
Moneypak virus help!


  • This topic is locked
3 replies to this topic

#1 joec4571

  • Members
  • 15 posts

Posted 09 September 2013 - 12:42 PM

I have the MoneyPak virus and it's preventing me from getting into safe mode and everything else. I have attached my FRST64 log as suggested in other posts; please advise! Thank you!
 
Attached File: FRST.txt (40.46KB)
 
Mod Edit: Copy/pasted FRST log below. ~bloopie

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-09-2013 01
Ran by SYSTEM on MININT-B8CNR6O on 09-09-2013 13:31:21
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BeatsOSDApp] - C:\Program Files\IDT\WDM\beats64.exe [37888 2010-10-21] (Hewlett-Packard )
HKLM\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-04-24] (IDT, Inc.)
HKLM\...\Run: [RpcPing] - C:\Users\Joe Christopher\AppData\Local\Microsoft\Windows\3695\RpcPing.exe
HKLM\...\Run: [LogMeIn GUI] - C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2012-11-29] (LogMeIn, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Shell] cmd.exe [302592 2010-11-20] (Microsoft Corporation) <=== ATTENTION
HKLM-x32\...\Winlogon: [Shell] cmd.exe [302592 2010-11-20] (Microsoft Corporation) <=== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$3a18518c51724e5fa47a3f0ae477a6ea\n. ATTENTION! ====> ZeroAccess?
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKLM-x32\...\Command Processor: "C:\Users\Christopher\AppData\Local\PG4q3ReeO\nQi6b6EhKh.exe" <======= ATTENTION
HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Google Desktop Search] - C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2012-02-23] (Google)
HKLM-x32\...\Run: [Carbonite Backup] - C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1059472 2012-02-03] (Carbonite, Inc.)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [815512 2012-01-03] (Adobe Systems Inc.)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [SearchSettings] - C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe [1360192 2013-09-02] (Spigot, Inc.)
HKLM-x32\...\Run: [h6dTbbiM.exe] - C:\Users\Joe Christopher\AppData\Local\TGI1u5Cs\h6dTbbiM.exe [79872 2013-09-09] ()
HKLM-x32\...\Run: [nQi6b6EhKh.exe] - C:\Users\Christopher\AppData\Local\PG4q3ReeO\nQi6b6EhKh.exe [79872 2013-09-09] ()
HKU\Christopher\...\Run: [nQi6b6EhKh.exe] - C:\Users\Christopher\AppData\Local\PG4q3ReeO\nQi6b6EhKh.exe [79872 2013-09-09] ()
HKU\Christopher\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Christopher\...\Command Processor: "C:\Users\Christopher\AppData\Local\PG4q3ReeO\nQi6b6EhKh.exe" <===== ATTENTION!
HKU\Joe Christopher\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-11-15] (Google Inc.)
HKU\Joe Christopher\...\Run: [h6dTbbiM.exe] - C:\Users\Joe Christopher\AppData\Local\TGI1u5Cs\h6dTbbiM.exe [79872 2013-09-09] ()
HKU\Joe Christopher\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Joe Christopher\...\Command Processor: "C:\Users\Joe Christopher\AppData\Local\TGI1u5Cs\h6dTbbiM.exe" <===== ATTENTION!
AppInit_DLLs-x32: C:\PROGRA~2\Google\GOOGLE~1\GO36F4~1.DLL [123392 2012-02-23] (Google)
Startup: C:\Users\Joe Christopher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk
ShortcutTarget: NexDef Plug-in.lnk -> (No File)

==================== Services (Whitelisted) =================

S2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129840 2011-06-17] (Portrait Displays, Inc.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2012-02-23] (Google)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2013-06-08] (LogMeIn, Inc.)
S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2013-06-08] (LogMeIn, Inc.)
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2012-11-29] (LogMeIn, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MSSQL$INVENIAS; C:\Program Files\Microsoft SQL Server\MSSQL10_50.INVENIAS\MSSQL\Binn\sqlservr.exe [62111072 2011-06-17] (Microsoft Corporation)
S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
S4 SQLAgent$INVENIAS; C:\Program Files\Microsoft SQL Server\MSSQL10_50.INVENIAS\MSSQL\Binn\SQLAGENT.EXE [431456 2011-06-17] (Microsoft Corporation)
S3 MSSQLFDLauncher$INVENIAS; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.INVENIAS\MSSQL\Binn\fdlauncher.exe" -s MSSQL10_50.INVENIAS [x]

