
Zeroaccess removal rootkit help


  • This topic is locked
1 reply to this topic

#1 Flaming

  • Members
  • 16 posts

Posted 06 June 2016 - 06:39 PM

Hi, 

 

I recently had Sophos installed on my server machine, and after running a scan it displayed 13 errors related to SAV interface error 0xa0040202. After some googling I came across this topic http://www.bleepingcomputer.com/forums/t/500504/please-help-with-zeroaccess-rootkit-removal/ citing similar symptoms. Following the guide I downloaded and ran FRST, which generated the FRST and Addition logs attached. This is not the first time I've run into a virus or trojan, and I am seeking help from the good people here :)

This machine is used for my business and has people remotely connecting to it on a daily basis also.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:01-06-2016

Ran by jake (administrator) on NQESSERVER (07-06-2016 09:36:31)
Running from C:\Users\Admin\Downloads
Loaded Profiles: setup & jake & Steve & craig1 & Hayley & Administrator (Available Profiles: setup & jake & Steve & craig1 & Hayley & Administrator & Guest)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ThinSoft Pte Ltd.) C:\Windows\System32\BeTwinServiceVS.exe
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(ThinSoft Pte Ltd.) C:\Windows\System32\BeTwinMessagesLog.exe
(Acresso) C:\Program Files (x86)\NetGuard\TomcatWrapper.exe
() C:\Windows\System32\Rdpssw32.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\NetGuard\jre\bin\javaw.exe
(StorageCraft Technology Corporation) C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe
(StorageCraft Technology Corporation) C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe
(Acresso) C:\Program Files (x86)\NetGuard2.08\upsMonitor.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\NetGuard2.08\jre\bin\javaw.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.1\ToolbarUpdater.exe
(StorageCraft Technology Corporation) C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
(StorageCraft Technology Corporation) C:\Program Files (x86)\StorageCraft\ShadowProtect\vsnapvss.exe
(Apache Software Foundation) C:\Program Files (x86)\NetGuard2.08\tomcat\bin\tomcat6.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(ThinSoft Pte Ltd.) C:\Program Files (x86)\BeTwin\BeTwinAssistant.exe
(ThinSoft Pte Ltd) C:\Program Files (x86)\BeTwin\BeTwinMessages.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(ThinSoft Pte Ltd.) C:\Program Files (x86)\BeTwin\BeTwinAssistant.exe
(ThinSoft Pte Ltd) C:\Program Files (x86)\BeTwin\BeTwinMessages.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
() C:\Program Files (x86)\NetGuard2.08\console\ViewPowerTray.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(ThinSoft Pte Ltd.) C:\Program Files (x86)\BeTwin\BeTwinAssistant.exe
(ThinSoft Pte Ltd) C:\Program Files (x86)\BeTwin\BeTwinMessages.exe
(Creative Software LLC) C:\limowiz2000\LimoWiz.EXE
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Creative Software LLC) C:\limowiz2000\LimoWiz.EXE
() C:\Premier19\Myobp.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Creative Software LLC) C:\limowiz2000\LimoWiz.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12632168 2011-07-21] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [BeTwinAssistant] => C:\Program Files (x86)\BeTwin\BeTwinAssistant.exe [115528 2011-08-24] (ThinSoft Pte Ltd.)
HKLM-x32\...\Run: [BeTwinMessages] => C:\Program Files (x86)\BeTwin\BeTwinMessages.exe [125848 2011-08-24] (ThinSoft Pte Ltd)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41336 2013-09-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [10752 2012-01-31] ()
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [1941064 2016-05-16] ()
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-08-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [1531872 2015-10-13] (Sophos Limited)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1888747803-2331596299-1794523272-1003\...\Run: [ROC_JAN2013_TB] => "C:\Program Files (x86)\AVG Secure Search\ROC_JAN2013_TB.exe"  /PROMPT /CMPID=JAN2013_TB
HKU\S-1-5-21-1888747803-2331596299-1794523272-1003\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe"  /PROMPT /CMPID=JUNE2013_TB
HKU\S-1-5-21-1888747803-2331596299-1794523272-1004\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1888747803-2331596299-1794523272-1004\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\...\Run: [Corel Photo Downloader] => "C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\...\Run: [Skype] => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\...\MountPoints2: {d73527e9-31c2-11e2-97b0-50e549e2b493} - G:\laucher.exe
HKU\S-1-5-21-1888747803-2331596299-1794523272-1008\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [413696 2008-09-06] (Apple Inc.)
HKU\S-1-5-21-1888747803-2331596299-1794523272-1008\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1888747803-2331596299-1794523272-1008\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll [231936 2016-02-19] (Sophos Limited)
