03 07:01 - 2011-03-21 16:49 - 00000000 ____D C:\Users\Dale\AppData\Roaming\Apple Computer
2013-04-03 03:38 - 2009-11-13 01:22 - 02068104 ____A C:\Windows\WindowsUpdate.log
2013-04-03 03:25 - 2012-09-17 16:53 - 00084864 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-04-03 03:21 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-04-03 02:28 - 2009-07-13 20:45 - 04987368 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-03 02:22 - 2013-04-03 02:22 - 00002664 ____A C:\Users\ATAcer1\Desktop\LetterToAssociation.txt
2013-04-03 00:34 - 2012-03-23 18:41 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2547905160-2564912410-455020132-1001Core.job
2013-04-02 18:29 - 2009-11-06 19:25 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-02 18:28 - 2012-03-18 11:53 - 00000039 ____A C:\Windows\vbaddin.ini
2013-04-02 18:04 - 2011-01-27 03:45 - 00001945 ____A C:\Windows\epplauncher.mif
2013-04-02 18:03 - 2012-09-18 03:19 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-04-02 18:03 - 2011-01-27 03:45 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-04-02 17:55 - 2013-04-02 17:55 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-04-02 17:55 - 2013-04-02 17:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-04-02 17:54 - 2009-07-13 18:34 - 00000553 ____A C:\Windows\win.ini
2013-04-02 17:33 - 2009-07-13 21:08 - 00032650 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-04-02 17:12 - 2009-11-06 19:43 - 00000000 ____D C:\ProgramData\Adobe
2013-04-02 17:05 - 2013-04-02 17:05 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-04-02 17:05 - 2013-04-02 17:05 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-04-02 17:05 - 2013-04-02 17:05 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-04-02 17:05 - 2013-04-02 17:05 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-04-02 17:05 - 2013-02-28 10:25 - 00861088 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-04-02 17:05 - 2010-07-07 12:49 - 00782240 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-04-02 17:04 - 2009-12-08 20:34 - 00000000 ____D C:\Program Files (x86)\Java
2013-04-02 09:59 - 2013-04-02 08:58 - 00000000 ____D C:\Users\ATAcer1\AppData\Roaming\FreeFixer
2013-04-02 09:10 - 2013-04-02 08:58 - 00000000 ____D C:\Users\ATAcer1\AppData\Local\FreeFixer
2013-04-02 08:58 - 2013-04-02 08:58 - 00000000 ____D C:\Program Files\FreeFixer
2013-04-02 08:51 - 2013-04-02 08:48 - 00001912 ____A C:\Users\ATAcer1\Desktop\Virus_Delete.txt
2013-04-02 08:38 - 2013-04-02 08:38 - 00000000 ____D C:\Program Files (x86)\Bazooka Scanner
2013-04-02 03:05 - 2012-03-03 13:24 - 00010685 ____A C:\Users\ATAcer1\Documents\Book1.xlsx
2013-04-02 02:34 - 2009-12-08 19:22 - 00282744 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-01 10:49 - 2010-11-26 13:11 - 00006144 ____A C:\Users\ATAcer1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-03-30 15:27 - 2010-12-15 04:04 - 00000000 ___HD C:\Users\ATAcer1\AppData\Local\CutePDF Writer
2013-03-29 08:27 - 2012-03-23 18:45 - 00002380 ____A C:\Users\ATAcer1\Desktop\Google Chrome.lnk
2013-03-27 10:00 - 2012-08-23 13:46 - 00000000 ____D C:\Users\ATAcer1\Documents\TurboTax
2013-03-27 08:43 - 2010-10-24 10:11 - 00000000 ___HD C:\Users\ATAcer1\AppData\Local\Paint.NET
2013-03-27 02:46 - 2013-03-26 20:27 - 00000464 ____A C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2013-03-26 20:27 - 2013-03-26 20:27 - 00002531 ____A C:\Users\Public\Desktop\TurboTax 2011.lnk
2013-03-26 20:26 - 2012-08-23 13:39 - 00000000 ____D C:\Program Files (x86)\TurboTax
2013-03-26 17:25 - 2012-09-18 03:45 - 00084408 ____A C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2013-03-26 17:21 - 2013-03-26 17:21 - 00002531 ____A C:\Users\Public\Desktop\TurboTax 2010.lnk
2013-03-26 14:28 - 2012-02-25 06:33 - 00152448 ___AH C:\Windows\SysWOW64\mlfcache.dat
2013-03-24 19:32 - 2011-06-20 09:31 - 00000000 ____D C:\Marketing
2013-03-24 19:14 - 2012-10-20 17:18 - 00000000 ____D C:\Catalog
2013-03-23 12:28 - 2013-03-23 12:28 - 00000000 ____D C:\Users\ATAcer1\Citrix
2013-03-23 12:28 - 2009-12-08 18:52 - 00000000 ____D C:\users\ATAcer1
2013-03-22 06:51 - 2013-03-22 06:51 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-03-22 06:51 - 2013-03-22 06:49 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-03-22 06:51 - 2013-03-22 06:49 - 00000000 ____D C:\Program Files\iTunes
2013-03-22 06:51 - 2013-03-22 06:49 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-03-22 06:49 - 2013-03-22 06:49 - 00000000 ____D C:\Program Files\iPod
2013-03-17 14:23 - 2010-11-16 14:23 - 00000000 ____D C:\Users\ATAcer1\Documents\Camtasia Studio
2013-03-17 08:35 - 2013-03-17 08:35 - 00013455 ____A C:\Users\ATAcer1\Desktop\iexplore.exe - Shortcut.lnk
2013-03-15 12:51 - 2012-09-18 04:01 - 00005477 ____A C:\Windows\IE9_main.log
2013-03-13 16:06 - 2013-03-13 16:06 - 00000000 ____D C:\Program Files\Microsoft Games
2013-03-12 09:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-03-10 10:16 - 2013-03-10 10:16 - 00000000 ____D C:\Users\ATAcer1\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2013-03-10 10:16 - 2009-12-08 19:04 - 00000000 ____D C:\Users\ATAcer1\AppData\Roaming\Adobe
2013-03-10 10:12 - 2012-09-22 07:45 - 00000132 ____A C:\Users\ATAcer1\AppData\Roaming\Adobe IllExport Filter CS6 Prefs
2013-03-10 10:09 - 2013-03-10 10:09 - 00000000 ____D C:\Users\ATAcer1\Documents\Adobe
2013-03-07 17:11 - 2013-03-07 13:56 - 00000000 ____D C:\VacationRental
2013-03-05 06:17 - 2010-12-19 06:43 - 00045056 __ASH C:\Users\ATAcer1\Thumbs.db
2013-03-04 10:53 - 2009-12-08 19:22 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
 
 
==================== Known DLLs (Whitelisted) =================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
TDL4: custom:26000022 <===== ATTENTION!
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-03-30 19:07:33
Restore point made on: 2013-04-02 17:04:03
Restore point made on: 2013-04-02 17:04:51
Restore point made on: 2013-04-02 17:50:46
 
==================== Memory info =========================== 
 
Percentage of memory in use: 17%
Total physical RAM: 4025.98 MB
Available physical RAM: 3328.94 MB
Total Pagefile: 4024.13 MB
Available Pagefile: 3318.96 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
 
==================== Partitions =============================
 
1 Drive c: (Acer) (Fixed) (Total:285.97 GB) (Free:117.74 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:2.12 GB) NTFS
4 Drive g: (NEW VOLUME) (Removable) (Total:7.45 GB) (Free:2.68 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB    13 MB         
  Disk 1    Online         7643 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: 69FF6118
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            12 GB    31 KB
  Partition 2    Primary            101 MB    12 GB
  Partition 3    Primary            285 GB    12 GB
 
==================================================================================
 
Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   PQSERVICE    NTFS   Partition     12 GB  Healthy    Hidden  
 
=========================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM RESE  NTFS   Partition    101 MB  Healthy            
 
=========================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   Acer         NTFS   Partition    285 GB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 0000D15F
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7642 MB    31 KB
 
==================================================================================
 
Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G   NEW VOLUME   FAT32  Removable   7642 MB  Healthy            
 
=========================================================
============================== MBR Partition Table ==================
 
==============================
Partitions of Disk 0:
===============
Disk ID: 69FF6118
 
Partition 1:
=========
Hex: 0001010027FEFFFF3F000000201F8001
Active: NO
Type: 27
Size: 12 GB
 
Partition 2:
=========
Hex: 80FEFFFF07FEFFFF5F1F8001CD2F0300
Active: YES
Type: 07 (NTFS)
Size: 102 MB
 
Partition 3:
=========
Hex: 00FEFFFF07FEFFFF2C4F83018423BF23
Active: NO
Type: 07 (NTFS)
Size: 286 GB
 
==============================
Partitions of Disk 1:
===============
Disk ID: 0000D15F
 
Partition 1:
=========
Hex: 800101000BF6FEFD3E0000001ED0EE00
Active: YES
Type: 0B
Size: 7 GB
 
 
Last Boot: 2013-03-24 20:42
 
==================== End Of Log =============================
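The MBR partition table that FRST dumped above is just four 16-byte entries, and the hex strings it prints can be decoded by hand. The Python below is an added worked example for this thread, not part of the FRST log, of FRST, or of any tool named here: it decodes those hex strings (copied from the log) into boot flag, type, LBA start and sector count, parses the same table out of a raw 512-byte MBR sector, and runs the consistency checks a responder would want (exactly one active partition, no overlaps, unallocated space listed). The 512-byte sector is constructed inline with zeroed boot code, and the disk signature placed in it is the log's "Disk ID" on the assumption that FRST reports the NT disk signature stored at offset 440.

```python
"""Decode the MBR partition entries that FRST prints as 16-byte hex strings.

Added example for this thread, not part of the FRST log or of FRST itself.
The hex strings are copied from the log; the 512-byte sector is constructed
here (boot code zeroed) and its disk signature is the log's "Disk ID" on the
assumption that FRST reports the NT signature stored at offset 440.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512
# boot indicator, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY_FMT = "<B3sB3sII"


@dataclass
class PartitionEntry:
    active: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """First LBA after the partition (exclusive)."""
        return self.lba_start + self.sectors

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR


def parse_entry(raw: bytes) -> PartitionEntry:
    """Decode one 16-byte partition table entry."""
    if len(raw) != 16:
        raise ValueError("MBR partition entry must be 16 bytes")
    boot, _chs_start, type_id, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
    if boot not in (0x00, 0x80):
        # Any other value means a corrupt or tampered table, not a valid entry.
        raise ValueError(f"invalid boot indicator 0x{boot:02x}")
    return PartitionEntry(boot == 0x80, type_id, lba_start, sectors)


def parse_entry_hex(hex_str: str) -> PartitionEntry:
    """Decode an entry given in FRST's 'Hex:' notation."""
    return parse_entry(bytes.fromhex(hex_str))


def parse_mbr(sector: bytes) -> tuple[int, list[PartitionEntry]]:
    """Return (disk signature, used partition entries) from a raw 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i : 462 + 16 * i]
        if raw != bytes(16):          # skip unused slots
            entries.append(parse_entry(raw))
    return disk_sig, entries


def check_table(entries: list[PartitionEntry]) -> list[str]:
    """Consistency checks: exactly one active entry and no overlapping ranges."""
    problems = []
    active = sum(1 for e in entries if e.active)
    if active != 1:
        problems.append(f"expected one active partition, found {active}")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.lba_start < prev.lba_end:
            problems.append(f"overlap: type 0x{prev.type_id:02X} at {prev.lba_start} "
                            f"and type 0x{cur.type_id:02X} at {cur.lba_start}")
    return problems


def gaps(entries: list[PartitionEntry], total_sectors: int | None = None) -> list[tuple[int, int]]:
    """Unallocated (start, length) ranges: the track-0 gap after the MBR, space between
    partitions and, if total_sectors is known, space after the last one. On an infected
    disk, unallocated space is worth imaging and inspecting."""
    out = []
    cursor = 1                        # sector 0 holds the MBR itself
    for e in sorted(entries, key=lambda e: e.lba_start):
        if e.lba_start > cursor:
            out.append((cursor, e.lba_start - cursor))
        cursor = max(cursor, e.lba_end)
    if total_sectors is not None and total_sectors > cursor:
        out.append((cursor, total_sectors - cursor))
    return out


# Disk 0 entries exactly as printed in the log's "MBR Partition Table" section.
DISK0_ENTRIES_HEX = [
    "0001010027FEFFFF3F000000201F8001",  # Partition 1, type 27 (hidden recovery)
    "80FEFFFF07FEFFFF5F1F8001CD2F0300",  # Partition 2, type 07, active (SYSTEM RESERVED)
    "00FEFFFF07FEFFFF2C4F83018423BF23",  # Partition 3, type 07 (C:)
]
DISK1_ENTRY_HEX = "800101000BF6FEFD3E0000001ED0EE00"  # USB stick, type 0B (FAT32)


def build_mbr(disk_sig: int, entries_hex: list[str]) -> bytes:
    """Constructed sector for testing: no boot code, just signature, table and 0x55AA."""
    table = b"".join(bytes.fromhex(h) for h in entries_hex)
    table += bytes(16 * (4 - len(entries_hex)))
    return bytes(440) + struct.pack("<I", disk_sig) + bytes(2) + table + b"\x55\xaa"


DISK0_MBR = build_mbr(0x69FF6118, DISK0_ENTRIES_HEX)

if __name__ == "__main__":
    sig, parts = parse_mbr(DISK0_MBR)
    print(f"Disk ID: {sig:08X}")
    for p in parts:
        print(f"type 0x{p.type_id:02X} active={p.active} LBA {p.lba_start}-{p.lba_end - 1} "
              f"({p.size_bytes / 2**30:.2f} GiB)")
    print("problems:", check_table(parts) or "none", "| unallocated:", gaps(parts))
```

Run as a script, the three Disk 0 entries decode to contiguous ranges whose sizes match what FRST reported (12 GB, 102 MB and 285.97 GB), with only the 62-sector track-0 gap after the MBR unallocated. The parser covers the partition table only; the TDL4 and BCD findings in the log live in the boot code and in the BCD store on Y:, which this check does not examine.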


#6 JSntgRvr (Malware Response Team)

Posted 04 April 2013 - 10:43 AM

Download the enclosed file (fixlist.txt).

Save it next to FRST64.

Run FRST64 as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Start in Normal Mode. If successful, run TDSSKiller as follows:


Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 JohnJh (Topic Starter)

Posted 04 April 2013 - 11:05 AM

Ah, so good to see a desktop.

Text was too long; I don't see how to attach it.



#8 JSntgRvr (Malware Response Team)

Posted 04 April 2013 - 11:25 AM

Upload the report here.




#9 JohnJh (Topic Starter)

Posted 04 April 2013 - 11:28 AM

File uploaded.



#10 JSntgRvr (Malware Response Team)

Posted 04 April 2013 - 11:43 AM

The report was clear. Let's scan for remnants:
 
Download AdwCleaner from here to your desktop.
Run AdwCleaner and select Delete.

Once done, it will ask to reboot; allow this.
On reboot a log will be produced at C:\AdwCleaner[XX].txt. Please post its contents in a reply.
 
Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 
 
Please run a Bitdefender Online Virus Scan by following the instructions below:
  • Click this link to visit the Bitdefender Online Virus Scan website.
  • Click on the green Start scanner button in the middle of the screen.
  • Click the gray Continue button to the left.
  • Click the green Scan now button (you may need to scroll down to see it).
  • A little yellowish bar may pop up at the top of the page to notify you that the website is trying to install an add-on. Click on that yellowish bar and select to install the add-on.
  • If you had to install the add-on, then Internet Explorer will reload the page, and you will be back on step 2. Repeat steps 2 through 4 again.
  • You may now be presented with a Security Warning popup asking if you want to install something from Bitdefender. Go ahead and click the Install button.
  • You should now be asked to accept the license agreement. You will need to click the I ACCEPT box in the lower-left corner before you can click on the OK button to continue.
  • The scan will begin running. This could take more than a few minutes.
  • Once it is done, it will tell you whether or not it found anything. Avoid removing anything for now, and click on the View report link.
  • Notepad will open with a copy of the report. Please save this on your desktop, and post its contents in your reply.



#11 JohnJh (Topic Starter)

Posted 04 April 2013 - 02:13 PM

They all found nothing. :)

 

# AdwCleaner v2.200 - Logfile created 04/04/2013 at 12:50:29
# Updated 02/04/2013 by Xplode
# Operating system : Windows 7 Home Premium  (64 bits)
# User : ATAcer1 - ATACER1-PC
# Boot Mode : Normal
# Running from : C:\Users\ATAcer1\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files (x86)\Mozilla Firefox\.autoreg
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\ATAcer1\AppData\Local\Temp\boost_interprocess

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Registry is clean.

-\\ Mozilla Firefox v3.5.19 (en-US)

File : C:\Users\ATAcer1\AppData\Roaming\Mozilla\Firefox\Profiles\98a91luy.default\prefs.js

C:\Users\ATAcer1\AppData\Roaming\Mozilla\Firefox\Profiles\98a91luy.default\user.js ... Deleted !

[OK] File is clean.

File : C:\Users\Dale\AppData\Roaming\Mozilla\Firefox\Profiles\daitm558.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v26.0.1410.43

File : C:\Users\ATAcer1\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1688 octets] - [04/04/2013 12:50:29]

########## EOF - C:\AdwCleaner[S1].txt - [1748 octets] ##########

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.04.04.05

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
ATAcer1 :: ATACER1-PC [administrator]

4/4/2013 12:58:28 PM
mbam-log-2013-04-04 (12-58-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240478
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#12 JSntgRvr (Malware Response Team)

Posted 04 April 2013 - 03:45 PM

Run Bitdefender Online scan and let me know the outcome.



#13 JohnJh (Topic Starter)

Posted 04 April 2013 - 04:59 PM

Bitdefender came back with no threats.



#14 JSntgRvr (Malware Response Team)

Posted 04 April 2013 - 08:57 PM

Congratulations.


Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

The following will implement some cleanup procedures as well as reset System Restore points:
  • Press the Windows key + R. At the Run command type or copy and paste the following:

    Combofix /uninstall

  • Remove the C:\FRST folder.
  • Manually remove any tool left.

Here are some suggestions.
  • Always keep your JAVA updated. Older versions will make your computer vulnerable.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!