==================== Drivers (Whitelisted) ====================

S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32000 2013-08-14] ()
S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-28] (LogMeIn, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 NWVoltron; C:\Windows\System32\DRIVERS\NWVoltron.sys [28920 2013-01-22] ()
S3 NWWakeFilterV; C:\Windows\system32\drivers\NWWakeFilterV.sys [16152 2011-05-25] (n/a)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2011-10-12] ()
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2011-10-12] ()
S1 A2DDA; \??\C:\Users\Joe Christopher\Desktop\Run\a2ddax64.sys [x]
S3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S4 LMIRfsClientNP; No ImagePath
S0 SMR322; System32\drivers\SMR322.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-09 13:31 - 2013-09-09 13:31 - 00000000 ____D C:\FRST
2013-09-09 09:20 - 2013-09-09 09:20 - 00183296 _____ C:\Users\Christopher\AppData\Roaming\wBfH0ZjVIy
2013-09-09 09:20 - 2013-09-09 09:20 - 00183296 _____ C:\Users\Christopher\AppData\Local\9eiZE6yJ
2013-09-09 09:20 - 2013-09-09 09:20 - 00183296 _____ C:\ProgramData\TvBVdkdw
2013-09-09 09:17 - 2013-09-09 09:17 - 00183296 _____ C:\Users\Christopher\AppData\Roaming\ncvgTPbPZ
2013-09-09 09:17 - 2013-09-09 09:17 - 00183296 _____ C:\Users\Christopher\AppData\Local\H06HlejRx
2013-09-09 09:17 - 2013-09-09 09:17 - 00183296 _____ C:\ProgramData\GbWkhPJOP
2013-09-09 08:49 - 2013-09-09 08:49 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\3xpOXlE3O
2013-09-09 08:49 - 2013-09-09 08:49 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\cKIHmhbbK
2013-09-09 08:49 - 2013-09-09 08:49 - 00183296 _____ C:\ProgramData\1SEcp7Oj
2013-09-09 08:43 - 2013-09-09 08:43 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\hxlhG5uHjh
2013-09-09 08:43 - 2013-09-09 08:43 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\E4KNAwlQ1ss
2013-09-09 08:43 - 2013-09-09 08:43 - 00183296 _____ C:\ProgramData\zooN5ZDf
2013-09-09 08:09 - 2013-09-09 08:09 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\Qwdf1JGXG
2013-09-09 08:09 - 2013-09-09 08:09 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\ulc6qgyx
2013-09-09 08:09 - 2013-09-09 08:09 - 00183296 _____ C:\ProgramData\oaJ5fbq6
2013-09-09 08:02 - 2013-09-09 08:02 - 00003160 ____N C:\bootsqm.dat
2013-09-09 08:01 - 2013-09-09 08:01 - 00000000 __SHD C:\found.003
2013-09-09 07:54 - 2013-09-09 09:16 - 00000000 ____D C:\Users\Christopher\AppData\Local\PG4q3ReeO
2013-09-09 07:54 - 2013-09-09 07:54 - 00000000 ____D C:\Windows\System32\%LOCALAPPDATA%
2013-09-09 07:50 - 2013-09-09 07:50 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\xtvcvqp3qn
2013-09-09 07:50 - 2013-09-09 07:50 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\0PD7DnsvlYo
2013-09-09 07:50 - 2013-09-09 07:50 - 00183296 _____ C:\ProgramData\qEzgLbWAhc
2013-09-09 07:41 - 2013-09-09 07:42 - 00000000 ____D C:\Users\Christopher\AppData\Local\NPE
2013-09-09 07:41 - 2013-09-09 07:41 - 02986440 _____ (Symantec Corporation) C:\Users\Christopher\Desktop\NPE.exe
2013-09-09 07:41 - 2013-09-09 07:41 - 00000298 ____H C:\Windows\Tasks\User_Feed_Synchronization-{004EB8D7-4984-441D-94BA-ABC1C4CA81A5}.job
2013-09-09 06:42 - 2013-09-09 06:42 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\Lht6v2L8wk
2013-09-09 06:42 - 2013-09-09 06:42 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\h9IXxeTUr
2013-09-09 06:42 - 2013-09-09 06:42 - 00183296 _____ C:\ProgramData\U4B7zWHf
2013-09-09 06:38 - 2013-09-09 06:42 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\TGI1u5Cs
2013-09-09 06:38 - 2013-09-09 06:38 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\Dde0v4BlV
2013-09-09 06:38 - 2013-09-09 06:38 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\V8V6Dr7VAUU
2013-09-09 06:38 - 2013-09-09 06:38 - 00183296 _____ C:\ProgramData\BexVD37Y
2013-09-08 13:48 - 2013-09-08 13:49 - 00000000 ____D C:\Users\Joe Christopher\Desktop\100OLYMP
2013-09-06 14:02 - 2013-09-07 04:53 - 00000372 _____ C:\Windows\Tasks\HPCeeScheduleForJoe Christopher.job