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [289040 2016-02-19] (Sophos Limited)
Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetGuard.lnk [2012-03-20]
ShortcutTarget: NetGuard.lnk -> C:\Program Files (x86)\NetGuard2.08\NetGuard.exe (Acresso)
GroupPolicyUsers\S-1-5-21-1888747803-2331596299-1794523272-1007\User: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog9 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Winsock: Catalog9-x64 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864 2015-07-31] (Sophos Limited)
Tcpip\..\Interfaces\{65E2CD76-7DB8-4C86-A486-F676BBDE1028}: [NameServer] 139.130.4.4,203.50.2.71
Tcpip\..\Interfaces\{74EAAF85-8125-43FA-A68B-ABE36CBD23F7}: [NameServer] 192.168.0.10
Tcpip\..\Interfaces\{D2117A80-4DB6-4232-BDC9-8D4DB9A007DA}: [DhcpNameServer] 192.168.0.10
Tcpip\..\Interfaces\{F71F5E06-DDB8-412E-8057-F1C7E14E57A7}: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{FFB8BE4A-6EC6-4556-AA5A-6FB4686E93FB}: [NameServer] 192.168.0.10
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKU\S-1-5-21-1888747803-2331596299-1794523272-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com.au/
HKU\S-1-5-21-1888747803-2331596299-1794523272-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://ninemsn.com.au/?ocid=iehp
HKU\S-1-5-21-1888747803-2331596299-1794523272-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={C661281B-9B57-4EA7-B164-C609A40DFC8B}&mid=dd476cb9a45647d09ea481ac0f065d60-b7cef3b97b86ed581e2644fdfa16a8aee817759b&lang=en&ds=AVG&coid=avgtbavg&cmpid=0915wt&pr=sa&d=2015-09-11 13:22:04&v=4.1.6.294&pid=wtu&sg=&sap=hp
HKU\S-1-5-21-1888747803-2331596299-1794523272-1004\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://ninemsn.com.au/?ocid=iehp
HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/en-au/?pc=UP97&ocid=UP97DHP
HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://ninemsn.com.au/?ocid=iehp
HKU\S-1-5-21-1888747803-2331596299-1794523272-1007\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://isearch.avg.com/?cid={993B7D26-4CA1-4AA3-A993-C242AE4C96CD}&mid=dd476cb9a45647d09ea481ac0f065d60-b7cef3b97b86ed581e2644fdfa16a8aee817759b&lang=en&ds=gl011&pr=sa&d=2012-08-16 18:00:54&v=18.5.0.909&sap=hp
SearchScopes: HKU\S-1-5-21-1888747803-2331596299-1794523272-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1888747803-2331596299-1794523272-1004 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={C661281B-9B57-4EA7-B164-C609A40DFC8B}&mid=dd476cb9a45647d09ea481ac0f065d60-b7cef3b97b86ed581e2644fdfa16a8aee817759b&lang=en&ds=AVG&coid=avgtbavg&cmpid=0915wt&pr=sa&d=2015-09-11 13:22:04&v=4.1.6.294&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1888747803-2331596299-1794523272-1005 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = 
SearchScopes: HKU\S-1-5-21-1888747803-2331596299-1794523272-1005 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={C661281B-9B57-4EA7-B164-C609A40DFC8B}&mid=dd476cb9a45647d09ea481ac0f065d60-b7cef3b97b86ed581e2644fdfa16a8aee817759b&lang=en&ds=AVG&coid=avgtbavg&cmpid=0915wt&pr=sa&d=2015-09-11 13:22:04&v=4.1.8.599&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1888747803-2331596299-1794523272-1007 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={993B7D26-4CA1-4AA3-A993-C242AE4C96CD}&mid=dd476cb9a45647d09ea481ac0f065d60-b7cef3b97b86ed581e2644fdfa16a8aee817759b&lang=en&ds=gl011&pr=sa&d=2012-08-16 18:00:54&v=15.5.0.2&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1888747803-2331596299-1794523272-1007 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={993B7D26-4CA1-4AA3-A993-C242AE4C96CD}&mid=dd476cb9a45647d09ea481ac0f065d60-b7cef3b97b86ed581e2644fdfa16a8aee817759b&lang=en&ds=gl011&pr=sa&d=2012-08-16 18:00:54&v=15.5.0.2&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1888747803-2331596299-1794523272-1008 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\ssv.dll [2016-04-11] (Oracle Corporation)
BHO-x32: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Web TuneUp\4.3.1.831\AVG Web TuneUp.dll [2016-05-16] (AVG)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-09-03] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-04-11] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-09-03] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-09-03] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1888747803-2331596299-1794523272-1004 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1888747803-2331596299-1794523272-1005 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1888747803-2331596299-1794523272-1007 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1888747803-2331596299-1794523272-1007 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-1888747803-2331596299-1794523272-1008 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {F4E59691-8BC1-446B-9F89-B4C8621D2079} hxxps://secure.thinsoftinc.com/WinConnectServerRegistration/controls/RegisterBeTwin2000.ocx
 
FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1gocvwkt.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-13] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-13] ()
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.1\\npsitesafety.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-04-11] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-04-11] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2013-09-03] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-09-03] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1gocvwkt.default\searchplugins\avg-secure-search.xml [2016-05-16]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2015-08-17]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\wtu-secure-search.xml [2016-05-16]
FF Extension: AVG Web TuneUp - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1gocvwkt.default\Extensions\avg@toolbar.xpi [2016-05-16]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013-10-04] [not signed]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.reddit.com/
CHR StartupUrls: Default -> "hxxp://www.reddit.com/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.885\_platform_specific\win_x86\widevinecdmadapter.dll (Google Inc.)
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Hide Fedora) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\acjgabfifnnmmlckmnijdbijgbfpedde [2016-03-22]
CHR Extension: (Google Docs) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-11]
CHR Extension: (Google Drive) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-12]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2016-01-04]
CHR Extension: (YouTube) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-30]
CHR Extension: (Webmail Ad Blocker) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbhfdchmklhpcngcgjmpdbjakdggkkjp [2016-05-17]
CHR Extension: (Ratings Preview for YouTube™) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgbhdenfmgbagncdmgbholejjpmmiank [2016-01-04]
CHR Extension: (Google Search) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-12]
CHR Extension: (Search by Image (by Google)) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dajedkncpodkggklbegccjpmnglmnflm [2016-01-04]
CHR Extension: (Tampermonkey) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-05-31]
CHR Extension: (Little Alchemy light) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlinaifoeodggjcfoonifcjppkklkdkd [2016-01-04]
CHR Extension: (Office Editing for Docs, Sheets & Slides) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbkeegbaiigmenfmjfclcdgdpimamgkj [2016-04-26]
CHR Extension: (Supernova) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gegpgpjbmbggplclldecdbpcmopmlbll [2013-06-28]
CHR Extension: (Google Docs Offline) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (AdBlock) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-02]
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2016-05-31]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-03-19]
CHR Extension: (Google Dictionary (by Google)) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgijmajocgfcbeboacabfgobmjgjcoja [2016-04-20]
CHR Extension: (Ghostery) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-03-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Gmail) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-07]
CHR HKU\S-1-5-21-1888747803-2331596299-1794523272-1005\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fkkcgfbgohboipdhliafmacjnhjbhmim] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 BeTwinMessagesLog; C:\Windows\System32\BeTwinMessagesLog.exe [70480 2011-08-24] (ThinSoft Pte Ltd.)
R3 BeTwinProxy; C:\Windows\System32\BeTwinProxyVS.dll [217928 2011-08-24] (ThinSoft Pte Ltd.)
R2 BeTwinService; C:\Windows\System32\BeTwinServiceVS.exe [335688 2011-08-24] (ThinSoft Pte Ltd.)
R2 NetGuard; C:\Program Files (x86)\NetGuard\TomcatWrapper.exe [116224 2012-03-12] (Acresso) [File not signed]
R2 RDPSSW32; C:\Windows\System32\RDPSSW32.EXE [68608 2010-05-19] () [File not signed]
R2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [311544 2016-02-19] (Sophos Limited)
R2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [285136 2016-02-19] (Sophos Limited)
R2 ShadowControl ImageManager; C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe [2014952 2015-11-02] (StorageCraft Technology Corporation)
R2 ShadowProtectSvc; C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4672336 2012-12-04] (StorageCraft Technology Corporation)
R2 Sophos AutoUpdate Service; C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [604000 2015-10-13] (Sophos Limited)
R2 sophossps; C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe [2455816 2015-12-16] (Sophos Limited)
R2 StorageCraft ImageManager; C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe [2014952 2015-11-02] (StorageCraft Technology Corporation)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [3339736 2016-02-19] (Sophos Limited)
S2 swi_update_64; C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [2118896 2016-02-19] (Sophos Limited)
R2 upsMonitor; C:\Program Files (x86)\NetGuard2.08\upsMonitor.exe [116224 2012-03-20] (Acresso) [File not signed]
R3 upsTomcat; C:\Program Files (x86)\NetGuard2.08\tomcat\bin\tomcat6.exe [57344 2011-04-15] (Apache Software Foundation) [File not signed]
