Infected with Zekos


This topic is locked
42 replies to this topic

#1 Isador

Isador

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 07 March 2014 - 02:36 PM

Here is the earlier topic that led me to here: http://www.bleepingcomputer.com/forums/t/526647/ads-audio-in-backgroundcomputer-crashed/

 

My computer is infected with Zekos and I was instructed to run Dr Web CureIt. rpcss.dll was deleted by Dr Web or couldn't be replaced properly. So as it is currently I am unable to start the computer normally, in safe mode, or in safe mode with networking. I also tried running the system repair option and it was unable to do anything; the only option I haven't selected was system restore, as I hope this problem can be solved without doing so.

 

Thanks,

 

Isador




#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:18 PM

Posted 07 March 2014 - 02:47 PM

Hello Isador,

Let's see what went wrong there. :)
Please try to run a FRST scan from Recovery Environment as follows:


On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html




To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#3 Isador

Isador
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 07 March 2014 - 02:59 PM

Alrighty, I have to head to work, but when I get back I'll follow your instructions and post the results later tonight. :)



#4 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:18 PM

Posted 07 March 2014 - 03:05 PM

Ok.
My guess is that the permissions of the replacement file are messed up - but we'll see. :)

#5 Isador

Isador
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 08 March 2014 - 03:19 PM

Performing the scan now, will post the results when done. :) Sorry for the late reply, I had a long work night.



#6 Isador

Isador
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 08 March 2014 - 03:23 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-03-2014 01
Ran by SYSTEM on MININT-J2HIUJS on 08-03-2014 15:18:12
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-07-08] ()
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2184520 2009-07-26] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-03-17] (CANON INC.)
HKLM-x32\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] - c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [UpdatePRCShortCut] - C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [IJNetworkScanUtility] - C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [136544 2009-05-19] (CANON INC.)
HKLM-x32\...\Run: [Communicator] - C:\Program Files (x86)\Microsoft Lync\communicator.exe [12105344 2012-09-28] (Microsoft Corporation)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Aeria Ignite] - C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe [1925656 2013-06-06] (Aeria Games & Entertainment)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642304 2013-04-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] - C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4962320 2014-01-22] (AVG Technologies CZ, s.r.o.)
HKU\Dawn\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1668664 2009-07-15] (Hewlett-Packard)
HKU\Dawn\...\Run: [AlcoholAutomount] - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [33120 2010-08-20] (Alcohol Soft Development Team)
HKU\Dawn\...\Run: [Akamai NetSession Interface] - C:\Users\Dawn\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-04] (Akamai Technologies, Inc.)
HKU\Dawn\...\Run: [Steam] - C:\Program Files (x86)\Steam\bin\Steam.exe [1821888 2014-02-25] (Valve Corporation)
HKU\Dawn\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [4288048 2013-04-06] ()
HKU\Dawn\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [20924576 2014-02-10] (Skype Technologies S.A.)
HKU\Dawn\...\Run: [HydraVisionDesktopManager] - C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe [380928 2009-05-15] (AMD)
HKU\Dawn\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6563608 2014-01-06] (SUPERAntiSpyware)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1668664 2009-07-15] (Hewlett-Packard)

==================== Services (Whitelisted) =================

S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [144152 2013-10-10] (SUPERAntiSpyware.com)
S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2013-04-29] (Advanced Micro Devices, Inc.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3788816 2014-01-22] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-23] (AVG Technologies CZ, s.r.o.)
S2 DcomLaunch; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S2 HPBtnSrv; C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe [192512 2008-09-30] ()
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-04-30] (Alcatel-Lucent)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [4377072 2011-01-11] (INCA Internet Co., Ltd.)
S2 PicasaUpdater; C:\Users\Dawn\AppData\LocalLow\Picasa\IE\PicasaUpdater.exe [18432 2011-09-02] ()

==================== Drivers (Whitelisted) ====================

S2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [150808 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [243480 2013-11-25] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [196376 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [212280 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123704 2013-09-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31544 2013-09-09] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [251192 2013-08-01] (AVG Technologies CZ, s.r.o.)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
S2 NPF; C:\Windows\system32\drivers\npf.sys [35344 2012-10-31] (CACE Technologies, Inc.)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 sj; C:\AeriaGames\EdenEternal\sjcs64.sys [30840 2010-11-19] ()
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [526392 2011-10-01] (Duplex Secure Ltd.)
S3 usj; C:\AeriaGames\EdenEternal\avital\ussjcs64.sys [89560 2013-07-23] ()
S3 dump_wmimmc; \??\C:\Program Files (x86)\CABAL Online (US)\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S3 X6va005; \??\C:\Users\Dawn\AppData\Local\Temp\00579B8.tmp [X]
S3 X6va010; \??\C:\Windows\SysWOW64\Drivers\X6va010 [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-03-08 15:17 - 2014-03-08 15:18 - 00000000 ____D () C:\FRST
2014-03-06 22:57 - 2014-03-07 10:25 - 00000000 ____D () C:\Users\Dawn\Doctor Web
2014-03-06 22:53 - 2014-03-06 22:56 - 144163096 _____ () C:\Users\Dawn\Downloads\cureit.exe
2014-03-06 22:51 - 2014-03-06 22:51 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\AVG2014
2014-03-06 22:49 - 2014-03-06 22:49 - 00000927 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-06 22:49 - 2014-03-06 22:49 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\TuneUp Software
2014-03-06 22:46 - 2014-03-06 22:50 - 00000000 ____D () C:\ProgramData\AVG2014
2014-03-06 22:43 - 2014-03-06 22:51 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Avg2014
2014-03-06 20:17 - 2014-03-06 20:17 - 00001810 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-03-06 20:17 - 2014-03-06 20:17 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-03-06 13:13 - 2014-03-06 13:13 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\SUPERAntiSpyware.com
2014-03-06 13:12 - 2014-03-06 13:12 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-03-06 12:32 - 2014-03-06 12:32 - 00000000 ____D () C:\Windows\ERUNT
2014-03-06 12:19 - 2014-03-06 12:20 - 01244192 _____ () C:\Users\Dawn\Downloads\AdwCleaner.exe
2014-03-06 12:15 - 2014-03-07 10:31 - 00167684 _____ () C:\Windows\PFRO.log
2014-03-06 12:10 - 2014-03-06 12:12 - 00000000 ____D () C:\AdwCleaner
2014-03-06 12:02 - 2014-03-06 12:02 - 01021432 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\NDP451-KB2859818-Web.exe
2014-03-06 11:58 - 2014-03-06 12:07 - 00774632 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-03-06 11:55 - 2014-03-06 11:55 - 01005568 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\dotNetFx45_Full_setup.exe
2014-03-06 11:22 - 2014-03-06 11:22 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-06 11:16 - 2014-03-06 11:16 - 18126032 _____ (Adobe Systems Inc.) C:\Users\Dawn\Downloads\AdobeAIRInstaller.exe
2014-03-06 02:31 - 2014-03-06 02:31 - 00032365 _____ () C:\Users\Dawn\Desktop\Result.txt
2014-03-06 02:30 - 2014-03-06 02:30 - 00982016 _____ (Farbar) C:\Users\Dawn\Desktop\MiniToolBox.exe
2014-03-05 19:16 - 2014-03-07 10:23 - 00002016 _____ () C:\Windows\setupact.log
2014-03-05 19:16 - 2014-03-05 19:16 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-05 19:02 - 2014-03-05 19:02 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-03-05 18:40 - 2014-03-05 18:40 - 00000000 ____D () C:\ProgramData\Sophos
2014-03-05 18:39 - 2014-03-05 18:39 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-03-05 18:37 - 2014-03-05 18:38 - 85045736 _____ (Sophos Limited) C:\Users\Dawn\Desktop\Sophos Virus Removal Tool.exe
2014-03-05 17:41 - 2014-03-05 23:00 - 00004262 _____ () C:\Users\Dawn\Desktop\Rkill.txt
2014-03-05 17:40 - 2014-03-05 17:40 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Dawn\Desktop\iexplore.com.exe
2014-03-05 17:37 - 2014-03-05 17:37 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Dawn\Desktop\123.com.exe
2014-03-05 16:26 - 2014-03-06 15:27 - 00000086 _____ () C:\Windows\System32\btee.maf
2014-03-05 16:10 - 2014-03-05 16:10 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-03-05 16:10 - 2014-03-05 16:10 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-05 16:10 - 2014-03-05 16:10 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Skype
2014-03-05 16:04 - 2014-03-05 16:04 - 00000064 _____ () C:\Windows\System32\pgflshy.umv
2014-03-05 16:04 - 2014-03-05 16:04 - 00000000 _____ () C:\Windows\System32\kdlzeks.thm
2014-03-05 15:48 - 2014-03-05 15:48 - 00268613 ____S () C:\Windows\System32\aokchg.chw
2014-03-02 11:35 - 2014-03-05 16:01 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Battle.net
2014-03-02 11:35 - 2014-03-05 13:06 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-03-02 11:35 - 2014-03-02 15:09 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Battle.net
2014-03-02 11:35 - 2014-03-02 11:35 - 00001112 _____ () C:\Users\Public\Desktop\Battle.net.lnk
2014-03-02 00:43 - 2014-03-02 00:43 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Blizzard Entertainment
2014-02-18 10:58 - 2014-02-18 10:58 - 00375476 _____ () C:\Users\Dawn\Desktop\Chicken and Dumplings Recipe   Paula Deen   Food Network.htm
2014-02-18 10:58 - 2014-02-18 10:58 - 00000000 ____D () C:\Users\Dawn\Desktop\Chicken and Dumplings Recipe   Paula Deen   Food Network_files
2014-02-14 20:10 - 2014-02-14 20:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2014-03-08 15:18 - 2014-03-08 15:17 - 00000000 ____D () C:\FRST
2014-03-07 10:31 - 2014-03-06 12:15 - 00167684 _____ () C:\Windows\PFRO.log
2014-03-07 10:27 - 2011-09-30 09:43 - 00000000 ____D () C:\Users\Dawn\AppData\Local\PMB Files
2014-03-07 10:26 - 2011-02-11 21:25 - 00000000 ____D () C:\Program Files (x86)\CABAL Online (US)
2014-03-07 10:26 - 2010-10-30 17:26 - 00000000 ____D () C:\ProgramData\MFAData
2014-03-07 10:25 - 2014-03-06 22:57 - 00000000 ____D () C:\Users\Dawn\Doctor Web
2014-03-07 10:23 - 2014-03-05 19:16 - 00002016 _____ () C:\Windows\setupact.log
2014-03-07 10:23 - 2013-04-19 05:38 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-07 10:23 - 2013-03-18 13:58 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-07 00:19 - 2011-07-18 22:31 - 01621729 _____ () C:\Windows\WindowsUpdate.log
2014-03-06 22:57 - 2010-07-03 19:14 - 00000000 ____D () C:\users\Dawn
2014-03-06 22:56 - 2014-03-06 22:53 - 144163096 _____ () C:\Users\Dawn\Downloads\cureit.exe
2014-03-06 22:52 - 2010-10-30 17:38 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-03-06 22:51 - 2014-03-06 22:51 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\AVG2014
2014-03-06 22:51 - 2014-03-06 22:43 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Avg2014
2014-03-06 22:51 - 2010-10-31 17:24 - 00000000 ___HD () C:\$AVG
2014-03-06 22:50 - 2014-03-06 22:46 - 00000000 ____D () C:\ProgramData\AVG2014
2014-03-06 22:49 - 2014-03-06 22:49 - 00000927 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-06 22:49 - 2014-03-06 22:49 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\TuneUp Software
2014-03-06 22:33 - 2013-10-15 21:37 - 00007600 _____ () C:\Users\Dawn\AppData\Local\Resmon.ResmonCfg
2014-03-06 20:17 - 2014-03-06 20:17 - 00001810 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-03-06 20:17 - 2014-03-06 20:17 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-03-06 20:16 - 2013-04-19 05:38 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-06 20:16 - 2011-02-23 10:13 - 00003182 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForDawn
2014-03-06 20:16 - 2011-02-23 10:13 - 00000330 _____ () C:\Windows\Tasks\HPCeeScheduleForDawn.job
2014-03-06 15:27 - 2014-03-05 16:26 - 00000086 _____ () C:\Windows\System32\btee.maf
2014-03-06 15:12 - 2012-07-25 10:41 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\HpUpdate
2014-03-06 15:12 - 2012-07-25 10:41 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\HP Support Assistant
2014-03-06 13:13 - 2014-03-06 13:13 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\SUPERAntiSpyware.com
2014-03-06 13:12 - 2014-03-06 13:12 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-03-06 12:32 - 2014-03-06 12:32 - 00000000 ____D () C:\Windows\ERUNT
2014-03-06 12:32 - 2013-02-24 21:50 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Skype
2014-03-06 12:26 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-06 12:26 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-06 12:20 - 2014-03-06 12:19 - 01244192 _____ () C:\Users\Dawn\Downloads\AdwCleaner.exe
2014-03-06 12:17 - 2008-09-19 02:55 - 00014466 _____ () C:\Windows\SysWOW64\NapaSet.txt
2014-03-06 12:15 - 2009-09-04 07:45 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-06 12:15 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-06 12:12 - 2014-03-06 12:10 - 00000000 ____D () C:\AdwCleaner
2014-03-06 12:07 - 2014-03-06 11:58 - 00774632 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-03-06 12:07 - 2009-07-13 21:13 - 00774632 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-03-06 12:02 - 2014-03-06 12:02 - 01021432 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\NDP451-KB2859818-Web.exe
2014-03-06 11:55 - 2014-03-06 11:55 - 01005568 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\dotNetFx45_Full_setup.exe
2014-03-06 11:22 - 2014-03-06 11:22 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-06 11:17 - 2013-04-19 05:38 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Google
2014-03-06 11:16 - 2014-03-06 11:16 - 18126032 _____ (Adobe Systems Inc.) C:\Users\Dawn\Downloads\AdobeAIRInstaller.exe
2014-03-06 11:09 - 2010-11-28 17:35 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Unity
2014-03-06 11:06 - 2010-07-04 20:22 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Mozilla
2014-03-06 02:31 - 2014-03-06 02:31 - 00032365 _____ () C:\Users\Dawn\Desktop\Result.txt
2014-03-06 02:30 - 2014-03-06 02:30 - 00982016 _____ (Farbar) C:\Users\Dawn\Desktop\MiniToolBox.exe
2014-03-05 23:14 - 2012-06-26 07:52 - 00000024 _____ () C:\Users\Dawn\random.dat
2014-03-05 23:00 - 2014-03-05 17:41 - 00004262 _____ () C:\Users\Dawn\Desktop\Rkill.txt
2014-03-05 21:02 - 2011-12-07 22:48 - 00000032 _____ () C:\Users\Dawn\jagex_cl_runescape_LIVE.dat
2014-03-05 20:36 - 2011-09-30 09:43 - 00000000 ____D () C:\ProgramData\PMB Files
2014-03-05 19:16 - 2014-03-05 19:16 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-05 19:02 - 2014-03-05 19:02 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-03-05 18:40 - 2014-03-05 18:40 - 00000000 ____D () C:\ProgramData\Sophos
2014-03-05 18:39 - 2014-03-05 18:39 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-03-05 18:38 - 2014-03-05 18:37 - 85045736 _____ (Sophos Limited) C:\Users\Dawn\Desktop\Sophos Virus Removal Tool.exe
2014-03-05 18:34 - 2013-02-18 15:15 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Ventrilo
2014-03-05 17:40 - 2014-03-05 17:40 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Dawn\Desktop\iexplore.com.exe
2014-03-05 17:37 - 2014-03-05 17:37 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Dawn\Desktop\123.com.exe
2014-03-05 17:21 - 2009-07-13 21:08 - 00032572 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-05 16:10 - 2014-03-05 16:10 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-03-05 16:10 - 2014-03-05 16:10 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-05 16:10 - 2014-03-05 16:10 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Skype
2014-03-05 16:10 - 2013-02-24 21:49 - 00000000 ____D () C:\ProgramData\Skype
2014-03-05 16:04 - 2014-03-05 16:04 - 00000064 _____ () C:\Windows\System32\pgflshy.umv
2014-03-05 16:04 - 2014-03-05 16:04 - 00000000 _____ () C:\Windows\System32\kdlzeks.thm
2014-03-05 16:04 - 2012-04-25 09:47 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-03-05 16:01 - 2014-03-02 11:35 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Battle.net
2014-03-05 15:48 - 2014-03-05 15:48 - 00268613 ____S () C:\Windows\System32\aokchg.chw
2014-03-05 15:48 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\sysprep
2014-03-05 13:09 - 2012-12-09 23:50 - 00000000 ____D () C:\Program Files (x86)\Diablo III
2014-03-05 13:06 - 2014-03-02 11:35 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-03-03 22:59 - 2013-04-19 05:39 - 00002145 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-03-02 15:09 - 2014-03-02 11:35 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Battle.net
2014-03-02 11:35 - 2014-03-02 11:35 - 00001112 _____ () C:\Users\Public\Desktop\Battle.net.lnk
2014-03-02 00:43 - 2014-03-02 00:43 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Blizzard Entertainment
2014-02-28 11:03 - 2010-07-04 11:09 - 00000552 _____ () C:\Windows\Tasks\PCDRScheduledMaintenance.job
2014-02-22 21:40 - 2011-03-07 21:25 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\.minecraft
2014-02-20 20:48 - 2013-03-18 13:58 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-20 20:48 - 2013-03-18 13:58 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-20 20:48 - 2012-01-04 18:16 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-18 10:58 - 2014-02-18 10:58 - 00375476 _____ () C:\Users\Dawn\Desktop\Chicken and Dumplings Recipe   Paula Deen   Food Network.htm
2014-02-18 10:58 - 2014-02-18 10:58 - 00000000 ____D () C:\Users\Dawn\Desktop\Chicken and Dumplings Recipe   Paula Deen   Food Network_files
2014-02-14 20:10 - 2014-02-14 20:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-14 19:51 - 2013-04-19 05:38 - 00003890 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-14 19:51 - 2013-04-19 05:38 - 00003638 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2235160460-1089083335-3025275507-1001\$43dfd81bc353fa936bacefc0d8bd8585

Files to move or delete:
====================
C:\Users\Dawn\AppData\Roaming\RSBuddy Login.ini
C:\ProgramData\hash.dat
C:\Users\Dawn\cache.dat
C:\Users\Dawn\jagex_cl_oldschool_LIVE.dat
C:\Users\Dawn\jagex_cl_runescape_LIVE.dat
C:\Users\Dawn\jagex_cl_runescape_LIVE1.dat
C:\Users\Dawn\jagex_cl_runescape_LIVE2.dat
C:\Users\Dawn\jagex_cl_runescape_LIVE_BETA.dat
C:\Users\Dawn\jagex_runescape_preferences.dat
C:\Users\Dawn\jagex_runescape_preferences2.dat
C:\Users\Dawn\jagex__preferences3.dat
C:\Users\Dawn\random.dat

Some content of TEMP:
====================
C:\Users\Dawn\AppData\Local\Temp\13-9-legacy_vista_win7_64_dd_ccc_whql.exe
C:\Users\Dawn\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Dawn\AppData\Local\Temp\Quarantine.exe
C:\Users\Dawn\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Dawn\AppData\Local\Temp\uyl8oobe.dll

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-03-05 18:39:32
Restore point made on: 2014-03-06 11:06:36
Restore point made on: 2014-03-06 11:21:56
Restore point made on: 2014-03-06 15:12:03
Restore point made on: 2014-03-06 22:45:54
Restore point made on: 2014-03-06 22:46:57

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 8183.89 MB
Available physical RAM: 7210.79 MB
Total Pagefile: 8182.04 MB
Available Pagefile: 7206.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:919.07 GB) (Free:672.13 GB) NTFS
Drive e: (FACTORY_IMAGE) (Fixed) (Total:12.34 GB) (Free:2.24 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:7.33 GB) (Free:2.95 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 932 GB) (Disk ID: C00D6066)

Partition: GPT Partition Type.

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)

Partition: GPT Partition Type.

LastRegBack: 2014-02-28 00:32

==================== End Of Log ============================
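The listing above is what the responder triages by eye: files created in the last few days directly under C:\Windows\System32, with no company or version string, and with extensions no Windows component uses (the .chw, .maf, .umv and .thm entries). As an added example, not part of the thread and not FRST's own code, here is a small Python script that parses lines in FRST's "One Month Created Files and Folders" format and applies that same heuristic to a constructed sample modelled on the log. The set of expected extensions, the 30-day window and the sample lines are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample in the shape of FRST's "One Month Created Files and Folders"
# section: "created - modified - size attrs (company) path". The lines are typed
# by hand for the example, modelled on the log in this thread.
SAMPLE_LOG = r"""
2014-03-08 15:17 - 2014-03-08 15:18 - 00000000 ____D () C:\FRST
2014-03-06 12:32 - 2014-03-06 12:32 - 00000000 ____D () C:\Windows\ERUNT
2014-03-06 12:02 - 2014-03-06 12:02 - 01021432 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\NDP451-KB2859818-Web.exe
2014-03-05 16:26 - 2014-03-06 15:27 - 00000086 _____ () C:\Windows\System32\btee.maf
2014-03-05 16:04 - 2014-03-05 16:04 - 00000064 _____ () C:\Windows\System32\pgflshy.umv
2014-03-05 16:04 - 2014-03-05 16:04 - 00000000 _____ () C:\Windows\System32\kdlzeks.thm
2014-03-05 15:48 - 2014-03-05 15:48 - 00268613 ____S () C:\Windows\System32\aokchg.chw
2014-02-20 20:48 - 2013-03-18 13:58 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
"""

# When the scan ran (taken from the "Ran by SYSTEM ... on 08-03-2014 15:18:12" header).
SCAN_TIME = datetime(2014, 3, 8, 15, 18)

# One FRST file line: two timestamps, an 8-digit size, a 5-character attribute field
# (D = directory, H = hidden, S = system, R = read-only), a company in parentheses, the path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

# Assumptions for the example: the system directories to watch and the extensions a
# file placed there is expected to carry. Anything else with no company string is a candidate.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXPECTED_EXT = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".drv", ".mui", ".msc"}


def parse_frst_lines(text):
    """Parse FRST file/folder lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"]),
            "is_dir": "D" in m["attrs"],
            "company": m["company"],
            "path": m["path"],
        })
    return entries


def flag_suspicious_system_files(entries, scan_time=SCAN_TIME, window_days=30):
    """Return paths of files under System32/SysWOW64 created inside the window that
    carry no company string and use an extension outside EXPECTED_EXT."""
    hits = []
    for e in entries:
        lower = e["path"].lower()
        if e["is_dir"] or not lower.startswith(SYSTEM_DIRS):
            continue
        name = lower.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        recent = (scan_time - e["created"]).days <= window_days
        if recent and not e["company"] and ext not in EXPECTED_EXT:
            hits.append(e["path"])
    return hits


if __name__ == "__main__":
    for path in flag_suspicious_system_files(parse_frst_lines(SAMPLE_LOG)):
        print("review:", path)
```

The output is a list of candidates for a human to review, not a verdict: legitimate files with no version resource do exist in System32, so each hit still needs confirmation, for example by the hash comparison FRST performs in its "MD5 is legit" checks.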



#7 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:18 PM

Posted 08 March 2014 - 03:43 PM

Hi there,

Ok, the file seems fine, but it seems that the service has been damaged.
Let's have a closer look:


Please download the attached file fixlist.txt (555 bytes) and save it on the same flash drive as FRST.
  • Plug in the flash drive to the infected computer, enter the System Recovery Options and open FRST.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) is saved on the flash drive.
    Please copy and paste its contents in your next reply.


#8 Isador

Isador
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 08 March 2014 - 03:54 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-03-2014 01
Ran by SYSTEM at 2014-03-08 15:52:13 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Unlock: C:\Windows\System32\rpcss.dll
C:\$Recycle.Bin\S-1-5-21-2235160460-1089083335-3025275507-1001\$43dfd81bc353fa936bacefc0d8bd8585
2014-03-05 15:48 - 2014-03-05 15:48 - 00268613 ____S () C:\Windows\System32\aokchg.chw
2014-03-06 15:27 - 2014-03-05 16:26 - 00000086 _____ () C:\Windows\System32\btee.maf
2014-03-05 16:04 - 2014-03-05 16:04 - 00000064 _____ () C:\Windows\System32\pgflshy.umv
2014-03-05 16:04 - 2014-03-05 16:04 - 00000000 _____ () C:\Windows\System32\kdlzeks.thm
REG: reg query "HKLM\System\CurrentControlSet\Services\DcomLaunch"
*****************

"C:\Windows\System32\rpcss.dll" => File/Directory unlocked successfully.
C:\$Recycle.Bin\S-1-5-18\$43dfd81bc353fa936bacefc0d8bd8585 => Deleted successfully.
C:\Windows\System32\aokchg.chw => Moved successfully.
C:\Windows\System32\btee.maf => Moved successfully.
C:\Windows\System32\pgflshy.umv => Moved successfully.
C:\Windows\System32\kdlzeks.thm => Moved successfully.

========= reg query "HKLM\System\CurrentControlSet\Services\DcomLaunch" =========

ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========

==== End of Fixlog ====



#9 aharonov
  • Malware Response Team

Posted 08 March 2014 - 04:04 PM

Oops, I made a mistake.
Again:


Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


#10 Isador
  • Topic Starter
  • Members

Posted 08 March 2014 - 04:08 PM

How do I start it with admin privileges?



#11 Isador
  • Topic Starter
  • Members

Posted 08 March 2014 - 04:15 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-03-2014 01
Ran by SYSTEM at 2014-03-08 16:12:33 Run:2
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
REG: reg query "HKLM\System\ControlSet001\Services\DcomLaunch" /s
*****************

========= reg query "HKLM\System\ControlSet001\Services\DcomLaunch" /s =========

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch
    DisplayName    REG_SZ    @oleres.dll,-5012
    Group    REG_SZ    COM Infrastructure
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k DcomLaunch
    Description    REG_SZ    @oleres.dll,-5013
    ObjectName    REG_SZ    LocalSystem
    ErrorControl    REG_DWORD    0x1
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    FailureActions    REG_BINARY    00000000000000000000000001000000000000000200000060EA0000
    RequiredPrivileges    REG_MULTI_SZ    SeAssignPrimaryTokenPrivilege\0SeAuditPrivilege\0SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeDebugPrivilege\0SeImpersonatePrivilege\0SeIncreaseQuotaPrivilege\0SeTcbPrivilege\0SeBackupPrivilege\0SeRestorePrivilege
    ServiceSidType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch\Security
    Security    REG_BINARY    01001480900000009C000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200600004000000000014008500020001010000000000050B00000000001400FF000E0001010000000000051200000000001800FD000E0001020000000000052000000020020000000018008500000001020000000000052000000021020000010100000000000512000000010100000000000512000000

 

========= End of Reg: =========



#12 aharonov
  • Malware Response Team

Posted 08 March 2014 - 04:25 PM

I've posted the wrong instructions. But good to see that you figured out how to run the fix anyway.
Now we're trying to repair the service. Please do the following fix and reboot your computer afterwards. Is there still this black screen, or does it work now?


Please download the attached fixlist.txt and save it on the same flash drive as FRST.
  • Plug the flash drive into the infected computer, enter the System Recovery Options and open FRST.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) is saved on the flash drive.
    Please copy and paste its contents in your next reply.


#13 Isador
  • Topic Starter
  • Members

Posted 08 March 2014 - 04:33 PM

I rebooted the system and it is still sitting at a black screen.



Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-03-2014 01
Ran by SYSTEM at 2014-03-08 16:29:17 Run:3
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
REG: reg add "HKLM\System\ControlSet001\Services\DcomLaunch\Parameters" /f
REG: reg add "HKLM\System\ControlSet001\Services\DcomLaunch\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d ^%SystemRoot^%\system32\rpcss.dll /f
*****************


========= reg add "HKLM\System\ControlSet001\Services\DcomLaunch\Parameters" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add "HKLM\System\ControlSet001\Services\DcomLaunch\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d ^%SystemRoot^%\system32\rpcss.dll /f =========

The operation completed successfully.



========= End of Reg: =========


==== End of Fixlog ====
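The reg query dump in #11 and the two reg add lines in #13 together describe the repair: DcomLaunch is a svchost-hosted service whose Parameters\ServiceDll must point at rpcss.dll, and the cleanup had left that key missing. As an added example (not code from the thread, from FRST, or from either poster), this Python script parses `reg query ... /s` output in the layout shown above, flags svchost-hosted services whose ServiceDll is missing, wrong, or outside System32, and emits the same two reg add commands; the sample dump and the GoodSvc/OddSvc entries are constructed.

```python
"""Audit svchost-hosted services in `reg query ... /s` output for a missing,
wrong or suspicious Parameters\\ServiceDll value, and emit the repair
commands the thread's fixlist used. Added example, not part of FRST."""
import re

# Constructed sample output. The DcomLaunch block mirrors the thread's dump
# after the cleanup tool removed its Parameters key; GoodSvc and OddSvc are
# constructed services, not taken from the thread.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch
    DisplayName    REG_SZ    @oleres.dll,-5012
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k DcomLaunch
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch\Security
    Security    REG_BINARY    01001480

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GoodSvc
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GoodSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\goodsvc.dll

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OddSvc
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OddSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Users\SomeUser\AppData\Local\Temp\x.dll
"""

# Service -> hosting DLL pairs the thread establishes (DcomLaunch is hosted
# by rpcss.dll). Extend with further known pairs on a real system.
EXPECTED_DLL = {"dcomlaunch": "rpcss.dll"}

SYSTEM32 = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = key path
            current = line.strip()
            keys[current] = {}
            continue
        # value lines are "name<spaces>type<spaces>data"; data may be empty
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        data = parts[2] if len(parts) > 2 else ""
        keys[current][parts[0]] = (parts[1], data)
    return keys


def audit_services(keys):
    """Classify each svchost-hosted service as 'ok', 'missing-parameters',
    'missing-servicedll', 'wrong-dll' or 'outside-system32'."""
    report = {}
    for path, values in keys.items():
        m = re.fullmatch(r"(?i)HKEY_LOCAL_MACHINE\\System\\[^\\]+\\Services\\([^\\]+)", path)
        if not m:
            continue                          # subkey such as \Security
        image = values.get("ImagePath", ("", ""))[1].lower()
        if "svchost.exe" not in image:
            continue                          # not a DLL-hosted service
        svc = m.group(1)
        params = keys.get(path + "\\Parameters")
        if params is None:
            report[svc] = "missing-parameters"
            continue
        if "ServiceDll" not in params:
            report[svc] = "missing-servicedll"
            continue
        dll = params["ServiceDll"][1].lower()
        expected = EXPECTED_DLL.get(svc.lower())
        if expected and not dll.endswith("\\" + expected):
            report[svc] = "wrong-dll"
        elif not dll.startswith(SYSTEM32):
            report[svc] = "outside-system32"
        else:
            report[svc] = "ok"
    return report


def repair_commands(service, dll, control_set="ControlSet001"):
    """Recreate Parameters\\ServiceDll exactly as the thread's fixlist did.
    The carets escape the percent signs so the literal %SystemRoot% is
    stored as REG_EXPAND_SZ rather than the already-expanded path."""
    key = f"HKLM\\System\\{control_set}\\Services\\{service}\\Parameters"
    return [
        f'reg add "{key}" /f',
        f'reg add "{key}" /v ServiceDll /t REG_EXPAND_SZ /d ^%SystemRoot^%\\system32\\{dll} /f',
    ]


if __name__ == "__main__":
    for svc, status in audit_services(parse_reg_query(SAMPLE_REG_QUERY)).items():
        print(f"{svc:12} {status}")
        if status.startswith("missing") and svc.lower() in EXPECTED_DLL:
            print("\n".join("    " + c for c in repair_commands(svc, EXPECTED_DLL[svc.lower()])))
```

On a live system the same input comes from `reg query "HKLM\System\CurrentControlSet\Services" /s`; from the Recovery Environment use the offline control set (ControlSet001 in this thread) as the posts do.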

#14 aharonov
  • Malware Response Team

Posted 08 March 2014 - 04:48 PM

OK, then please go back into the Recovery Environment, run a scan with FRST and post the log.

#15 Isador
  • Topic Starter
  • Members

Posted 08 March 2014 - 04:58 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-03-2014 01
Ran by SYSTEM on MININT-P09V3H0 on 08-03-2014 16:53:08
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-07-08] ()
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2184520 2009-07-26] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-03-17] (CANON INC.)
HKLM-x32\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] - c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [UpdatePRCShortCut] - C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [IJNetworkScanUtility] - C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [136544 2009-05-19] (CANON INC.)
HKLM-x32\...\Run: [Communicator] - C:\Program Files (x86)\Microsoft Lync\communicator.exe [12105344 2012-09-28] (Microsoft Corporation)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Aeria Ignite] - C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe [1925656 2013-06-06] (Aeria Games & Entertainment)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642304 2013-04-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] - C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4962320 2014-01-22] (AVG Technologies CZ, s.r.o.)
HKU\Dawn\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1668664 2009-07-15] (Hewlett-Packard)
HKU\Dawn\...\Run: [AlcoholAutomount] - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [33120 2010-08-20] (Alcohol Soft Development Team)
HKU\Dawn\...\Run: [Akamai NetSession Interface] - C:\Users\Dawn\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-04] (Akamai Technologies, Inc.)
HKU\Dawn\...\Run: [Steam] - C:\Program Files (x86)\Steam\bin\Steam.exe [1821888 2014-02-25] (Valve Corporation)
HKU\Dawn\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [4288048 2013-04-06] ()
HKU\Dawn\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [20924576 2014-02-10] (Skype Technologies S.A.)
HKU\Dawn\...\Run: [HydraVisionDesktopManager] - C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe [380928 2009-05-15] (AMD)
HKU\Dawn\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6563608 2014-01-06] (SUPERAntiSpyware)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1668664 2009-07-15] (Hewlett-Packard)

==================== Services (Whitelisted) =================

S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [144152 2013-10-10] (SUPERAntiSpyware.com)
S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2013-04-29] (Advanced Micro Devices, Inc.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3788816 2014-01-22] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-23] (AVG Technologies CZ, s.r.o.)
S2 HPBtnSrv; C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe [192512 2008-09-30] ()
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-04-30] (Alcatel-Lucent)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [4377072 2011-01-11] (INCA Internet Co., Ltd.)
S2 PicasaUpdater; C:\Users\Dawn\AppData\LocalLow\Picasa\IE\PicasaUpdater.exe [18432 2011-09-02] ()

==================== Drivers (Whitelisted) ====================

S2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [150808 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [243480 2013-11-25] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [196376 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [212280 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123704 2013-09-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31544 2013-09-09] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [251192 2013-08-01] (AVG Technologies CZ, s.r.o.)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
S2 NPF; C:\Windows\system32\drivers\npf.sys [35344 2012-10-31] (CACE Technologies, Inc.)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 sj; C:\AeriaGames\EdenEternal\sjcs64.sys [30840 2010-11-19] ()
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [526392 2011-10-01] (Duplex Secure Ltd.)
S3 usj; C:\AeriaGames\EdenEternal\avital\ussjcs64.sys [89560 2013-07-23] ()
S3 dump_wmimmc; \??\C:\Program Files (x86)\CABAL Online (US)\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S3 X6va005; \??\C:\Users\Dawn\AppData\Local\Temp\00579B8.tmp [X]
S3 X6va010; \??\C:\Windows\SysWOW64\Drivers\X6va010 [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-08 15:17 - 2014-03-08 16:53 - 00000000 ____D () C:\FRST
2014-03-06 22:57 - 2014-03-07 10:25 - 00000000 ____D () C:\Users\Dawn\Doctor Web
2014-03-06 22:53 - 2014-03-06 22:56 - 144163096 _____ () C:\Users\Dawn\Downloads\cureit.exe
2014-03-06 22:51 - 2014-03-06 22:51 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\AVG2014
2014-03-06 22:49 - 2014-03-06 22:49 - 00000927 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-06 22:49 - 2014-03-06 22:49 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\TuneUp Software
2014-03-06 22:46 - 2014-03-06 22:50 - 00000000 ____D () C:\ProgramData\AVG2014
2014-03-06 22:43 - 2014-03-06 22:51 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Avg2014
2014-03-06 20:17 - 2014-03-06 20:17 - 00001810 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-03-06 20:17 - 2014-03-06 20:17 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-03-06 13:13 - 2014-03-06 13:13 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\SUPERAntiSpyware.com
2014-03-06 13:12 - 2014-03-06 13:12 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-03-06 12:32 - 2014-03-06 12:32 - 00000000 ____D () C:\Windows\ERUNT
2014-03-06 12:19 - 2014-03-06 12:20 - 01244192 _____ () C:\Users\Dawn\Downloads\AdwCleaner.exe
2014-03-06 12:15 - 2014-03-07 10:31 - 00167684 _____ () C:\Windows\PFRO.log
2014-03-06 12:10 - 2014-03-06 12:12 - 00000000 ____D () C:\AdwCleaner
2014-03-06 12:02 - 2014-03-06 12:02 - 01021432 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\NDP451-KB2859818-Web.exe
2014-03-06 11:58 - 2014-03-06 12:07 - 00774632 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-03-06 11:55 - 2014-03-06 11:55 - 01005568 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\dotNetFx45_Full_setup.exe
2014-03-06 11:22 - 2014-03-06 11:22 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-06 11:16 - 2014-03-06 11:16 - 18126032 _____ (Adobe Systems Inc.) C:\Users\Dawn\Downloads\AdobeAIRInstaller.exe
2014-03-06 02:31 - 2014-03-06 02:31 - 00032365 _____ () C:\Users\Dawn\Desktop\Result.txt
2014-03-06 02:30 - 2014-03-06 02:30 - 00982016 _____ (Farbar) C:\Users\Dawn\Desktop\MiniToolBox.exe
2014-03-05 19:16 - 2014-03-07 10:23 - 00002016 _____ () C:\Windows\setupact.log
2014-03-05 19:16 - 2014-03-05 19:16 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-05 19:02 - 2014-03-05 19:02 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-03-05 18:40 - 2014-03-05 18:40 - 00000000 ____D () C:\ProgramData\Sophos
2014-03-05 18:39 - 2014-03-05 18:39 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-03-05 18:37 - 2014-03-05 18:38 - 85045736 _____ (Sophos Limited) C:\Users\Dawn\Desktop\Sophos Virus Removal Tool.exe
2014-03-05 17:41 - 2014-03-05 23:00 - 00004262 _____ () C:\Users\Dawn\Desktop\Rkill.txt
2014-03-05 17:40 - 2014-03-05 17:40 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Dawn\Desktop\iexplore.com.exe
2014-03-05 17:37 - 2014-03-05 17:37 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Dawn\Desktop\123.com.exe
2014-03-05 16:10 - 2014-03-05 16:10 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-03-05 16:10 - 2014-03-05 16:10 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-05 16:10 - 2014-03-05 16:10 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Skype
2014-03-02 11:35 - 2014-03-05 16:01 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Battle.net
2014-03-02 11:35 - 2014-03-05 13:06 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-03-02 11:35 - 2014-03-02 15:09 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Battle.net
2014-03-02 11:35 - 2014-03-02 11:35 - 00001112 _____ () C:\Users\Public\Desktop\Battle.net.lnk
2014-03-02 00:43 - 2014-03-02 00:43 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Blizzard Entertainment
2014-02-18 10:58 - 2014-02-18 10:58 - 00375476 _____ () C:\Users\Dawn\Desktop\Chicken and Dumplings Recipe Paula Deen Food Network.htm
2014-02-18 10:58 - 2014-02-18 10:58 - 00000000 ____D () C:\Users\Dawn\Desktop\Chicken and Dumplings Recipe Paula Deen Food Network_files
2014-02-14 20:10 - 2014-02-14 20:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2014-03-08 16:53 - 2014-03-08 15:17 - 00000000 ____D () C:\FRST
2014-03-07 10:31 - 2014-03-06 12:15 - 00167684 _____ () C:\Windows\PFRO.log
2014-03-07 10:29 - 2011-07-18 22:31 - 01621729 _____ () C:\Windows\WindowsUpdate.log
2014-03-07 10:27 - 2011-09-30 09:43 - 00000000 ____D () C:\Users\Dawn\AppData\Local\PMB Files
2014-03-07 10:26 - 2011-02-11 21:25 - 00000000 ____D () C:\Program Files (x86)\CABAL Online (US)
2014-03-07 10:26 - 2010-10-30 17:26 - 00000000 ____D () C:\ProgramData\MFAData
2014-03-07 10:25 - 2014-03-06 22:57 - 00000000 ____D () C:\Users\Dawn\Doctor Web
2014-03-07 10:23 - 2014-03-05 19:16 - 00002016 _____ () C:\Windows\setupact.log
2014-03-07 10:23 - 2013-04-19 05:38 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-07 10:23 - 2013-03-18 13:58 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-06 22:57 - 2010-07-03 19:14 - 00000000 ____D () C:\users\Dawn
2014-03-06 22:56 - 2014-03-06 22:53 - 144163096 _____ () C:\Users\Dawn\Downloads\cureit.exe
2014-03-06 22:52 - 2010-10-30 17:38 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-03-06 22:51 - 2014-03-06 22:51 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\AVG2014
2014-03-06 22:51 - 2014-03-06 22:43 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Avg2014
2014-03-06 22:51 - 2010-10-31 17:24 - 00000000 ___HD () C:\$AVG
2014-03-06 22:50 - 2014-03-06 22:46 - 00000000 ____D () C:\ProgramData\AVG2014
2014-03-06 22:49 - 2014-03-06 22:49 - 00000927 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-06 22:49 - 2014-03-06 22:49 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\TuneUp Software
2014-03-06 22:33 - 2013-10-15 21:37 - 00007600 _____ () C:\Users\Dawn\AppData\Local\Resmon.ResmonCfg
2014-03-06 20:17 - 2014-03-06 20:17 - 00001810 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-03-06 20:17 - 2014-03-06 20:17 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-03-06 20:16 - 2013-04-19 05:38 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-06 20:16 - 2011-02-23 10:13 - 00003182 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForDawn
2014-03-06 20:16 - 2011-02-23 10:13 - 00000330 _____ () C:\Windows\Tasks\HPCeeScheduleForDawn.job
2014-03-06 15:12 - 2012-07-25 10:41 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\HpUpdate
2014-03-06 15:12 - 2012-07-25 10:41 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\HP Support Assistant
2014-03-06 13:13 - 2014-03-06 13:13 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\SUPERAntiSpyware.com
2014-03-06 13:12 - 2014-03-06 13:12 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-03-06 12:32 - 2014-03-06 12:32 - 00000000 ____D () C:\Windows\ERUNT
2014-03-06 12:32 - 2013-02-24 21:50 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Skype
2014-03-06 12:26 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-06 12:26 - 2009-07-13 20:45 - 00015792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-06 12:20 - 2014-03-06 12:19 - 01244192 _____ () C:\Users\Dawn\Downloads\AdwCleaner.exe
2014-03-06 12:17 - 2008-09-19 02:55 - 00014466 _____ () C:\Windows\SysWOW64\NapaSet.txt
2014-03-06 12:15 - 2009-09-04 07:45 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-06 12:15 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-06 12:12 - 2014-03-06 12:10 - 00000000 ____D () C:\AdwCleaner
2014-03-06 12:07 - 2014-03-06 11:58 - 00774632 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-03-06 12:07 - 2009-07-13 21:13 - 00774632 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-03-06 12:02 - 2014-03-06 12:02 - 01021432 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\NDP451-KB2859818-Web.exe
2014-03-06 11:55 - 2014-03-06 11:55 - 01005568 _____ (Microsoft Corporation) C:\Users\Dawn\Downloads\dotNetFx45_Full_setup.exe
2014-03-06 11:22 - 2014-03-06 11:22 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-06 11:17 - 2013-04-19 05:38 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Google
2014-03-06 11:16 - 2014-03-06 11:16 - 18126032 _____ (Adobe Systems Inc.) C:\Users\Dawn\Downloads\AdobeAIRInstaller.exe
2014-03-06 11:09 - 2010-11-28 17:35 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Unity
2014-03-06 11:06 - 2010-07-04 20:22 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Mozilla
2014-03-06 02:31 - 2014-03-06 02:31 - 00032365 _____ () C:\Users\Dawn\Desktop\Result.txt
2014-03-06 02:30 - 2014-03-06 02:30 - 00982016 _____ (Farbar) C:\Users\Dawn\Desktop\MiniToolBox.exe
2014-03-05 23:14 - 2012-06-26 07:52 - 00000024 _____ () C:\Users\Dawn\random.dat
2014-03-05 23:00 - 2014-03-05 17:41 - 00004262 _____ () C:\Users\Dawn\Desktop\Rkill.txt
2014-03-05 21:02 - 2011-12-07 22:48 - 00000032 _____ () C:\Users\Dawn\jagex_cl_runescape_LIVE.dat
2014-03-05 20:36 - 2011-09-30 09:43 - 00000000 ____D () C:\ProgramData\PMB Files
2014-03-05 19:16 - 2014-03-05 19:16 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-05 19:02 - 2014-03-05 19:02 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-03-05 18:40 - 2014-03-05 18:40 - 00000000 ____D () C:\ProgramData\Sophos
2014-03-05 18:39 - 2014-03-05 18:39 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-03-05 18:38 - 2014-03-05 18:37 - 85045736 _____ (Sophos Limited) C:\Users\Dawn\Desktop\Sophos Virus Removal Tool.exe
2014-03-05 18:34 - 2013-02-18 15:15 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Ventrilo
2014-03-05 17:40 - 2014-03-05 17:40 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Dawn\Desktop\iexplore.com.exe
2014-03-05 17:37 - 2014-03-05 17:37 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Dawn\Desktop\123.com.exe
2014-03-05 17:21 - 2009-07-13 21:08 - 00032572 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-05 16:10 - 2014-03-05 16:10 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-03-05 16:10 - 2014-03-05 16:10 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-05 16:10 - 2014-03-05 16:10 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Skype
2014-03-05 16:10 - 2013-02-24 21:49 - 00000000 ____D () C:\ProgramData\Skype
2014-03-05 16:04 - 2012-04-25 09:47 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-03-05 16:01 - 2014-03-02 11:35 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Battle.net
2014-03-05 15:48 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\sysprep
2014-03-05 13:09 - 2012-12-09 23:50 - 00000000 ____D () C:\Program Files (x86)\Diablo III
2014-03-05 13:06 - 2014-03-02 11:35 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-03-03 22:59 - 2013-04-19 05:39 - 00002145 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-03-02 15:09 - 2014-03-02 11:35 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\Battle.net
2014-03-02 11:35 - 2014-03-02 11:35 - 00001112 _____ () C:\Users\Public\Desktop\Battle.net.lnk
2014-03-02 00:43 - 2014-03-02 00:43 - 00000000 ____D () C:\Users\Dawn\AppData\Local\Blizzard Entertainment
2014-02-28 11:03 - 2010-07-04 11:09 - 00000552 _____ () C:\Windows\Tasks\PCDRScheduledMaintenance.job
2014-02-22 21:40 - 2011-03-07 21:25 - 00000000 ____D () C:\Users\Dawn\AppData\Roaming\.minecraft
2014-02-20 20:48 - 2013-03-18 13:58 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-20 20:48 - 2013-03-18 13:58 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-20 20:48 - 2012-01-04 18:16 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-18 10:58 - 2014-02-18 10:58 - 00375476 _____ () C:\Users\Dawn\Desktop\Chicken and Dumplings Recipe Paula Deen Food Network.htm
2014-02-18 10:58 - 2014-02-18 10:58 - 00000000 ____D () C:\Users\Dawn\Desktop\Chicken and Dumplings Recipe Paula Deen Food Network_files
2014-02-14 20:10 - 2014-02-14 20:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-14 19:51 - 2013-04-19 05:38 - 00003890 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-14 19:51 - 2013-04-19 05:38 - 00003638 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2235160460-1089083335-3025275507-1001\$43dfd81bc353fa936bacefc0d8bd8585

Files to move or delete:
====================
C:\Users\Dawn\AppData\Roaming\RSBuddy Login.ini
C:\ProgramData\hash.dat
C:\Users\Dawn\cache.dat
C:\Users\Dawn\jagex_cl_oldschool_LIVE.dat
C:\Users\Dawn\jagex_cl_runescape_LIVE.dat
C:\Users\Dawn\jagex_cl_runescape_LIVE1.dat
C:\Users\Dawn\jagex_cl_runescape_LIVE2.dat
C:\Users\Dawn\jagex_cl_runescape_LIVE_BETA.dat
C:\Users\Dawn\jagex_runescape_preferences.dat
C:\Users\Dawn\jagex_runescape_preferences2.dat
C:\Users\Dawn\jagex__preferences3.dat
C:\Users\Dawn\random.dat


Some content of TEMP:
====================
C:\Users\Dawn\AppData\Local\Temp\13-9-legacy_vista_win7_64_dd_ccc_whql.exe
C:\Users\Dawn\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Dawn\AppData\Local\Temp\Quarantine.exe
C:\Users\Dawn\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Dawn\AppData\Local\Temp\uyl8oobe.dll


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2014-03-05 18:39:32
Restore point made on: 2014-03-06 11:06:36
Restore point made on: 2014-03-06 11:21:56
Restore point made on: 2014-03-06 15:12:03
Restore point made on: 2014-03-06 22:45:54
Restore point made on: 2014-03-06 22:46:57

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 8183.89 MB
Available physical RAM: 7212.36 MB
Total Pagefile: 8182.04 MB
Available Pagefile: 7202.48 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:919.07 GB) (Free:672.13 GB) NTFS
Drive e: (FACTORY_IMAGE) (Fixed) (Total:12.34 GB) (Free:2.24 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:7.33 GB) (Free:2.95 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 932 GB) (Disk ID: C00D6066)

Partition: GPT Partition Type.

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)

Partition: GPT Partition Type.


LastRegBack: 2014-02-28 00:32

==================== End Of Log ============================