2013-09-05 10:11 - 2013-09-05 10:11 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\IDT
2013-09-05 09:50 - 2013-09-05 12:42 - 00000667 _____ C:\Users\Joe Christopher\Desktop\Summer 2013 Season Stats.csv
2013-09-05 06:27 - 2013-09-05 06:27 - 00003118 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2013-09-05 06:27 - 2013-09-05 06:27 - 00003092 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2013-09-05 06:27 - 2013-09-05 06:27 - 00003090 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2013-09-05 06:27 - 2013-09-05 06:27 - 00003062 _____ C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe
2013-09-05 06:26 - 2013-09-05 06:26 - 00003060 _____ C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe
2013-09-05 06:26 - 2013-09-05 06:26 - 00000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_point64_01011.Wdf
2013-09-05 06:22 - 2013-09-05 06:24 - 00000000 ____D C:\Program Files\Microsoft Mouse and Keyboard Center
2013-09-05 06:18 - 2013-09-05 06:18 - 00000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2013-09-05 06:16 - 2013-09-05 06:16 - 00000000 ____D C:\Program Files (x86)\Vuze Remote Toolbar
2013-09-05 06:16 - 2013-09-05 06:16 - 00000000 ____D C:\Program Files (x86)\Application Updater
2013-09-05 05:56 - 2013-09-05 05:56 - 00183296 _____ C:\Users\Christopher\AppData\Roaming\cmun9H15u0R
2013-09-05 05:56 - 2013-09-05 05:56 - 00183296 _____ C:\Users\Christopher\AppData\Local\wiwMBEqOvKP
2013-09-05 05:56 - 2013-09-05 05:56 - 00183296 _____ C:\ProgramData\bnWLZHY0
2013-09-05 05:52 - 2013-09-05 05:52 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\otmJrmrJ
2013-09-05 05:52 - 2013-09-05 05:52 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\6BOI3FgpZP
2013-09-05 05:52 - 2013-09-05 05:52 - 00183296 _____ C:\ProgramData\KJxwBjfCUPr
2013-09-05 05:39 - 2013-09-05 05:39 - 00183296 _____ C:\Users\Christopher\AppData\Roaming\aNShvnDeow
2013-09-05 05:39 - 2013-09-05 05:39 - 00183296 _____ C:\Users\Christopher\AppData\Local\FH8p5xlNsJ
2013-09-05 05:39 - 2013-09-05 05:39 - 00183296 _____ C:\ProgramData\8I0vonhBnX
2013-09-05 04:16 - 2013-09-05 04:16 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\HqYtDsUjY
2013-09-05 04:16 - 2013-09-05 04:16 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\kL7qNhQOQ1
2013-09-05 04:16 - 2013-09-05 04:16 - 00183296 _____ C:\ProgramData\rQClBjCfOP
2013-09-02 06:59 - 2013-09-02 06:59 - 00000000 ____D C:\Users\Joe Christopher\Desktop\PTO
2013-08-29 14:11 - 2013-09-05 10:06 - 00000000 ____D C:\Program Files (x86)\Fitbit Connect
2013-08-29 14:11 - 2013-08-29 14:11 - 00000000 ____D C:\ProgramData\FitbitConnect
2013-08-21 11:10 - 2013-08-21 11:10 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-21 11:10 - 2013-08-21 11:10 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-21 08:26 - 2013-08-26 11:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-19 11:18 - 2013-08-19 11:19 - 00013853 _____ C:\Users\Joe Christopher\Desktop\Pret RubyTues cold call list.xlsx
2013-08-16 08:23 - 2013-08-16 08:23 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\Slick Savings
2013-08-16 08:23 - 2013-08-16 08:23 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\Slick Savings
2013-08-15 05:44 - 2013-08-15 05:44 - 02038348 ____T C:\Users\Joe Christopher\Desktop\Alex1.jpeg
2013-08-15 05:44 - 2013-08-15 05:44 - 02021198 _____ C:\Users\Joe Christopher\Desktop\Alex3.jpeg
2013-08-15 05:44 - 2013-08-15 05:44 - 01829051 _____ C:\Users\Joe Christopher\Desktop\Alex2.jpeg
2013-08-15 05:44 - 2013-08-15 05:44 - 01251308 _____ C:\Users\Joe Christopher\Desktop\Alex4.jpeg
2013-08-14 23:32 - 2013-08-14 23:32 - 00000000 __SHD C:\found.002