R2 VSNAPVSS; C:\Program Files (x86)\StorageCraft\ShadowProtect\vsnapvss.exe [71976 2012-12-04] (StorageCraft Technology Corporation)
R2 vToolbarUpdater40.3.1; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.1\ToolbarUpdater.exe [1323080 2016-05-16] (AVG Secure Search)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [972872 2016-05-16] ()
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21104 2011-01-10] ()
R1 BeTwinSystem; C:\Windows\System32\Drivers\BeTwinSystemVS.sys [23368 2011-08-24] (ThinSoft Pte Ltd.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [161024 2016-02-19] (Sophos Limited)
R1 sbmount; C:\Windows\System32\Drivers\sbmount.sys [133352 2015-11-02] (StorageCraft Technology Corporation)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [27904 2016-02-19] (Sophos Limited)
R0 stcvsm; C:\Windows\System32\DRIVERS\stcvsm.sys [277288 2012-12-04] (StorageCraft Technology Corporation)
S3 cpuz130; \??\C:\Users\Steve\AppData\Local\Temp\cpuz130\cpuz_x64.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 NPF; system32\DRIVERS\npf.sys [X]
S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-03 13:44 - 2016-06-03 13:45 - 00037265 _____ C:\Users\Admin\Downloads\Addition.txt
2016-06-03 13:43 - 2016-06-07 09:36 - 00031678 _____ C:\Users\Admin\Downloads\FRST.txt
2016-06-03 13:42 - 2016-06-03 13:42 - 02383872 _____ (Farbar) C:\Users\Admin\Downloads\FRST64.exe
2016-06-03 11:47 - 2016-06-03 11:47 - 00000000 ____D C:\Users\Admin\AppData\Local\Sophos
2016-05-31 15:07 - 2016-05-31 15:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2016-05-31 15:07 - 2016-02-19 04:30 - 00035592 _____ (Sophos Limited) C:\Windows\system32\SophosBootTasks.exe
2016-05-31 15:06 - 2016-02-19 04:31 - 00161024 _____ (Sophos Limited) C:\Windows\system32\Drivers\savonaccess.sys
2016-05-31 15:06 - 2016-02-19 04:30 - 00027904 _____ (Sophos Limited) C:\Windows\system32\Drivers\SophosBootDriver.sys
2016-05-31 15:01 - 2016-05-31 15:07 - 00000000 ____D C:\ProgramData\Sophos
2016-05-31 15:01 - 2016-05-31 15:07 - 00000000 ____D C:\Program Files (x86)\Sophos
2016-05-31 14:58 - 2016-05-31 15:33 - 00000000 ____D C:\savw_103_sa
2016-05-31 14:58 - 2016-01-13 16:17 - 157949968 _____ C:\Users\Steve\Desktop\savw_103_sa_sfx.exe
2016-05-27 09:53 - 2016-05-27 09:53 - 00026698 _____ C:\Users\Admin\Desktop\Test Page.pdf
2016-05-13 15:10 - 2016-05-13 15:10 - 00000000 ____D C:\Users\Admin\AppData\Roaming\AMD
2016-05-11 19:27 - 2016-04-14 23:49 - 00603648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2016-05-11 19:27 - 2016-04-14 23:21 - 00647680 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2016-05-11 19:27 - 2016-04-09 17:02 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-05-11 19:27 - 2016-04-09 17:01 - 05546216 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-05-11 19:27 - 2016-04-09 17:01 - 00986344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2016-05-11 19:27 - 2016-04-09 17:01 - 00706280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-05-11 19:27 - 2016-04-09 17:01 - 00264936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2016-05-11 19:27 - 2016-04-09 17:01 - 00154344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-05-11 19:27 - 2016-04-09 17:01 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-05-11 19:27 - 2016-04-09 16:59 - 03998952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2016-05-11 19:27 - 2016-04-09 16:59 - 03943144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2016-05-11 19:27 - 2016-04-09 16:59 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2016-05-11 19:27 - 2016-04-09 16:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00312832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00260608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 16:54 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-05-11 19:27 - 2016-04-09 15:52 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2016-05-11 19:27 - 2016-04-09 15:52 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2016-05-11 19:27 - 2016-04-09 15:52 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2016-05-11 19:27 - 2016-04-09 15:51 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-05-11 19:27 - 2016-04-09 15:49 - 03217408 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-05-11 19:27 - 2016-04-09 15:48 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2016-05-11 19:27 - 2016-04-09 15:47 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-05-11 19:27 - 2016-04-09 15:44 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-05-11 19:27 - 2016-04-09 15:44 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-05-11 19:27 - 2016-04-09 15:44 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-05-11 19:27 - 2016-04-09 15:43 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-05-11 19:27 - 2016-04-09 15:43 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-05-11 19:27 - 2016-04-09 15:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-05-11 19:27 - 2016-04-09 15:38 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2016-05-11 19:27 - 2016-04-09 15:38 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2016-05-11 19:27 - 2016-04-09 15:38 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2016-05-11 19:27 - 2016-04-09 15:38 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2016-05-11 19:27 - 2016-04-09 15:37 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-05-11 19:27 - 2016-04-09 15:37 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 15:37 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 15:37 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 15:37 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-05-11 19:27 - 2016-04-09 14:20 - 01230848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2016-05-11 19:27 - 2016-04-09 13:52 - 01424896 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2016-05-11 19:27 - 2016-04-07 01:27 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2016-05-11 19:27 - 2016-03-10 04:54 - 00275456 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2016-05-11 19:27 - 2016-03-10 04:34 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2016-05-11 10:33 - 2016-05-11 10:33 - 00000000 ____D C:\Users\Steve\AppData\Local\VirtualStore
2016-05-11 08:16 - 2016-05-11 08:16 - 00000000 ____D C:\Users\Hayley\AppData\Local\VirtualStore
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-07 09:36 - 2016-05-05 11:21 - 00000000 ____D C:\FRST
2016-06-07 09:33 - 2012-03-19 14:57 - 00000000 ____D C:\Users\Admin\Documents\Outlook Files
2016-06-07 09:24 - 2015-01-23 09:53 - 00000000 ____D C:\limowiz2000
2016-06-07 09:12 - 2012-12-04 11:47 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-07 09:09 - 2012-03-12 16:10 - 00000520 _____ C:\Windows\SysWOW64\winsusrm.dll
2016-06-07 09:09 - 2012-03-12 16:10 - 00000344 _____ C:\Windows\SysWOW64\winsusrx.dll
2016-06-07 08:45 - 2012-11-13 08:48 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-07 05:42 - 2009-07-14 14:45 - 00032080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-07 05:42 - 2009-07-14 14:45 - 00032080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-06 10:45 - 2012-11-13 08:48 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-06 10:18 - 2012-03-19 15:16 - 00000424 _____ C:\Windows\MYOBP.INI
2016-06-06 10:18 - 2012-03-19 15:12 - 00000000 ____D C:\Premier19
2016-06-06 10:17 - 2012-03-19 15:16 - 00000042 _____ C:\Windows\MYOB.INI
2016-06-06 00:59 - 2012-03-12 16:03 - 00000000 ____D C:\viewpower
2016-06-03 16:53 - 2012-03-19 15:07 - 00000000 ____D C:\Users\Steve\Documents\Outlook Files
2016-06-02 11:24 - 2016-01-07 16:48 - 00023731 _____ C:\Users\Admin\Documents\figures for hayley.xlsx
2016-06-01 13:42 - 2013-06-03 10:27 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2016-06-01 13:42 - 2013-01-22 03:23 - 00000354 _____ C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job
2016-05-31 15:10 - 2016-05-05 10:49 - 00000632 __RSH C:\Users\Steve\ntuser.pol
2016-05-31 15:10 - 2016-03-31 12:21 - 00000000 ____D C:\Users\Admin\AppData\Roaming\StorageCraft
2016-05-31 15:10 - 2012-03-19 15:06 - 00000000 ____D C:\Users\Steve
2016-05-31 15:09 - 2016-05-05 11:43 - 00000632 __RSH C:\Users\Admin\ntuser.pol
2016-05-31 15:09 - 2012-03-13 08:29 - 00000000 ____D C:\Users\Admin
2016-05-31 15:07 - 2016-05-05 11:37 - 00000632 __RSH C:\Users\Hayley\ntuser.pol
2016-05-31 15:07 - 2015-03-23 12:22 - 00000000 ____D C:\Users\Hayley
2016-05-31 15:02 - 2012-03-19 15:46 - 00000000 ____D C:\Users\Steve\AppData\Roaming\StorageCraft
2016-05-31 15:01 - 2009-07-14 15:13 - 00006450 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-31 14:57 - 2012-03-12 16:10 - 00000000 ____D C:\ProgramData\ThinSoft
2016-05-31 14:55 - 2009-07-14 15:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-31 14:52 - 2012-03-20 14:18 - 00000000 ____D C:\ProgramData\MFAData
2016-05-30 13:06 - 2012-03-19 13:44 - 00000000 ____D C:\NQES
2016-05-27 03:00 - 2015-04-05 03:00 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2016-05-27 03:00 - 2015-04-05 03:00 - 00000000 ___SD C:\Windows\system32\GWX
2016-05-24 10:54 - 2015-03-09 12:44 - 00001456 _____ C:\Users\Admin\AppData\Local\Adobe Save for Web 13.0 Prefs
2016-05-16 08:33 - 2015-09-11 13:21 - 00000000 ____D C:\ProgramData\AVG Web TuneUp
2016-05-16 08:33 - 2015-09-11 13:21 - 00000000 ____D C:\Program Files (x86)\AVG Web TuneUp
2016-05-13 23:12 - 2012-12-04 11:47 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-05-13 23:12 - 2012-12-04 11:47 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-05-13 23:12 - 2012-03-12 11:43 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-05-13 08:46 - 2012-11-13 08:49 - 00002233 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-05-13 03:00 - 2014-12-12 03:23 - 00000000 ____D C:\Windows\system32\appraiser
2016-05-12 04:12 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\rescache
2016-05-12 03:35 - 2009-07-14 14:45 - 05063728 _____ C:\Windows\system32\FNTCACHE.DAT
2016-05-12 03:33 - 2011-04-12 18:28 - 00000000 ____D C:\Program Files\Windows Journal
2016-05-12 03:14 - 2013-07-27 03:00 - 00000000 ____D C:\Windows\system32\MRT
2016-05-12 03:02 - 2012-03-09 16:00 - 139319312 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-05-11 10:40 - 2012-11-13 08:48 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-05-11 10:40 - 2012-11-13 08:48 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-10 15:20 - 2016-02-10 21:12 - 00000000 __SHD C:\Users\Guest\AppData\Roaming\tsifehid
 