2013-08-14 23:08 - 2013-07-25 21:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-14 23:08 - 2013-07-25 21:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-14 23:08 - 2013-07-25 21:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-14 23:08 - 2013-07-25 21:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-14 23:08 - 2013-07-25 21:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-14 23:08 - 2013-07-25 19:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-14 23:08 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-14 23:08 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-14 23:08 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-14 23:08 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-14 23:08 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-14 23:08 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-14 23:08 - 2013-07-25 18:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-14 23:08 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-14 14:48 - 2013-08-14 14:48 - 02986440 _____ (Symantec Corporation) C:\Users\Joe Christopher\Desktop\NPE.exe
2013-08-14 14:43 - 2013-08-14 14:43 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-08-14 14:27 - 2013-08-14 14:27 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Malwarebytes
2013-08-14 14:24 - 2013-08-14 14:25 - 00000000 ____D C:\Users\Christopher\AppData\Local\Adobe
2013-08-14 14:24 - 2013-08-14 14:24 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Apple Computer
2013-08-14 14:24 - 2013-08-14 14:24 - 00000000 ____D C:\Users\Christopher\AppData\Local\LogMeIn
2013-08-14 14:24 - 2013-08-14 14:24 - 00000000 ____D C:\Users\Christopher\AppData\Local\Google
2013-08-14 14:22 - 2013-08-14 14:22 - 00003974 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{004EB8D7-4984-441D-94BA-ABC1C4CA81A5}
2013-08-14 14:21 - 2013-08-14 14:25 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Adobe
2013-08-14 14:20 - 2013-08-14 14:20 - 00000000 ____D C:\Users\Christopher\AppData\Local\TouchSmartData
2013-08-14 14:18 - 2013-08-14 14:18 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Symantec
2013-08-14 14:17 - 2013-09-05 10:06 - 00000000 ____D C:\users\Christopher
2013-08-14 14:17 - 2013-08-14 14:17 - 00000020 ___SH C:\Users\Christopher\ntuser.ini
2013-08-14 14:17 - 2011-10-12 14:50 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Macromedia
2013-08-14 14:17 - 2011-10-12 14:50 - 00000000 ____D C:\Users\Christopher\AppData\Local\Hewlett-Packard
2013-08-14 14:08 - 2013-08-14 14:42 - 00001950 _____ C:\Windows\System32\.crusader
2013-08-14 03:06 - 2013-07-25 01:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-14 03:06 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 03:06 - 2013-07-18 17:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-14 03:06 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 03:06 - 2013-07-08 22:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-14 03:06 - 2013-07-08 21:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-14 03:06 - 2013-07-08 21:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-08-14 03:06 - 2013-07-08 21:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-14 03:06 - 2013-07-08 21:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-14 03:06 - 2013-07-08 21:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-14 03:06 - 2013-07-08 21:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-14 03:06 - 2013-07-08 21:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-14 03:06 - 2013-07-08 21:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 03:06 - 2013-07-08 21:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 03:06 - 2013-07-08 20:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 03:06 - 2013-07-08 20:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 03:06 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 03:06 - 2013-07-08 20:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 03:06 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 03:06 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 03:06 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 03:06 - 2013-07-08 18:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 03:06 - 2013-07-08 18:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 03:06 - 2013-07-08 18:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 03:06 - 2013-07-08 18:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 03:06 - 2013-06-14 20:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-08-14 03:05 - 2013-07-05 22:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

==================== One Month Modified Files and Folders =======

2013-09-09 13:13 - 2012-03-08 10:11 - 00000000 ____D C:\ProgramData\Recovery
2013-09-09 09:20 - 2013-09-09 09:20 - 00183296 _____ C:\Users\Christopher\AppData\Roaming\wBfH0ZjVIy
2013-09-09 09:20 - 2013-09-09 09:20 - 00183296 _____ C:\Users\Christopher\AppData\Local\9eiZE6yJ
2013-09-09 09:20 - 2013-09-09 09:20 - 00183296 _____ C:\ProgramData\TvBVdkdw
2013-09-09 09:20 - 2012-02-25 05:18 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-09 09:19 - 2012-03-21 04:23 - 00000236 _____ C:\Windows\Tasks\AutoKMS.job
2013-09-09 09:19 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-09 09:19 - 2009-07-13 20:51 - 00057152 _____ C:\Windows\setupact.log
2013-09-09 09:17 - 2013-09-09 09:17 - 00183296 _____ C:\Users\Christopher\AppData\Roaming\ncvgTPbPZ
2013-09-09 09:17 - 2013-09-09 09:17 - 00183296 _____ C:\Users\Christopher\AppData\Local\H06HlejRx
2013-09-09 09:17 - 2013-09-09 09:17 - 00183296 _____ C:\ProgramData\GbWkhPJOP
2013-09-09 09:17 - 2011-10-12 14:31 - 01728737 _____ C:\Windows\WindowsUpdate.log
2013-09-09 09:16 - 2013-09-09 07:54 - 00000000 ____D C:\Users\Christopher\AppData\Local\PG4q3ReeO
2013-09-09 08:49 - 2013-09-09 08:49 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\3xpOXlE3O
2013-09-09 08:49 - 2013-09-09 08:49 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\cKIHmhbbK
2013-09-09 08:49 - 2013-09-09 08:49 - 00183296 _____ C:\ProgramData\1SEcp7Oj
2013-09-09 08:43 - 2013-09-09 08:43 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\hxlhG5uHjh
2013-09-09 08:43 - 2013-09-09 08:43 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\E4KNAwlQ1ss
2013-09-09 08:43 - 2013-09-09 08:43 - 00183296 _____ C:\ProgramData\zooN5ZDf
2013-09-09 08:09 - 2013-09-09 08:09 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\Qwdf1JGXG
2013-09-09 08:09 - 2013-09-09 08:09 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\ulc6qgyx
2013-09-09 08:09 - 2013-09-09 08:09 - 00183296 _____ C:\ProgramData\oaJ5fbq6
2013-09-09 08:06 - 2012-02-25 05:18 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-09 08:02 - 2013-09-09 08:02 - 00003160 ____N C:\bootsqm.dat
2013-09-09 08:01 - 2013-09-09 08:01 - 00000000 __SHD C:\found.003
2013-09-09 07:54 - 2013-09-09 07:54 - 00000000 ____D C:\Windows\System32\%LOCALAPPDATA%
2013-09-09 07:50 - 2013-09-09 07:50 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\xtvcvqp3qn
2013-09-09 07:50 - 2013-09-09 07:50 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\0PD7DnsvlYo
2013-09-09 07:50 - 2013-09-09 07:50 - 00183296 _____ C:\ProgramData\qEzgLbWAhc
2013-09-09 07:42 - 2013-09-09 07:41 - 00000000 ____D C:\Users\Christopher\AppData\Local\NPE
2013-09-09 07:41 - 2013-09-09 07:41 - 02986440 _____ (Symantec Corporation) C:\Users\Christopher\Desktop\NPE.exe
2013-09-09 07:41 - 2013-09-09 07:41 - 00000298 ____H C:\Windows\Tasks\User_Feed_Synchronization-{004EB8D7-4984-441D-94BA-ABC1C4CA81A5}.job
2013-09-09 06:42 - 2013-09-09 06:42 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\Lht6v2L8wk
2013-09-09 06:42 - 2013-09-09 06:42 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\h9IXxeTUr
2013-09-09 06:42 - 2013-09-09 06:42 - 00183296 _____ C:\ProgramData\U4B7zWHf
2013-09-09 06:42 - 2013-09-09 06:38 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\TGI1u5Cs
2013-09-09 06:38 - 2013-09-09 06:38 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\Dde0v4BlV
2013-09-09 06:38 - 2013-09-09 06:38 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\V8V6Dr7VAUU
2013-09-09 06:38 - 2013-09-09 06:38 - 00183296 _____ C:\ProgramData\BexVD37Y
2013-09-09 06:34 - 2011-07-16 16:34 - 00000000 ____D C:\Users\Joe Christopher\Documents\Outlook Files
2013-09-09 06:33 - 2007-12-04 09:06 - 00000000 ____D C:\Users\Joe Christopher\Documents\Resumes
2013-09-09 04:54 - 2012-02-28 12:07 - 00000000 ____D C:\ProgramData\LogMeIn
2013-09-09 01:38 - 2012-02-23 10:16 - 00003990 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{E9BF3D8B-89B7-4F63-A7A0-6C2B444DA2E1}
2013-09-08 20:10 - 2011-10-12 14:57 - 00000000 ____D C:\ProgramData\truesuite
2013-09-08 13:49 - 2013-09-08 13:48 - 00000000 ____D C:\Users\Joe Christopher\Desktop\100OLYMP
2013-09-07 23:23 - 2012-12-12 00:23 - 00003230 _____ C:\Windows\System32\Tasks\HPCeeScheduleForJOECHRISTOPHER$
2013-09-07 23:23 - 2012-12-12 00:23 - 00000354 _____ C:\Windows\Tasks\HPCeeScheduleForJOECHRISTOPHER$.job
2013-09-07 05:06 - 2009-07-13 20:45 - 00024608 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-07 05:06 - 2009-07-13 20:45 - 00024608 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-07 04:53 - 2013-09-06 14:02 - 00000372 _____ C:\Windows\Tasks\HPCeeScheduleForJoe Christopher.job