==================== Files in the root of some directories =======
 
2013-09-28 15:28 - 2014-06-23 14:26 - 0003730 _____ () C:\Program Files (x86)\Mozilla Firefox\avg-secure-search.xml
2015-03-17 11:53 - 2016-02-03 09:46 - 0000132 _____ () C:\Users\Admin\AppData\Roaming\Adobe PNG Format CS6 Prefs
2015-03-09 12:44 - 2016-05-24 10:54 - 0001456 _____ () C:\Users\Admin\AppData\Local\Adobe Save for Web 13.0 Prefs
2012-08-15 09:51 - 2012-08-15 09:51 - 0003584 _____ () C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-28 17:13 - 2012-08-28 17:13 - 0000008 __RSH () C:\ProgramData\91332E1471.sys
2016-03-18 14:56 - 2016-03-18 14:56 - 0000008 ____H () C:\ProgramData\@000001.dat
2016-03-18 14:56 - 2016-03-22 16:41 - 0000920 ____H () C:\ProgramData\@system.temp
2016-03-18 14:55 - 2016-03-22 16:41 - 0000656 ____H () C:\ProgramData\@system3.att
2012-03-19 15:44 - 2012-03-19 15:44 - 0004899 _____ () C:\ProgramData\giiynunu.mau
2012-12-04 11:52 - 2014-10-17 11:26 - 0005093 _____ () C:\ProgramData\ipqjxxho.fyn
2012-08-16 17:29 - 2013-11-08 12:58 - 0003766 ___SH () C:\ProgramData\KGyGaAvL.sys
2016-03-31 12:38 - 2016-03-31 12:38 - 0000016 _____ () C:\ProgramData\mntemp
 
Files to move or delete:
====================
C:\ProgramData\@000001.dat
 
 
Some files in TEMP:
====================
C:\Users\Steve\AppData\Local\Temp\625D.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-07 00:25
 
==================== End of FRST.txt ============================

#2 nasdaq
  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 June 2016 - 09:50 AM

This is a duplicate post.

Oh My! has replied to your previous topic.
http://www.bleepingcomputer.com/forums/t/616209/zeroaccess-rootkit-removal-help/#entry4013857

This topic will be locked.