2013-09-07 04:52 - 2010-11-20 19:47 - 02182690 _____ C:\Windows\PFRO.log
2013-09-06 14:02 - 2013-02-22 14:09 - 00003246 _____ C:\Windows\System32\Tasks\HPCeeScheduleForJoe Christopher
2013-09-06 14:00 - 2012-02-24 17:20 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2013-09-06 13:59 - 2012-05-04 13:05 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-09-06 13:58 - 2012-02-24 17:19 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\HP Support Assistant
2013-09-06 13:58 - 2012-02-24 11:04 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\HpUpdate
2013-09-06 06:18 - 2012-02-25 08:46 - 00001057 _____ C:\Users\Joe Christopher\AppData\Roaming\vso_ts_preview.xml
2013-09-06 06:18 - 2012-02-25 08:46 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\Vso
2013-09-05 22:09 - 2012-08-23 05:27 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-09-05 15:04 - 2012-07-16 05:50 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\NPE
2013-09-05 12:42 - 2013-09-05 09:50 - 00000667 _____ C:\Users\Joe Christopher\Desktop\Summer 2013 Season Stats.csv
2013-09-05 10:11 - 2013-09-05 10:11 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\IDT
2013-09-05 10:06 - 2013-08-29 14:11 - 00000000 ____D C:\Program Files (x86)\Fitbit Connect
2013-09-05 10:06 - 2013-08-14 14:17 - 00000000 ____D C:\users\Christopher
2013-09-05 10:06 - 2013-06-21 14:11 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-05 10:06 - 2013-06-21 14:11 - 00000000 ____D C:\Program Files\iTunes
2013-09-05 10:06 - 2013-06-21 14:11 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-09-05 10:06 - 2012-05-14 11:45 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-09-05 10:06 - 2012-02-23 18:23 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\Azureus
2013-09-05 10:06 - 2011-10-12 14:42 - 00000000 ____D C:\ProgramData\RoxioNow
2013-09-05 10:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-09-05 10:05 - 2013-06-21 14:12 - 00000000 ____D C:\Program Files\iPod
2013-09-05 10:05 - 2012-03-21 07:04 - 00000000 __RHD C:\MSOCache
2013-09-05 09:36 - 2012-02-23 10:16 - 00130752 _____ C:\Users\Joe Christopher\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-05 07:09 - 2009-07-13 20:45 - 05024648 _____ C:\Windows\System32\FNTCACHE.DAT
2013-09-05 06:27 - 2013-09-05 06:27 - 00003118 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2013-09-05 06:27 - 2013-09-05 06:27 - 00003092 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2013-09-05 06:27 - 2013-09-05 06:27 - 00003090 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2013-09-05 06:27 - 2013-09-05 06:27 - 00003062 _____ C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe
2013-09-05 06:26 - 2013-09-05 06:26 - 00003060 _____ C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe
2013-09-05 06:26 - 2013-09-05 06:26 - 00000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_point64_01011.Wdf
2013-09-05 06:24 - 2013-09-05 06:22 - 00000000 ____D C:\Program Files\Microsoft Mouse and Keyboard Center
2013-09-05 06:23 - 2012-06-13 08:16 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\Skype
2013-09-05 06:21 - 2012-02-23 10:23 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-05 06:18 - 2013-09-05 06:18 - 00000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2013-09-05 06:17 - 2012-06-13 08:15 - 00002515 _____ C:\Users\Public\Desktop\Skype.lnk
2013-09-05 06:17 - 2012-06-13 08:15 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-09-05 06:17 - 2012-06-13 08:14 - 00000000 ____D C:\ProgramData\Skype
2013-09-05 06:16 - 2013-09-05 06:16 - 00000000 ____D C:\Program Files (x86)\Vuze Remote Toolbar
2013-09-05 06:16 - 2013-09-05 06:16 - 00000000 ____D C:\Program Files (x86)\Application Updater
2013-09-05 06:10 - 2012-04-09 05:18 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-05 06:10 - 2012-02-23 10:12 - 00000000 ____D C:\users\Joe Christopher
2013-09-05 05:56 - 2013-09-05 05:56 - 00183296 _____ C:\Users\Christopher\AppData\Roaming\cmun9H15u0R
2013-09-05 05:56 - 2013-09-05 05:56 - 00183296 _____ C:\Users\Christopher\AppData\Local\wiwMBEqOvKP
2013-09-05 05:56 - 2013-09-05 05:56 - 00183296 _____ C:\ProgramData\bnWLZHY0
2013-09-05 05:52 - 2013-09-05 05:52 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\otmJrmrJ
2013-09-05 05:52 - 2013-09-05 05:52 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\6BOI3FgpZP
2013-09-05 05:52 - 2013-09-05 05:52 - 00183296 _____ C:\ProgramData\KJxwBjfCUPr
2013-09-05 05:41 - 2012-02-23 18:55 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\CrashDumps
2013-09-05 05:39 - 2013-09-05 05:39 - 00183296 _____ C:\Users\Christopher\AppData\Roaming\aNShvnDeow
2013-09-05 05:39 - 2013-09-05 05:39 - 00183296 _____ C:\Users\Christopher\AppData\Local\FH8p5xlNsJ
2013-09-05 05:39 - 2013-09-05 05:39 - 00183296 _____ C:\ProgramData\8I0vonhBnX
2013-09-05 04:16 - 2013-09-05 04:16 - 00183296 _____ C:\Users\Joe Christopher\AppData\Roaming\HqYtDsUjY
2013-09-05 04:16 - 2013-09-05 04:16 - 00183296 _____ C:\Users\Joe Christopher\AppData\Local\kL7qNhQOQ1
2013-09-05 04:16 - 2013-09-05 04:16 - 00183296 _____ C:\ProgramData\rQClBjCfOP
2013-09-04 06:46 - 2008-01-15 11:29 - 00000000 ____D C:\Users\Joe Christopher\Documents\ConvertXtoDVD
2013-09-02 17:48 - 2013-07-10 08:52 - 00012312 _____ C:\Users\Joe Christopher\Desktop\MONTHS.xlsx
2013-09-02 08:06 - 2013-04-03 08:40 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\Paint.NET
2013-09-02 06:59 - 2013-09-02 06:59 - 00000000 ____D C:\Users\Joe Christopher\Desktop\PTO
2013-08-29 14:11 - 2013-08-29 14:11 - 00000000 ____D C:\ProgramData\FitbitConnect
2013-08-26 11:54 - 2013-08-21 08:26 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-21 11:10 - 2013-08-21 11:10 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-21 11:10 - 2013-08-21 11:10 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-21 11:10 - 2012-04-09 05:18 - 00003770 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-21 11:10 - 2012-02-24 12:01 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\Adobe
2013-08-21 11:10 - 2012-02-23 10:28 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\Google
2013-08-21 11:08 - 2007-12-04 09:04 - 00000000 ____D C:\Users\Joe Christopher\Documents\Contracts
2013-08-19 11:19 - 2013-08-19 11:18 - 00013853 _____ C:\Users\Joe Christopher\Desktop\Pret RubyTues cold call list.xlsx
2013-08-17 17:50 - 2009-07-13 20:51 - 00054785 _____ C:\Windows\setupact(12).log
2013-08-16 08:24 - 2012-02-23 18:22 - 00000000 ____D C:\Program Files (x86)\Vuze
2013-08-16 08:23 - 2013-08-16 08:23 - 00000000 ____D C:\Users\Joe Christopher\AppData\Roaming\Slick Savings
2013-08-16 08:23 - 2013-08-16 08:23 - 00000000 ____D C:\Users\Joe Christopher\AppData\Local\Slick Savings
2013-08-16 08:22 - 2012-02-23 18:22 - 00001854 _____ C:\Users\Public\Desktop\Vuze.lnk
2013-08-15 05:44 - 2013-08-15 05:44 - 02038348 ____T C:\Users\Joe Christopher\Desktop\Alex1.jpeg
2013-08-15 05:44 - 2013-08-15 05:44 - 02021198 _____ C:\Users\Joe Christopher\Desktop\Alex3.jpeg
2013-08-15 05:44 - 2013-08-15 05:44 - 01829051 _____ C:\Users\Joe Christopher\Desktop\Alex2.jpeg
2013-08-15 05:44 - 2013-08-15 05:44 - 01251308 _____ C:\Users\Joe Christopher\Desktop\Alex4.jpeg
2013-08-15 00:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-08-14 23:32 - 2013-08-14 23:32 - 00000000 __SHD C:\found.002
2013-08-14 23:26 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-08-14 23:26 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-08-14 23:06 - 2009-07-13 21:13 - 00890184 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-14 23:04 - 2013-07-14 15:50 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 23:01 - 2012-02-26 12:22 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-14 14:48 - 2013-08-14 14:48 - 02986440 _____ (Symantec Corporation) C:\Users\Joe Christopher\Desktop\NPE.exe
2013-08-14 14:43 - 2013-08-14 14:43 - 00032000 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2013-08-14 14:42 - 2013-08-14 14:08 - 00001950 _____ C:\Windows\System32\.crusader
2013-08-14 14:27 - 2013-08-14 14:27 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Malwarebytes
2013-08-14 14:25 - 2013-08-14 14:24 - 00000000 ____D C:\Users\Christopher\AppData\Local\Adobe
2013-08-14 14:25 - 2013-08-14 14:21 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Adobe
2013-08-14 14:24 - 2013-08-14 14:24 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Apple Computer
2013-08-14 14:24 - 2013-08-14 14:24 - 00000000 ____D C:\Users\Christopher\AppData\Local\LogMeIn
2013-08-14 14:24 - 2013-08-14 14:24 - 00000000 ____D C:\Users\Christopher\AppData\Local\Google
2013-08-14 14:22 - 2013-08-14 14:22 - 00003974 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{004EB8D7-4984-441D-94BA-ABC1C4CA81A5}
2013-08-14 14:20 - 2013-08-14 14:20 - 00000000 ____D C:\Users\Christopher\AppData\Local\TouchSmartData
2013-08-14 14:18 - 2013-08-14 14:18 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\Symantec
2013-08-14 14:18 - 2011-10-12 14:32 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2013-08-14 14:17 - 2013-08-14 14:17 - 00000020 ___SH C:\Users\Christopher\ntuser.ini
2013-08-14 14:09 - 2013-02-26 19:08 - 00000000 ____D C:\ProgramData\HitmanPro

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3441659023-3949084364-1237749997-1001\$3a18518c51724e5fa47a3f0ae477a6ea

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$3a18518c51724e5fa47a3f0ae477a6ea

Files to move or delete:
====================
C:\Users\Christopher\AppData\Local\PG4q3ReeO\nQi6b6EhKh.exe
C:\Users\Joe Christopher\AppData\Local\TGI1u5Cs\h6dTbbiM.exe
C:\ProgramData\etadpuelgoog.pad
C:\ProgramData\gla.pad
C:\Users\Joe Christopher\acrobatreader.exe
C:\Users\Joe Christopher\msconfig.exe
C:\Users\Joe Christopher\mstsc.exe
C:\Users\Joe Christopher\skype.exe
C:\Users\Joe Christopher\teamviewer.exe
C:\Users\Joe Christopher\AppData\Roaming\skype.ini
C:\Users\Joe Christopher\AppData\Local\Temp\0elz5qrx.dll
C:\Users\Joe Christopher\AppData\Local\Temp\addbdemyoahnxadvkgq.exe
C:\Users\Joe Christopher\AppData\Local\Temp\i4jdel0.exe
C:\Users\Joe Christopher\AppData\Local\Temp\idvmldicqeatveyqbax.dll
C:\Users\Joe Christopher\AppData\Local\Temp\idvmldicqeatveyqbax.exe
C:\Users\Joe Christopher\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
C:\Users\Joe Christopher\AppData\Local\Temp\mswjgkxf.dll
C:\Users\Joe Christopher\AppData\Local\Temp\ose00000.exe
C:\Users\Joe Christopher\AppData\Local\Temp\ose00001.exe
C:\Users\Joe Christopher\AppData\Local\Temp\SEVINST64x86.EXE
C:\Users\Joe Christopher\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Joe Christopher\AppData\Local\Temp\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}_N360_8239.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-09-05 06:20:02
Restore point made on: 2013-09-05 06:22:02
Restore point made on: 2013-09-05 07:05:34
Restore point made on: 2013-09-05 07:47:19
Restore point made on: 2013-09-05 12:42:56
Restore point made on: 2013-09-05 12:59:11
Restore point made on: 2013-09-05 13:03:35
Restore point made on: 2013-09-05 13:55:39
Restore point made on: 2013-09-09 06:23:45

==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 4000.31 MB
Available physical RAM: 3043.01 MB
Total Pagefile: 3998.51 MB
Available Pagefile: 3031.97 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:916.71 GB) (Free:278.46 GB) NTFS
Drive e: (HP_RECOVERY) (Fixed) (Total:14.71 GB) (Free:1.82 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (USB DISK) (Removable) (Total:7.2 GB) (Free:7.2 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.12 GB) (Free:0.12 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 0C983697)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=917 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0C)


LastRegBack: 2013-09-05 13:27

==================== End Of Log ============================

Edited by bloopie, 09 September 2013 - 01:24 PM.
Moved to log forum. ~ OB


#2 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 09 September 2013 - 02:51 PM

Hello joec4571 and welcome to Bleeping Computer!

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please do not run any other tools without my instruction to do so!

==========

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you'd still like to continue with the cleaning process, then follow the instructions below.

==========

From a clean computer please download the attached file fixlist.txt and save it to the same location as FRST64. <--Important!

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Now on the infected machine run FRST64 just as you did before, but this time around press the "Fix" button just once and wait for the tool to do its job.
The tool will generate a log (Fixlog.txt) in the same location the tool was run. Please copy and paste it in your reply.

==========

In addition to the Fixlog.txt, please let me know if the machine boots normally and let me know how the machine is running now!

bloopie



#3 bloopie

Posted 12 September 2013 - 05:48 PM

Hello again,

Are you still with me? :)

This is a 3-Day Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie

#4 bloopie

Posted 14 September 2013 - 12:39 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



