[Closed] Unidentified, serious MBR/rootkitting


Eric Witzling

The story so far:

I've seen this type of behavior once before, and it makes me nervous about trying to initiate the same repair, because the MBR broke for good and I had my fingers crossed during a Windows Repair.

Typical icons-disappearing/scam-windows-popping-up/search-redirection on a Windows XP Pro SP3 machine, but all efforts to get under it with known tools are failing. TDSSKiller will not run, nor will aswMBR, even in Safe Mode w/Command Prompt. Combofix will start running, but the machine freezes entirely before it can get to the scanning steps. FixTDSS will initiate, but gets into a reset-loop when it attempts to boot, and can only be rolled back by going to "Last Known Good Configuration." Removed some minor items like a PEVSystemStart service and randomly-generated number processes, and let Malwarebytes, SpyBot, and SuperAntiSpyware run to try to peel back the layers even a tiny bit. SB found nothing, SAS and MB pulled off minimal traces of the randomly-generated process I had already stopped. (MB log will be posted below.)

GMER pops a LoadDriver error when first starting ("Cannot create a stable subkey under volatile parent key" on pwloipog.sys in temp directory) and running it reveals nothing and produces no log to save.

DDS took 20 minutes to run and while the computer was still semi-responsive at first, Ctrl-Alt-Delete would not respond, and moving the window eventually froze the rest of the UI as well. So my ability to currently give information is... not so mighty.

The last time, what I'd done was unhooked the drive and cleaned what I could as best I could from another machine, but that broke the boot routine to an unrecoverable degree and I was probably lucky that a raw Windows disk could repair it. I would LIKE to hit it more surgically, but at this point I'm stumped.


Any suggested next steps?

-----------------------------------
MB log, for what it's worth
-----------------------------------
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.19.13
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Kristine :: HL111008 [administrator]
7/19/2012 5:11:20 PM
mbam-log-2012-07-20 (09-14-52).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 374710
Time elapsed: 1 hour(s), 25 minute(s), 8 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 8
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw.exe (Rogue.FakeHDD) -> No action taken.
C:\Documents and Settings\All Users\Application Data\WPNMjlUbKov.exe (Trojan.FakeAlert.3CH) -> No action taken.
(end)
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer, such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc., unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Please review the 5-Step removal instructions and post the logs back here for my review.
 
Hi. Thanks, and I'll work up an intro when I have the time.

As mentioned in my first post, GMER ran following an error that seems to have kept it from scanning anything properly, and had nothing proper to log. DDS.scr took more than 20 minutes to run, failed to complete in that time, and froze with the PC when I started checking for activity. ComboFix freezes the computer, too.

I have since run hardware tests on the memory and HDD, and they show no errors.
 
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
  • Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
  • Insert the flash drive with FRST on it
  • Locate the flash drive and run FRST
  • The tool will start to run.

  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
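The FRST.txt those steps produce is a long flat list, and the helper reads it by eye. As an added example (editor's code, not part of this thread, of FRST, or of any tool named above), here is a small parser for the "Created Files and Folders" / "Modified Files" line format together with two explainable triage heuristics a reviewer might apply before deciding what to fix. The heuristics, the reading of the attribute column (right-justified letters, H = hidden, S = system, D = directory) and the "profile root" definition are my assumptions; the sample lines are copied from the FRST log posted later in this thread.

```python
"""Parse the file sections of an FRST log and flag entries worth a second look.

Editor-added example, not FRST's own code. Heuristics and attribute-letter
interpretation are assumptions documented inline.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One FRST file-section line:
#   <created> - <modified> - <size, 8 digits> <attrs, 5 chars> [(publisher)] <path>
# Attribute letters appear right-justified in the 5-char field (e.g. "___AH", "RASHD").
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>.+?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".com")
# Assumption: a file sitting directly in C:\Documents and Settings\<user>\ or directly
# in <user>\Application Data\ (not inside a named program folder) is unusual for
# legitimate software and deserves a look.
PROFILE_ROOT = re.compile(
    r"^C:\\Documents and Settings\\[^\\]+\\(?:Application Data\\)?[^\\]+$", re.I
)
HOSTS_BACKUP = re.compile(r"\\drivers\\etc\\hosts\.\d{8}-\d{6}\.backup$", re.I)
# Files Windows itself keeps hidden/system in a profile root; never flag these.
BENIGN_HIDDEN = {"desktop.ini", "ntuser.ini", "ntuser.dat"}


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    publisher: Optional[str]   # None when FRST printed no "(Company)" field
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    def has(self, flag: str) -> bool:
        """Attribute test by letter: 'H' hidden, 'S' system, 'D' directory (assumed meaning)."""
        return flag in self.attrs


def parse_frst(text: str) -> List[Entry]:
    """Return every line matching the file-section format; headers and blanks are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]),
                                 m["attrs"], m["publisher"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Apply two explainable heuristics; returns (reason, path) pairs for a human to review."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.has("D"):
            continue  # directories are skipped (note ".com" folders would otherwise match EXEC_EXT)
        lower = e.name.lower()
        in_root = PROFILE_ROOT.match(e.path) is not None
        if in_root and lower.endswith(EXEC_EXT) and not e.publisher:
            findings.append(("executable with no publisher in profile root", e.path))
        elif in_root and (e.has("S") or e.has("H")) and lower not in BENIGN_HIDDEN:
            # Hiding dropped files and the user's own data is a common rogue-AV tactic.
            findings.append(("hidden/system file in profile root", e.path))
    return findings


def hosts_backup_sizes(entries: List[Entry]) -> Dict[int, int]:
    """size -> count over hosts.*.backup files; more than one size means the HOSTS file changed."""
    sizes: Dict[int, int] = defaultdict(int)
    for e in entries:
        if HOSTS_BACKUP.search(e.path):
            sizes[e.size] += 1
    return dict(sizes)


# Sample input: lines copied from the FRST log posted in this thread, plus one section header.
SAMPLE_LOG = r"""
============ One Month Created Files and Folders ==============

2012-07-20 15:29 - 2012-07-20 15:29 - 00000000 ____D C:\FRST
2012-07-19 17:08 - 2012-07-19 17:08 - 00000000 ____D C:\Documents and Settings\kristine\Application Data\SUPERAntiSpyware.com
2012-07-19 17:01 - 2012-07-03 13:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-19 15:41 - 2012-07-19 15:38 - 04731392 ____A (AVAST Software) C:\Documents and Settings\kristine\Desktop\aswMBR.exe
2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuwr
2012-07-19 09:55 - 2012-07-19 09:56 - 00000368 ___AH C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw
2012-06-22 10:05 - 2012-06-22 10:05 - 00045056 ___SH C:\Documents and Settings\kristine\1ee7e578-5753.exe
2012-07-19 17:10 - 2012-06-22 10:04 - 00000761 ____A C:\Windows\System32\Drivers\etc\hosts.20120719-171050.backup
2012-07-17 00:18 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001837.backup
2012-06-22 00:29 - 2012-06-22 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002956.backup
2012-07-20 14:22 - 2008-11-13 23:47 - 00000278 __ASH C:\Documents and Settings\kristine\ntuser.ini
"""

if __name__ == "__main__":
    ents = parse_frst(SAMPLE_LOG)
    for reason, path in triage(ents):
        print(f"[{reason}] {path}")
    print("hosts backup sizes:", hosts_backup_sizes(ents))
```

Run against the sample, the two heuristics single out the three profile-root entries and leave mbam.sys, aswMBR.exe and ntuser.ini alone, while the hosts-backup summary shows two distinct sizes (761 and 440483 bytes), which is the kind of change a reviewer would want to look at directly rather than infer from a wall of otherwise identical lines. The output is a shortlist for a person to judge, not a verdict; a publisher field in FRST is a string, not a verified signature, so it lowers priority without clearing a file.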
 
-=(Split due to 50k character restrictions and scripting errors when attempting to post.)=-

First off, THANK YOU for pointing me to that Reatogo-X-PE tool. I'd been working (poorly) off an old BartPE disk while trying to take time building and managing a new one, but this looks like it will save a lot of time and headache, and do what I need it to. Are you aware of any licensing terms and restrictions that I would need to worry about as a technician?



Secondly, the FRST log:



Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012
Ran by SYSTEM at 20-07-2012 15:29:52
Running from D:\cleanup
Microsoft Windows XP (X86) OS Language: English(US)
The current controlset is ControlSet004

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
HKLM\...\Run: [Alcmtr] ALCMTR.EXE [x]
HKLM\...\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe [141848 2007-09-21] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe [166424 2007-09-21] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe [137752 2007-09-21] (Intel Corporation)
HKLM\...\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE [122940 2006-02-02] (Sonic Solutions)
HKLM\...\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [120096 2007-12-09] (Lenovo Group Limited)
HKLM\...\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup [419376 2007-02-01] (LENOVO)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2010-09-17] (LogMeIn, Inc.)
HKLM\...\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [813912 2006-11-21] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [849280 2007-02-05] (Microsoft Corporation)
HKLM\...\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon [x]
HKLM\...\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s [407368 2008-02-08] (CA)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
HKLM\...\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto [169984 2008-04-13] (Microsoft Corporation)
HKU\Administrator\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
HKU\Administrator.SMALLBUSINESS\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
HKU\audrey\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
HKU\kristine\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Winlogon\Notify\LMIinit: LMIinit.dll (LogMeIn, Inc.)
Winlogon\Notify\NavLogon:
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.25 24.225.193.110 24.225.193.111 208.67.222.222 208.67.220.220
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Tcpip\..\Interfaces\{85FA715C-19B2-437D-AE84-7C25D7ECE2D1}: [NameServer]192.168.24.50,208.67.222.222,8.8.8.8,208.67.222.222

================================ Services (Whitelisted) ==================

2 Diskeeper; "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" [622700 2006-05-23] (Diskeeper Corporation)
2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
3 GoogleDesktopManager-061008-081103; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [29744 2008-11-13] (Google)
2 iGateway; "C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe" [106496 2007-02-05] (CA, Inc.)
2 InoRPC; "C:\Program Files\CA\eTrustITM\InoRpc.exe" [192512 2009-09-29] (CA)
2 InoRT; "C:\Program Files\CA\eTrustITM\InoRT.exe" [208896 2009-09-29] (CA)
2 InoTask; "C:\Program Files\CA\eTrustITM\InoTask.exe" [389960 2011-02-15] (CA)
2 ITMRTSVC; "C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe" [283888 2009-12-07] (CA, Inc.)
3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2045632 2006-02-23] (Symantec Corporation)
2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-12] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-12] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2010-11-08] (LogMeIn, Inc.)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" [322120 2003-06-20] (Microsoft Corporation)
2 QBCFMonitorService; "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [20480 2009-09-16] (Intuit)
3 QBFCService; "C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2007-05-24] (Intuit Inc.)
2 QuickBooksDB18; C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [128536 2006-09-13] (iAnywhere Solutions, Inc.)
2 SAAZappr; "C:\PROGRA~1\SAAZOD\zRealTime\SAAZappr.exe" SAAZappr [82760 2011-05-31] (Zenith Infotech Ltd)
2 SAAZapsc; "C:\PROGRA~1\SAAZOD\zRealTime\SAAZapsc.exe" SAAZapsc [82760 2011-05-31] (Zenith Infotech Ltd)
2 SAAZDPMACTL; "C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe" [86856 2012-02-23] (Zenith Infotech Ltd)
2 SAAZRemoteSupport; "C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe" [78664 2012-02-23] (Zenith Infotech Ltd)
2 SAAZScheduler; "C:\PROGRA~1\SAAZOD\SAAZScheduler.exe" [77824 2012-02-23] (Zenith Infotech Ltd)
2 SAAZServerPlus; "C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe" [77824 2009-04-30] (Zenith Infotech Ltd)
2 SAAZWatchDog; "C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe" [86856 2012-02-23] (Zenith Infotech Ltd)
2 TVT Backup Protection Service; "C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe" [569344 2007-07-11] ()
2 tvtnetwk; C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe [45056 2007-07-11] ()
2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
3 WMConnectCDS; C:\Program Files\Windows Media Connect 2\wmccds.exe [855552 2005-10-06] (Microsoft Corporation)
4 ZEvtSVC; C:\PROGRA~1\SAAZOD\zSCC\zEvtSVC.exe [230216 2011-08-09] (Zenith Infotech ltd.)
3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [x]
3 idsvc; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [x]
4 NetTcpPortSharing; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [x]
2 SUService; c:\program files\lenovo\system update\suservice.exe [x]
2 TVT Scheduler; "c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" [x]

========================== Drivers (Whitelisted) =============

3 ac97intc; C:\Windows\System32\drivers\ac97intc.sys [96256 2001-08-17] (Intel Corporation)
2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2006-02-02] (Sonic Solutions)
1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5660 2005-11-18] (Sonic Solutions)
2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2006-02-02] (Sonic Solutions)
2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86652 2006-02-02] (Sonic Solutions)
2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2006-02-02] (Sonic Solutions)
2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2006-02-02] (Sonic Solutions)
1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-11-18] (Sonic Solutions)
2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2006-02-02] (Sonic Solutions)
2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2006-02-02] (Sonic Solutions)
2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-11-18] (Sonic Solutions)
3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)
3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-10-30] (HP)
3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-10-30] (HP)
3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-10-30] (HP)
0 INO_FLPY; C:\Windows\System32\Drivers\ino_flpy.sys [27536 2007-08-06] (Computer Associates)
2 INO_FLTR; \??\C:\WINDOWS\system32\Drivers\ino_fltr.sys [184080 2007-10-18] (Computer Associates)
3 Iviaspi; C:\Windows\System32\drivers\iviaspi.sys [21060 2003-09-11] (InterVideo, Inc.)
2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2010-09-17] (LogMeIn, Inc.)
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16384 2003-01-10] (Primax Electronics Ltd.)
3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [9216 2003-02-11] (Primax Electronics Ltd.)
2 pmem; \??\C:\WINDOWS\System32\drivers\pmemnt.sys [7012 2008-10-10] (Microsoft Corporation)
3 yukonwxp; C:\Windows\System32\DRIVERS\yk51x86.sys [288896 2008-04-29] (Marvell)
4 Abiosdsk; [x]
4 Atdisk; [x]
1 Changer; [x]
1 lbrtfdc; [x]
4 LMIRfsClientNP; [x]
3 mcdbus; C:\Windows\System32\DRIVERS\mcdbus.sys [x]
1 PCIDump; [x]
3 PDCOMP; [x]
3 PDFRAME; [x]
3 PDRELI; [x]
3 PDRFRAME; [x]
1 SASDIFSV; \??\C:\DOCUME~1\kristine\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
1 SASKUTIL; \??\C:\DOCUME~1\kristine\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
4 Simbad; [x]
3 SymIM; C:\Windows\System32\DRIVERS\SymIM.sys [x]
3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys [x]
3 TVTPktFilter; C:\Windows\System32\DRIVERS\tvtpktfilter.sys [x]
3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [x]
3 WDICA; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-20 15:29 - 2012-07-20 15:29 - 00000000 ____D C:\FRST
2012-07-20 14:07 - 2012-07-20 14:07 - 00000000 ____D C:\Documents and Settings\All Users\Desktop\CC Support
2012-07-19 17:10 - 2012-06-22 10:04 - 00000761 ____A C:\Windows\System32\Drivers\etc\hosts.20120719-171050.backup
2012-07-19 17:08 - 2012-07-19 17:08 - 00000000 ____D C:\Documents and Settings\kristine\Application Data\SUPERAntiSpyware.com
2012-07-19 17:08 - 2012-07-19 17:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2012-07-19 17:01 - 2012-07-19 17:06 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-07-19 17:01 - 2012-07-19 17:01 - 00000000 ____D C:\Documents and Settings\kristine\Application Data\Malwarebytes
2012-07-19 17:01 - 2012-07-19 17:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-07-19 17:01 - 2012-07-03 13:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-19 15:57 - 2012-07-19 16:05 - 00000000 ___SD C:\cfx
2012-07-19 15:53 - 2012-07-20 14:15 - 00000359 ____A C:\rkill.log
2012-07-19 15:50 - 2012-07-19 15:49 - 00081920 ____A C:\Windows\Minidump\Mini071912-02.dmp
2012-07-19 15:41 - 2012-07-19 15:38 - 04731392 ____A (AVAST Software) C:\Documents and Settings\kristine\Desktop\aswMBR.exe
2012-07-19 15:33 - 2012-07-19 15:33 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\FixTDSS
2012-07-19 15:30 - 2012-07-19 15:50 - 00000000 ____D C:\Windows\Minidump
2012-07-19 15:30 - 2012-07-19 15:30 - 00081920 ____A C:\Windows\Minidump\Mini071912-01.dmp
2012-07-19 10:38 - 2012-07-19 10:38 - 00000000 RASHD C:\cmdcons
2012-07-19 10:38 - 2012-07-19 10:12 - 00000245 ____A C:\Boot.bak
2012-07-19 10:38 - 2004-08-03 23:00 - 00260272 _RASH C:\cmldr
2012-07-19 10:32 - 2012-07-19 10:38 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2012-07-19 10:32 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-19 10:32 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-19 10:32 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-19 10:32 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-19 10:32 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-19 10:32 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2012-07-19 10:32 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-19 10:32 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-19 10:32 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-19 10:31 - 2012-07-19 15:57 - 00000000 ___SD C:\ComboFix
2012-07-19 10:29 - 2012-07-19 10:31 - 00000000 ____D C:\Qoobox
2012-07-19 10:28 - 2012-07-19 10:28 - 00000000 ____D C:\Windows\erdnt
2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuwr
2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuw
2012-07-19 09:55 - 2012-07-19 09:56 - 00000368 ___AH C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw
2012-07-19 00:46 - 2012-07-19 00:46 - 00000000 __HDC C:\Windows\$NtUninstallKB2685939$
2012-07-19 00:44 - 2012-07-19 00:46 - 00016175 ___AH C:\Windows\KB2685939.log
2012-07-19 00:33 - 2012-07-19 00:35 - 00020406 ___AH C:\Windows\KB2699988-IE8.log
2012-07-19 00:32 - 2012-05-11 10:42 - 00521728 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll
2012-07-17 00:18 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001837.backup
2012-07-17 00:17 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001734.backup
2012-07-17 00:16 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001629.backup
2012-07-16 00:30 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-003026.backup
2012-07-16 00:29 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-002925.backup
2012-07-16 00:28 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-002824.backup
2012-07-13 00:30 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-003030.backup
2012-07-13 00:29 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-002927.backup
2012-07-13 00:27 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-002755.backup
2012-07-10 00:20 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-002002.backup
2012-07-10 00:19 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-001900.backup
2012-07-10 00:17 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-001758.backup
2012-07-09 16:27 - 2012-07-09 16:27 - 00000263 ___AH C:\Documents and Settings\kristine\Desktop\VanAlstyne-Chubb Ins.log
2012-07-09 00:25 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002508.backup
2012-07-09 00:24 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002405.backup
2012-07-09 00:22 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002258.backup
2012-07-06 00:23 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002327.backup
2012-07-06 00:22 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002226.backup
2012-07-06 00:21 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002121.backup
2012-07-03 00:14 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001444.backup
2012-07-03 00:13 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001340.backup
2012-07-03 00:12 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001236.backup
2012-07-02 00:25 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002509.backup
2012-07-02 00:24 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002407.backup
2012-07-02 00:23 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002300.backup
2012-06-29 00:23 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002334.backup
2012-06-29 00:22 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002231.backup
2012-06-29 00:21 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002112.backup
2012-06-26 00:15 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001514.backup
2012-06-26 00:14 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001413.backup
2012-06-26 00:13 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001312.backup
2012-06-25 00:09 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120625-000908.backup
2012-06-25 00:08 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120625-000807.backup
2012-06-25 00:07 - 2012-06-22 10:04 - 00000761 _RASH C:\Windows\System32\Drivers\etc\hosts.20120625-000705.backup
2012-06-22 15:24 - 2012-06-22 15:25 - 00000000 ___HD C:\Windows\pss
2012-06-22 15:23 - 2012-07-19 09:14 - 00000830 ___AH C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-22 15:23 - 2012-07-12 11:14 - 00426184 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-22 15:23 - 2012-07-12 11:14 - 00070344 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-22 15:22 - 2012-06-22 15:22 - 00002029 ___AH C:\Documents and Settings\kristine\Desktop\Retry AIM Installation.lnk
2012-06-22 10:05 - 2012-06-22 10:05 - 00045056 ___SH C:\Documents and Settings\kristine\1ee7e578-5753.exe
2012-06-22 10:04 - 2012-06-22 10:04 - 00178692 ___AH C:\Windows\System32\c_7265170.nls
2012-06-22 00:29 - 2012-06-22 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002956.backup
2012-06-22 00:28 - 2012-06-22 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002843.backup
2012-06-22 00:27 - 2012-06-19 00:20 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002733.backup

============ 3 Months Modified Files ========================

2012-07-20 14:22 - 2008-11-13 23:47 - 00000278 __ASH C:\Documents and Settings\kristine\ntuser.ini
2012-07-20 14:22 - 2006-04-30 03:11 - 02072280 ___AH C:\Windows\WindowsUpdate.log
2012-07-20 14:15 - 2012-07-19 15:53 - 00000359 ____A C:\rkill.log
2012-07-20 14:12 - 2006-04-30 02:56 - 00002278 ___AH C:\Windows\System32\wpa.dbl
2012-07-20 14:11 - 2008-11-13 23:47 - 00000062 __ASH C:\Documents and Settings\kristine\Local Settings\desktop.ini
2012-07-20 14:10 - 2006-04-30 03:20 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-07-20 14:10 - 2006-04-30 03:20 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-07-20 10:18 - 2008-11-13 14:34 - 00000178 __ASH C:\Documents and Settings\QBDataServiceUser18\ntuser.ini
2012-07-20 10:18 - 2006-04-30 03:20 - 00032284 ___AH C:\Windows\SchedLgU.Txt
2012-07-20 10:18 - 2006-04-30 03:20 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-20 10:18 - 2006-04-29 20:07 - 00000049 ___AH C:\Windows\wiaservc.log
2012-07-20 10:17 - 2008-11-13 14:34 - 00000062 __ASH C:\Documents and Settings\QBDataServiceUser18\Local Settings\desktop.ini
2012-07-19 16:50 - 2006-04-30 02:56 - 00000355 _RASH C:\boot.ini
2012-07-19 15:51 - 2006-04-29 20:03 - 00585391 ___AH C:\Windows\setupapi.log
2012-07-19 15:50 - 2006-04-29 20:03 - 00217502 ___AH C:\Windows\setupact.log
2012-07-19 15:49 - 2012-07-19 15:50 - 00081920 ____A C:\Windows\Minidump\Mini071912-02.dmp
2012-07-19 15:38 - 2012-07-19 15:41 - 04731392 ____A (AVAST Software) C:\Documents and Settings\kristine\Desktop\aswMBR.exe
2012-07-19 15:33 - 2006-04-30 03:21 - 00000178 __ASH C:\Documents and Settings\Administrator\ntuser.ini
2012-07-19 15:32 - 2006-04-30 03:21 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2012-07-19 15:30 - 2012-07-19 15:30 - 00081920 ____A C:\Windows\Minidump\Mini071912-01.dmp
2012-07-19 15:27 - 2010-05-10 13:55 - 00000236 ___AH C:\Windows\Tasks\OGALogon.job
2012-07-19 15:27 - 2010-02-05 10:15 - 00000882 ___AH C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-19 10:38 - 2012-07-19 10:32 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2012-07-19 10:12 - 2012-07-19 10:38 - 00000245 ____A C:\Boot.bak
2012-07-19 10:11 - 2008-11-13 23:21 - 00000278 __ASH C:\Documents and Settings\Administrator.SMALLBUSINESS\ntuser.ini
2012-07-19 10:11 - 2006-04-29 20:07 - 00000463 ___AH C:\Windows\wiadebug.log
2012-07-19 10:02 - 2008-11-13 23:21 - 00000062 __ASH C:\Documents and Settings\Administrator.SMALLBUSINESS\Local Settings\desktop.ini
2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuwr
2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuw
2012-07-19 09:56 - 2012-07-19 09:55 - 00000368 ___AH C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw
2012-07-19 09:50 - 2008-11-10 15:48 - 00000256 ___AH C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
2012-07-19 09:47 - 2011-11-15 10:33 - 00000564 ___AH C:\Documents and Settings\kristine\Desktop\106.7 Lite fm - 106.7 Lite fm New York.url
2012-07-19 09:45 - 2008-11-13 23:14 - 00000152 ___AH C:\Windows\System32\config\netlogon.ftl
2012-07-19 09:20 - 2010-02-05 10:15 - 00000886 ___AH C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-19 09:14 - 2012-06-22 15:23 - 00000830 ___AH C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-19 09:10 - 2006-04-30 02:56 - 00000655 ___AH C:\Windows\win.ini
2012-07-19 09:07 - 2008-11-20 17:46 - 00002521 ____A C:\Documents and Settings\kristine\Desktop\Microsoft Office Outlook 2003.lnk
2012-07-19 01:07 - 2008-11-13 14:36 - 00524288 ___AH C:\Windows\System32\config\QB GDS P.evt
2012-07-19 00:46 - 2012-07-19 00:44 - 00016175 ___AH C:\Windows\KB2685939.log
2012-07-19 00:46 - 2006-04-29 20:04 - 02311705 ___AH C:\Windows\FaxSetup.log
2012-07-19 00:46 - 2006-04-29 20:04 - 01106753 ___AH C:\Windows\ocgen.log
2012-07-19 00:46 - 2006-04-29 20:04 - 01063286 ___AH C:\Windows\tsoc.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00702458 ___AH C:\Windows\msmqinst.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00603313 ___AH C:\Windows\comsetup.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00493045 ___AH C:\Windows\iis6.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00405340 ___AH C:\Windows\netfxocm.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00364073 ___AH C:\Windows\ntdtcsetup.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00159544 ___AH C:\Windows\MedCtrOC.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00117142 ___AH C:\Windows\tabletoc.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00115663 ___AH C:\Windows\msgsocm.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00099884 ___AH C:\Windows\ocmsn.log
2012-07-19 00:46 - 2006-04-29 20:04 - 00001374 ___AH C:\Windows\imsins.log
2012-07-19 00:42 - 2006-04-29 20:04 - 00507652 ___AH C:\Windows\System32\PerfStringBackup.INI
2012-07-19 00:35 - 2012-07-19 00:33 - 00020406 ___AH C:\Windows\KB2699988-IE8.log
2012-07-19 00:35 - 2006-04-29 20:04 - 00001374 ___AH C:\Windows\imsins.BAK
2012-07-19 00:34 - 2006-04-30 03:26 - 00316744 ___AH C:\Windows\updspapi.log
2012-07-19 00:29 - 2012-02-23 17:30 - 00001427 ___AH C:\Windows\System32\ipstuffNew.txt
2012-07-17 15:09 - 2011-12-19 10:37 - 00248320 ___AH C:\Documents and Settings\kristine\Desktop\Credit Cards.xls
2012-07-17 10:14 - 2008-11-17 17:24 - 00000322 ___AH C:\Documents and Settings\kristine\Desktop\PNC Bank.url
2012-07-12 18:25 - 2008-11-10 18:28 - 00030624 ___AH (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2012-07-12 18:25 - 2008-11-10 18:27 - 00087456 ___AH (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2012-07-12 11:14 - 2012-06-22 15:23 - 00426184 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-12 11:14 - 2012-06-22 15:23 - 00070344 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-09 16:27 - 2012-07-09 16:27 - 00000263 ___AH C:\Documents and Settings\kristine\Desktop\VanAlstyne-Chubb Ins.log
2012-07-03 13:46 - 2012-07-19 17:01 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-22 16:37 - 2008-11-12 09:07 - 00000178 __ASH C:\Documents and Settings\LogMeInRemoteUser\ntuser.ini
2012-06-22 15:28 - 2008-11-12 09:07 - 00000062 __ASH C:\Documents and Settings\LogMeInRemoteUser\Local Settings\desktop.ini
2012-06-22 15:26 - 2006-04-30 02:56 - 00000227 ___AH C:\Windows\system.ini
2012-06-22 15:24 - 2008-11-18 13:02 - 00001116 ___AH C:\IPH.PH
2012-06-22 15:22 - 2012-06-22 15:22 - 00002029 ___AH C:\Documents and Settings\kristine\Desktop\Retry AIM Installation.lnk
2012-06-22 10:05 - 2012-06-22 10:05 - 00045056 ___SH C:\Documents and Settings\kristine\1ee7e578-5753.exe
2012-06-22 10:04 - 2012-07-19 17:10 - 00000761 ____A C:\Windows\System32\Drivers\etc\hosts.20120719-171050.backup
2012-06-22 10:04 - 2012-07-17 00:18 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001837.backup
2012-06-22 10:04 - 2012-07-17 00:17 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001734.backup
2012-06-22 10:04 - 2012-07-17 00:16 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001629.backup
2012-06-22 10:04 - 2012-07-16 00:30 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-003026.backup
2012-06-22 10:04 - 2012-07-16 00:29 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-002925.backup
2012-06-22 10:04 - 2012-07-16 00:28 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-002824.backup
2012-06-22 10:04 - 2012-07-13 00:30 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-003030.backup
2012-06-22 10:04 - 2012-07-13 00:29 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-002927.backup
2012-06-22 10:04 - 2012-07-13 00:27 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-002755.backup
2012-06-22 10:04 - 2012-07-10 00:20 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-002002.backup
2012-06-22 10:04 - 2012-07-10 00:19 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-001900.backup
2012-06-22 10:04 - 2012-07-10 00:17 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-001758.backup
2012-06-22 10:04 - 2012-07-09 00:25 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002508.backup
2012-06-22 10:04 - 2012-07-09 00:24 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002405.backup
2012-06-22 10:04 - 2012-07-09 00:22 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002258.backup
2012-06-22 10:04 - 2012-07-06 00:23 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002327.backup
2012-06-22 10:04 - 2012-07-06 00:22 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002226.backup
2012-06-22 10:04 - 2012-07-06 00:21 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002121.backup
2012-06-22 10:04 - 2012-07-03 00:14 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001444.backup
2012-06-22 10:04 - 2012-07-03 00:13 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001340.backup
2012-06-22 10:04 - 2012-07-03 00:12 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001236.backup
2012-06-22 10:04 - 2012-07-02 00:25 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002509.backup
2012-06-22 10:04 - 2012-07-02 00:24 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002407.backup
2012-06-22 10:04 - 2012-07-02 00:23 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002300.backup
2012-06-22 10:04 - 2012-06-29 00:23 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002334.backup
2012-06-22 10:04 - 2012-06-29 00:22 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002231.backup
2012-06-22 10:04 - 2012-06-29 00:21 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002112.backup
2012-06-22 10:04 - 2012-06-26 00:15 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001514.backup
2012-06-22 10:04 - 2012-06-26 00:14 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001413.backup
2012-06-22 10:04 - 2012-06-26 00:13 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001312.backup
2012-06-22 10:04 - 2012-06-25 00:09 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120625-000908.backup
2012-06-22 10:04 - 2012-06-25 00:08 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120625-000807.backup
2012-06-22 10:04 - 2012-06-25 00:07 - 00000761 _RASH C:\Windows\System32\Drivers\etc\hosts.20120625-000705.backup
2012-06-22 10:04 - 2012-06-22 10:04 - 00178692 ___AH C:\Windows\System32\c_7265170.nls
2012-06-22 00:28 - 2012-06-22 00:29 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002956.backup
2012-06-22 00:27 - 2012-06-22 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002843.backup
2012-06-19 00:20 - 2012-06-22 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002733.backup
2012-06-19 00:19 - 2012-06-19 00:20 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120619-002029.backup
2012-06-19 00:18 - 2012-06-19 00:19 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120619-001918.backup
2012-06-18 00:30 - 2012-06-19 00:18 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120619-001807.backup
2012-06-18 00:28 - 2012-06-18 00:30 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120618-003003.backup
2012-06-18 00:27 - 2012-06-18 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120618-002850.backup
2012-06-16 01:26 - 2006-04-29 20:03 - 00282928 ___AH C:\Windows\System32\FNTCACHE.DAT
2012-06-16 01:01 - 2012-06-16 01:00 - 00009572 ___AH C:\Windows\KB2686509.log
2012-06-16 00:59 - 2012-06-16 00:56 - 00006916 ___AH C:\Windows\KB2659262.log
2012-06-16 00:55 - 2012-06-16 00:52 - 00011836 ___AH C:\Windows\KB2676562.log
2012-06-15 00:35 - 2012-06-18 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120618-002744.backup
2012-06-15 00:34 - 2012-06-15 00:35 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120615-003554.backup
2012-06-15 00:33 - 2012-06-15 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120615-003440.backup
2012-06-12 00:26 - 2012-06-15 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120615-003330.backup
2012-06-12 00:24 - 2012-06-12 00:26 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120612-002610.backup
2012-06-12 00:23 - 2012-06-12 00:24 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120612-002457.backup
2012-06-11 00:07 - 2012-06-12 00:23 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120612-002343.backup
2012-06-11 00:06 - 2012-06-11 00:07 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120611-000712.backup
2012-06-11 00:05 - 2012-06-11 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120611-000610.backup
2012-06-08 00:37 - 2012-06-11 00:05 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120611-000506.backup
2012-06-08 00:36 - 2012-06-08 00:37 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120608-003736.backup
2012-06-08 00:35 - 2012-06-08 00:36 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120608-003623.backup
2012-06-05 00:34 - 2012-06-08 00:35 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120608-003509.backup
2012-06-05 00:33 - 2012-06-05 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120605-003435.backup
2012-06-05 00:32 - 2012-06-05 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120605-003317.backup
2012-06-04 00:08 - 2012-06-05 00:31 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120605-003159.backup
2012-06-04 00:06 - 2012-06-04 00:08 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120604-000808.backup
2012-06-04 00:05 - 2012-06-04 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120604-000653.backup
2012-06-01 00:38 - 2012-06-04 00:05 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120604-000538.backup
2012-06-01 00:36 - 2012-06-01 00:38 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120601-003800.backup
2012-06-01 00:35 - 2012-06-01 00:36 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120601-003651.backup
2012-05-29 00:17 - 2012-06-01 00:35 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120601-003529.backup
2012-05-29 00:16 - 2012-05-29 00:17 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120529-001717.backup
2012-05-29 00:14 - 2012-05-29 00:16 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120529-001602.backup
2012-05-28 00:29 - 2012-05-29 00:14 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120529-001447.backup
2012-05-28 00:28 - 2012-05-28 00:29 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120528-002938.backup
2012-05-28 00:27 - 2012-05-28 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120528-002827.backup
2012-05-25 00:25 - 2012-05-28 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120528-002725.backup
2012-05-25 00:24 - 2012-05-25 00:25 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120525-002558.backup
2012-05-25 00:23 - 2012-05-25 00:24 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120525-002445.backup
2012-05-22 00:14 - 2012-05-25 00:23 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120525-002340.backup
2012-05-22 00:13 - 2012-05-22 00:14 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120522-001411.backup
2012-05-22 00:11 - 2012-05-22 00:13 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120522-001308.backup
2012-05-21 18:24 - 2008-11-10 18:27 - 00087424 ___AH (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll.000.bak
2012-05-21 00:26 - 2012-05-22 00:11 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120522-001157.backup
2012-05-21 00:25 - 2012-05-21 00:26 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120521-002655.backup
2012-05-21 00:24 - 2012-05-21 00:25 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120521-002542.backup
2012-05-18 00:23 - 2012-05-21 00:24 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120521-002429.backup
2012-05-18 00:22 - 2012-05-18 00:23 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120518-002316.backup
2012-05-18 00:20 - 2012-05-18 00:22 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120518-002206.backup
2012-05-17 00:29 - 2012-05-17 00:24 - 00017429 ___AH C:\Windows\KB2675157-IE8.log
2012-05-17 00:20 - 2012-05-17 00:17 - 00009214 ___AH C:\Windows\KB2653956.log
2012-05-16 11:08 - 2006-11-08 00:03 - 00916992 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\wininet.dll
2012-05-16 11:08 - 2006-04-30 02:56 - 00916992 ___AH (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-15 00:23 - 2012-05-18 00:20 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120518-002056.backup
2012-05-15 00:22 - 2012-05-15 00:23 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120515-002342.backup
2012-05-15 00:21 - 2012-05-15 00:22 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120515-002230.backup
2012-05-14 00:06 - 2012-05-15 00:21 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120515-002118.backup
2012-05-14 00:05 - 2012-05-14 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120514-000627.backup
2012-05-14 00:04 - 2012-05-14 00:05 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120514-000523.backup
2012-05-11 20:12 - 2008-10-03 13:41 - 11111424 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\ieframe.dll
2012-05-11 20:12 - 2006-11-08 00:03 - 11111424 ___AH (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-11 10:42 - 2012-07-19 00:32 - 00521728 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll
2012-05-11 10:42 - 2010-06-09 04:37 - 00743424 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\iedvtool.dll
2012-05-11 10:42 - 2010-05-10 14:03 - 00247808 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\ieproxy.dll
2012-05-11 10:42 - 2010-05-10 14:03 - 00012800 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\xpshims.dll
2012-05-11 10:42 - 2008-08-26 03:24 - 02000384 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\iertutil.dll
2012-05-11 10:42 - 2008-08-26 03:24 - 00629760 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\msfeeds.dll
2012-05-11 10:42 - 2008-08-26 03:24 - 00055296 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\msfeedsbs.dll
2012-05-11 10:42 - 2006-11-08 00:03 - 06007808 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
2012-05-11 10:42 - 2006-11-08 00:03 - 01212416 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\urlmon.dll
2012-05-11 10:42 - 2006-11-08 00:03 - 00629760 ___AH (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-05-11 10:42 - 2006-11-08 00:03 - 00611840 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\mstime.dll
2012-05-11 10:42 - 2006-11-08 00:03 - 00184320 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\iepeers.dll
2012-05-11 10:42 - 2006-11-08 00:03 - 00067072 ___AH (Microsoft Corporation) C:\Windows\System32\dllcache\mshtmled.dll
2012-05-11 10:42 - 2006-11-08 00:03 - 00055296 ___AH (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-05-11 10:42 - 2006-11-08 00:03 - 00025600 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\jsproxy.dll
2012-05-11 10:42 - 2006-11-07 06:27 - 00387584 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\iedkcs32.dll
2012-05-11 10:42 - 2006-10-17 15:05 - 01469440 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\inetcpl.cpl
2012-05-11 10:42 - 2006-10-17 15:05 - 00105984 ___AH (Microsoft Corporation) C:\Windows\System32\dllcache\url.dll
2012-05-11 10:42 - 2006-10-17 15:05 - 00043520 ___AH (Microsoft Corporation) C:\Windows\System32\dllcache\licmgr10.dll
2012-05-11 10:42 - 2006-10-17 15:04 - 00206848 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\occache.dll
2012-05-11 10:42 - 2006-10-17 14:57 - 02000384 ___AH (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-11 10:42 - 2006-04-30 02:56 - 01212416 ___AH (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-11 10:42 - 2006-04-30 02:56 - 00105984 ___AH (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-11 10:42 - 2006-04-30 02:55 - 06007808 ___AH (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-11 10:42 - 2006-04-30 02:55 - 01469440 ____H (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-11 10:42 - 2006-04-30 02:55 - 00611840 ____H (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-05-11 10:42 - 2006-04-30 02:55 - 00387584 ____H (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-05-11 10:42 - 2006-04-30 02:55 - 00206848 ____H (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-05-11 10:42 - 2006-04-30 02:55 - 00184320 ___AH (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-05-11 10:42 - 2006-04-30 02:55 - 00067072 ___AH (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-11 10:42 - 2006-04-30 02:55 - 00043520 ___AH (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-05-11 10:42 - 2006-04-30 02:55 - 00025600 ___AH (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-11 07:38 - 2006-11-07 06:26 - 00174080 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\ie4uinit.exe
2012-05-11 07:38 - 2006-04-30 02:55 - 00385024 ___AH (Microsoft Corporation) C:\Windows\System32\html.iec
2012-05-11 07:38 - 2006-04-30 02:55 - 00174080 ____H (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-05-11 00:34 - 2012-05-14 00:04 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120514-000408.backup
2012-05-11 00:33 - 2012-05-11 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120511-003448.backup
2012-05-11 00:32 - 2012-05-11 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120511-003347.backup
2012-05-08 00:31 - 2012-05-11 00:32 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120511-003234.backup
2012-05-08 00:30 - 2012-05-08 00:31 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120508-003157.backup
2012-05-08 00:29 - 2012-05-08 00:30 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120508-003043.backup
2012-05-07 00:09 - 2012-05-08 00:29 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120508-002929.backup
2012-05-07 00:08 - 2012-05-07 00:09 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120507-000930.backup
2012-05-07 00:07 - 2012-05-07 00:08 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120507-000819.backup
2012-05-04 00:10 - 2012-05-07 00:07 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120507-000708.backup
2012-05-04 00:09 - 2012-05-04 00:10 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120504-001053.backup
2012-05-04 00:08 - 2012-05-04 00:09 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120504-000941.backup
2012-05-02 09:46 - 2011-08-10 21:37 - 00139656 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\rdpwd.sys
2012-05-02 09:46 - 2006-04-30 02:55 - 00139656 ___AH (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-05-01 00:06 - 2012-05-04 00:08 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120504-000827.backup
2012-05-01 00:05 - 2012-05-01 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120501-000654.backup
2012-05-01 00:04 - 2012-05-01 00:05 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120501-000545.backup
2012-04-30 00:34 - 2012-05-01 00:04 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120501-000441.backup
2012-04-30 00:33 - 2012-04-30 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120430-003439.backup
2012-04-30 00:32 - 2012-04-30 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120430-003327.backup
2012-04-27 00:35 - 2012-04-30 00:32 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120430-003226.backup
2012-04-27 00:34 - 2012-04-27 00:35 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120427-003555.backup
2012-04-27 00:33 - 2012-04-27 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120427-003439.backup
2012-04-26 11:21 - 2012-04-26 11:11 - 00008192 ___AH C:\Documents and Settings\kristine\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-24 23:10 - 2012-04-24 23:09 - 00001736 ___AH C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
2012-04-24 00:29 - 2012-04-27 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120427-003322.backup
2012-04-24 00:28 - 2012-04-24 00:29 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120424-002954.backup
2012-04-24 00:27 - 2012-04-24 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120424-002843.backup
2012-04-23 00:08 - 2012-04-24 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120424-002733.backup
2012-04-23 00:06 - 2012-04-23 00:08 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120423-000807.backup
2012-04-23 00:05 - 2012-04-23 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120423-000654.backup
 
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points (XP) =====================
RP: -> 2012-07-19 00:44 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2868
RP: -> 2012-07-19 00:37 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2867
RP: -> 2012-07-19 00:36 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2866
RP: -> 2012-07-19 00:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2865
RP: -> 2012-07-19 00:29 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2864
RP: -> 2012-07-18 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2863
RP: -> 2012-07-18 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2862
RP: -> 2012-07-18 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2861
RP: -> 2012-07-18 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2860
RP: -> 2012-07-18 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2859
RP: -> 2012-07-18 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2858
RP: -> 2012-07-18 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2857
RP: -> 2012-07-18 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2856
RP: -> 2012-07-18 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2855
RP: -> 2012-07-18 00:27 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2854
RP: -> 2012-07-18 00:05 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2853
RP: -> 2012-07-17 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2852
RP: -> 2012-07-17 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2851
RP: -> 2012-07-17 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2850
RP: -> 2012-07-17 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2849
RP: -> 2012-07-17 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2848
RP: -> 2012-07-17 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2847
RP: -> 2012-07-17 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2846
RP: -> 2012-07-17 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2845
RP: -> 2012-07-17 02:34 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2844
RP: -> 2012-07-17 00:14 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2843
RP: -> 2012-07-16 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2842
RP: -> 2012-07-16 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2841
RP: -> 2012-07-16 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2840
RP: -> 2012-07-16 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2839
RP: -> 2012-07-16 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2838
RP: -> 2012-07-16 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2837
RP: -> 2012-07-16 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2836
RP: -> 2012-07-16 00:49 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2835
RP: -> 2012-07-16 00:24 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2834
RP: -> 2012-07-15 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2833
RP: -> 2012-07-15 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2832
RP: -> 2012-07-15 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2831
RP: -> 2012-07-15 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2830
RP: -> 2012-07-15 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2829
RP: -> 2012-07-15 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2828
RP: -> 2012-07-15 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2827
RP: -> 2012-07-15 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2826
RP: -> 2012-07-15 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2825
RP: -> 2012-07-15 00:25 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2824
RP: -> 2012-07-15 00:05 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2823
RP: -> 2012-07-14 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2822
RP: -> 2012-07-14 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2821
RP: -> 2012-07-14 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2820
RP: -> 2012-07-14 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2819
RP: -> 2012-07-14 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2818
RP: -> 2012-07-14 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2817
RP: -> 2012-07-14 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2816
RP: -> 2012-07-14 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2815
RP: -> 2012-07-14 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2814
RP: -> 2012-07-14 00:36 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2813
RP: -> 2012-07-14 00:15 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2812
RP: -> 2012-07-13 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2811
RP: -> 2012-07-13 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2810
RP: -> 2012-07-13 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2809
RP: -> 2012-07-13 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2808
RP: -> 2012-07-13 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2807
RP: -> 2012-07-13 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2806
RP: -> 2012-07-13 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2805
RP: -> 2012-07-13 01:11 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2804
RP: -> 2012-07-13 00:22 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2803
RP: -> 2012-07-12 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2802
RP: -> 2012-07-12 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2801
RP: -> 2012-07-12 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2800
RP: -> 2012-07-12 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2799
RP: -> 2012-07-12 18:26 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2798
RP: -> 2012-07-12 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2797
RP: -> 2012-07-12 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2796
RP: -> 2012-07-12 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2795
RP: -> 2012-07-12 00:50 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2794
RP: -> 2012-07-12 00:29 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2793
RP: -> 2012-07-11 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2792
RP: -> 2012-07-11 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2791
RP: -> 2012-07-11 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2790
RP: -> 2012-07-11 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2789
RP: -> 2012-07-11 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2788
RP: -> 2012-07-11 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2787
RP: -> 2012-07-11 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2786
RP: -> 2012-07-11 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2785
RP: -> 2012-07-11 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2784
RP: -> 2012-07-11 00:30 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2783
RP: -> 2012-07-11 00:07 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2782
RP: -> 2012-07-10 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2781
RP: -> 2012-07-10 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2780
RP: -> 2012-07-10 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2779
RP: -> 2012-07-10 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2778
RP: -> 2012-07-10 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2777
RP: -> 2012-07-10 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2776
RP: -> 2012-07-10 00:40 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2775
RP: -> 2012-07-10 00:15 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2774
RP: -> 2012-07-09 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2773
RP: -> 2012-07-09 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2772
RP: -> 2012-07-09 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2771
RP: -> 2012-07-09 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2770
RP: -> 2012-07-09 12:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2769
RP: -> 2012-07-09 00:43 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2768
RP: -> 2012-07-09 00:17 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2767
RP: -> 2012-07-08 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2766
RP: -> 2012-07-08 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2765
RP: -> 2012-07-08 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2764
RP: -> 2012-07-08 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2763
RP: -> 2012-07-08 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2762
RP: -> 2012-07-08 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2761
RP: -> 2012-07-08 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2760
RP: -> 2012-07-08 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2759
RP: -> 2012-07-08 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2758
RP: -> 2012-07-08 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2757
RP: -> 2012-07-08 00:47 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2756
RP: -> 2012-07-08 00:26 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2755
RP: -> 2012-07-07 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2754
RP: -> 2012-07-07 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2753
RP: -> 2012-07-07 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2752
RP: -> 2012-07-07 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2751
RP: -> 2012-07-07 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2750
RP: -> 2012-07-07 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2749
RP: -> 2012-07-07 16:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2748
RP: -> 2012-07-07 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2747
RP: -> 2012-07-07 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2746
RP: -> 2012-07-07 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2745
RP: -> 2012-07-07 00:28 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2744
RP: -> 2012-07-07 00:06 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2743
RP: -> 2012-07-06 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2742
RP: -> 2012-07-06 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2741
RP: -> 2012-07-06 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2740
RP: -> 2012-07-06 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2739
RP: -> 2012-07-06 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2738
RP: -> 2012-07-06 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2737
RP: -> 2012-07-06 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2736
RP: -> 2012-07-06 00:36 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2735
RP: -> 2012-07-06 00:16 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2734
RP: -> 2012-07-05 22:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2733
RP: -> 2012-07-05 20:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2732
RP: -> 2012-07-05 18:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2731
RP: -> 2012-07-05 16:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2730
RP: -> 2012-07-05 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2729
RP: -> 2012-07-05 12:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2728
RP: -> 2012-07-05 00:37 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2727
RP: -> 2012-07-05 00:23 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2726
RP: -> 2012-07-04 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2725
RP: -> 2012-07-04 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2724
RP: -> 2012-07-04 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2723
RP: -> 2012-07-04 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2722
RP: -> 2012-07-04 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2721
RP: -> 2012-07-04 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2720
RP: -> 2012-07-04 16:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2719
RP: -> 2012-07-04 16:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2718
RP: -> 2012-07-04 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2717
RP: -> 2012-07-04 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2716
RP: -> 2012-07-04 12:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2715
RP: -> 2012-07-04 12:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2714
RP: -> 2012-07-04 00:14 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2713
RP: -> 2012-07-04 00:01 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2712
RP: -> 2012-07-03 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2711
RP: -> 2012-07-03 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2710
========================= Memory info ======================
Percentage of memory in use: 21%
Total physical RAM: 1014.17 MB
Available physical RAM: 794.05 MB
Total Pagefile: 901.73 MB
Available Pagefile: 840.25 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.18 MB
======================= Partitions =========================
1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: (Preload) (Fixed) (Total:145.58 GB) (Free:113.07 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: (MULTIBOOT) (Removable) (Total:7.52 GB) (Free:2.29 GB) FAT32
4 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 146 GB 1024 KB
Partition 2 OEM 3556 MB 146 GB
Partition 3 Unknown 1872 KB 149 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Preload NTFS Partition 146 GB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 12
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 SERVICEV001 FAT32 Partition 3556 MB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 Partition 2048 KB Healthy
==================================================================================
======================= End Of Log ==========================
 
I skipped over the part where "ComboFix freezes". Which may not be good. If this is a business PC, I have no idea what to tell you. It's at own risk.

FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuwr
2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuw
2012-07-19 09:55 - 2012-07-19 09:56 - 00000368 ___AH C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw
2012-06-22 10:05 - 2012-06-22 10:05 - 00045056 ___SH C:\Documents and Settings\kristine\1ee7e578-5753.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

NEXT, go to the Desktop of OTLPE front screen, and double click on OTL.exe. Please run a Quick Scan and post the logs from it as well.
 
This particular machine is a friend's, but as a tech I try to make sure I mind my P's and Q's.

Do you want me to run FRST out of the System Recovery Options from a Windows XP boot disk, or are you referring to a particular program within the OTLPE?
 
Since this is one of those PCs that only comes with a recovery disk and no Windows startup one, I'm using a generic retail disk from Microsoft and booting off that. After it finishes all the driver loads and goes to "Starting Windows..." however, it blue-screens on pci.sys.

Not sure if this is related to the other problems, or because I'm booting off a Home disk and this machine is XP Professional. I don't recall having seen that type of crash before, however, and I've often run CHKDSK this way off whatever boot disk was lying closest to me.
 
Sorry if it seems like comment spam. I just apparently don't have a disk that works while at home to get into a proper recovery environment. Will FRST run from Safe Mode w/Command Prompt?
 
Going to be largely away until Monday, so I hope it runs OK from Safe Mode. The log file complained about it, but the actions seem to have taken place. Let me know if "Fix" in FRST was supposed to do more:


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012
Ran by Administrator at 2012-07-21 16:39:46 Run:1
Running from E:\cleanup

ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==============================================

C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuwr moved successfully.
C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuw moved successfully.
C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw moved successfully.
C:\Documents and Settings\kristine\1ee7e578-5753.exe moved successfully.

==== End of Fixlog ====


OTL logfile created on: 7/21/2012 5:56:57 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 772.00 Mb Available Physical Memory | 76.00% Memory free
902.00 Mb Paging File | 844.00 Mb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.58 Gb Total Space | 113.07 Gb Free Space | 77.67% Space Free | Partition Type: NTFS
Drive D: | 7.52 Gb Total Space | 2.29 Gb Free Space | 30.42% Space Free | Partition Type: FAT32
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet004

========== Win32 Services (SafeList) ==========

SRV - [2012/07/12 18:25:51 | 000,136,616 | -H-- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2012/07/12 18:25:15 | 000,374,184 | -H-- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/07/12 11:14:58 | 000,250,056 | -H-- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/02/23 17:41:45 | 000,086,856 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZWatchDog.exe -- (SAAZWatchDog)
SRV - [2012/02/23 17:41:45 | 000,086,856 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZDPMACTL.exe -- (SAAZDPMACTL)
SRV - [2012/02/23 17:41:45 | 000,078,664 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZRemoteSupport.exe -- (SAAZRemoteSupport)
SRV - [2012/02/23 17:26:24 | 000,077,824 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZScheduler.exe -- (SAAZScheduler)
SRV - [2011/08/09 13:31:24 | 000,230,216 | -H-- | M] (Zenith Infotech ltd.) [Disabled] -- C:\Program Files\SAAZOD\zSCC\zEvtSVC.exe -- (ZEvtSVC)
SRV - [2011/05/31 14:15:16 | 000,082,760 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\zRealTime\SAAZapsc.exe -- (SAAZapsc)
SRV - [2011/05/31 14:14:38 | 000,082,760 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe -- (SAAZappr)
SRV - [2011/04/18 14:11:40 | 000,028,672 | -H-- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2011/02/15 14:12:51 | 000,389,960 | -H-- | M] (CA) [Auto] -- C:\Program Files\CA\eTrustITM\InoTask.exe -- (InoTask)
SRV - [2010/11/08 13:04:20 | 000,390,528 | -H-- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2009/12/07 16:19:18 | 000,283,888 | -H-- | M] (CA, Inc.) [Auto] -- C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe -- (ITMRTSVC)
SRV - [2009/09/29 15:23:54 | 000,192,512 | -H-- | M] (CA) [Auto] -- C:\Program Files\CA\eTrustITM\InoRpc.exe -- (InoRPC)
SRV - [2009/09/29 15:23:53 | 000,208,896 | -H-- | M] (CA) [Auto] -- C:\Program Files\CA\eTrustITM\InoRT.exe -- (InoRT)
SRV - [2009/09/16 19:22:08 | 000,020,480 | -H-- | M] (Intuit) [Auto] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/04/30 20:46:58 | 000,077,824 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZServerPlus.exe -- (SAAZServerPlus)
SRV - [2007/08/03 19:10:46 | 000,644,408 | -H-- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/07/11 23:38:44 | 000,569,344 | -H-- | M] () [Auto] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2007/07/11 22:19:00 | 000,045,056 | -H-- | M] () [Auto] -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe -- (tvtnetwk)
SRV - [2007/05/24 07:08:44 | 000,061,440 | -H-- | M] (Intuit Inc.) [On_Demand] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/02/05 07:57:24 | 000,106,496 | -H-- | M] (CA, Inc.) [Auto] -- C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe -- (iGateway)
SRV - [2007/01/04 22:48:52 | 000,112,152 | RH-- | M] (InterVideo) [Auto] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2007/01/04 17:38:08 | 000,024,652 | -H-- | M] (Viewpoint Corporation) [Auto] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/09/13 10:32:12 | 000,128,536 | -H-- | M] (iAnywhere Solutions, Inc.) [Auto] -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe -- (QuickBooksDB18)
SRV - [2006/05/23 23:08:06 | 000,622,700 | -H-- | M] (Diskeeper Corporation) [Auto] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/02/23 12:41:02 | 002,045,632 | -H-- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2005/10/06 21:12:30 | 000,855,552 | -H-- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (USBAAPL)
DRV - File not found [Kernel | On_Demand] -- -- (TVTPktFilter)
DRV - File not found [Kernel | On_Demand] -- -- (SymIMMP)
DRV - File not found [Kernel | On_Demand] -- -- (SymIM)
DRV - File not found [Kernel | System] -- -- (SASKUTIL)
DRV - File not found [Kernel | System] -- -- (SASDIFSV)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (mcdbus)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2012/01/31 22:30:34 | 000,083,360 | -H-- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/09/17 16:40:06 | 000,012,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/04/29 04:00:00 | 000,288,896 | -H-- | M] (Marvell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/10/22 04:41:34 | 004,622,848 | -H-- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/10/18 21:14:32 | 000,184,080 | -H-- | M] (Computer Associates) [File_System | Auto] -- C:\WINDOWS\system32\drivers\ino_fltr.sys -- (INO_FLTR)
DRV - [2007/08/06 22:07:02 | 000,027,536 | -H-- | M] (Computer Associates) [File_System | Boot] -- C:\WINDOWS\system32\drivers\ino_flpy.sys -- (INO_FLPY)
DRV - [2007/05/22 18:59:38 | 000,030,336 | -H-- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2007/05/22 03:59:34 | 000,021,376 | -H-- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/02/02 08:20:00 | 000,094,332 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/02/02 08:20:00 | 000,087,036 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/02/02 08:20:00 | 000,086,652 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/02/02 08:20:00 | 000,025,628 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/02/02 08:20:00 | 000,014,684 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/02/02 08:20:00 | 000,006,364 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/02/02 08:20:00 | 000,002,496 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/11/18 15:02:50 | 000,005,660 | -H-- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/11/18 15:02:10 | 000,022,684 | -H-- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2003/02/11 16:25:14 | 000,009,216 | -H-- | M] (Primax Electronics Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PELUSBLF.SYS -- (pelusblf)
DRV - [2003/01/10 16:55:32 | 000,016,384 | -H-- | M] (Primax Electronics Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PELMOUSE.SYS -- (pelmouse)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\audrey_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\audrey_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\audrey_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKU\audrey_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?mtmhp=txtlnkusaolp00000051
IE - HKU\kristine_ON_C\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKU\kristine_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\kristine_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


IE - HKU\LogMeInRemoteUser_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\LogMeInRemoteUser_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKU\LogMeInRemoteUser_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2012/06/22 10:04:41 | 000,000,761 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (AOL Messaging Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (AOL Messaging Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\Administrator.SMALLBUSINESS_ON_C\..\Toolbar\WebBrowser: (AOL Messaging Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKU\Administrator.SMALLBUSINESS_ON_C\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\audrey_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\audrey_ON_C\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\kristine_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\kristine_ON_C\..\Toolbar\WebBrowser: (AOL Messaging Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKU\kristine_ON_C\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [Realtime Monitor] C:\Program Files\CA\eTrustITM\realmon.exe (CA)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\Administrator.SMALLBUSINESS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\audrey_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\audrey_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kristine_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\kristine_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kristine_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LogMeInRemoteUser_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\LogMeInRemoteUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\QBDataServiceUser18_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\QBDataServiceUser18_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.25 24.225.193.110 24.225.193.111 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = smallbusiness.local
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/30 03:13:35 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{8e2c3f6f-b3c3-11e0-8132-0021971730ba}\Shell - "" = AutoRun
O33 - MountPoints2\{8e2c3f6f-b3c3-11e0-8132-0021971730ba}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8e2c3f6f-b3c3-11e0-8132-0021971730ba}\Shell\AutoRun\command - "" = E:\TL-Bootstrap.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/07/20 15:29:44 | 000,000,000 | ---D | C] -- C:\FRST
[2012/07/20 14:07:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2012/07/19 17:08:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kristine\Application Data\SUPERAntiSpyware.com
[2012/07/19 17:08:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/07/19 17:01:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kristine\Application Data\Malwarebytes
[2012/07/19 17:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/19 17:01:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/07/19 17:01:16 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/07/19 17:01:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/07/19 15:57:44 | 000,000,000 | --SD | C] -- C:\cfx
[2012/07/19 15:41:43 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\kristine\Desktop\aswMBR.exe
[2012/07/19 15:33:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\FixTDSS
[2012/07/19 15:30:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/07/19 15:28:36 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\kristine\Recent
[2012/07/19 10:38:30 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/19 10:32:47 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/19 10:32:47 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/19 10:32:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/19 10:32:47 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/19 10:31:33 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/07/19 10:29:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/19 10:28:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/07/19 09:56:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\kristine\Start Menu\Programs\File Recovery
[2012/06/22 15:24:32 | 000,000,000 | -H-D | C] -- C:\WINDOWS\pss
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/21 16:50:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/21 15:31:57 | 000,002,278 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/19 17:06:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/19 16:50:51 | 000,000,355 | RHS- | M] () -- C:\boot.ini
[2012/07/19 15:38:52 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\kristine\Desktop\aswMBR.exe
[2012/07/19 15:27:53 | 000,000,236 | -H-- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2012/07/19 15:27:51 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/19 10:38:22 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/07/19 10:12:07 | 000,000,245 | ---- | M] () -- C:\Boot.bak
[2012/07/19 09:55:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/07/19 09:55:45 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\ThinkVantage
[2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Syscan
[2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy SBE
[2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Remote Support
[2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickBooks
[2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Picasa2
[2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Multimedia Center For Think Offerings
[2012/07/19 09:55:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\PrintMe Internet Printing
[2012/07/19 09:55:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\PC-Doctor 5 for Windows
[2012/07/19 09:55:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Mouse
[2012/07/19 09:55:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Keyboard
[2012/07/19 09:55:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\JMA
[2012/07/19 09:55:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\HP
[2012/07/19 09:55:43 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Games
[2012/07/19 09:55:43 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2012/07/19 09:55:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Desktop
[2012/07/19 09:55:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Diskeeper Corporation
[2012/07/19 09:55:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\AIM
[2012/07/19 09:55:42 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
[2012/07/19 09:50:00 | 000,000,256 | -H-- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2012/07/19 09:47:26 | 000,000,564 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\106.7 Lite fm - 106.7 Lite fm New York.url
[2012/07/19 09:20:00 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/19 09:14:00 | 000,000,830 | -H-- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/19 09:13:47 | 000,318,531 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\ERBOE.jpg
[2012/07/19 09:07:10 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\kristine\Desktop\Microsoft Office Outlook 2003.lnk
[2012/07/19 00:42:54 | 000,445,452 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/07/19 00:42:54 | 000,073,202 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/07/19 00:35:11 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/17 15:01:48 | 000,011,778 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\Intuit.pdf
[2012/07/17 10:14:23 | 000,000,322 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\PNC Bank.url
[2012/07/16 15:17:23 | 000,011,778 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\ERutherford.pdf
[2012/07/16 10:46:58 | 000,233,455 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\cosco.jpg
[2012/07/12 18:25:15 | 000,087,456 | -H-- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[2012/07/12 18:25:15 | 000,030,624 | -H-- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/06/28 09:42:34 | 000,309,173 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\carrabbas.jpg
[2012/06/26 13:07:07 | 000,134,731 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\louie.jpg
[2012/06/22 15:24:11 | 000,001,116 | -H-- | M] () -- C:\IPH.PH
[2012/06/22 15:22:20 | 000,002,029 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\Retry AIM Installation.lnk
[2012/06/22 14:46:20 | 000,360,823 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\Better Proposal for Louie.jpg
[2012/06/22 10:04:41 | 000,000,761 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120625-000705.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120717-001837.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120717-001734.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120717-001629.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120716-003026.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120716-002925.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120716-002824.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120713-003030.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120713-002927.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120713-002755.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120710-002002.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120710-001900.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120710-001758.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120709-002508.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120709-002405.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120709-002258.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120706-002327.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120706-002226.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120706-002121.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120703-001444.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120703-001340.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120703-001236.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120702-002509.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120702-002407.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120702-002300.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120629-002334.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120629-002231.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120629-002112.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120626-001514.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120626-001413.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120626-001312.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120625-000908.backup
[2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120625-000807.backup
[2012/06/22 10:04:41 | 000,000,761 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120719-171050.backup
[2012/06/22 10:04:41 | 000,000,761 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/22 00:28:43 | 000,440,483 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120622-002956.backup
[2012/06/22 00:27:33 | 000,440,483 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120622-002843.backup
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/19 10:38:46 | 000,000,245 | ---- | C] () -- C:\Boot.bak
[2012/07/19 10:38:34 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/07/19 10:32:47 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/19 10:32:47 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/19 10:32:47 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/19 10:32:47 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/19 10:32:47 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/07/19 10:32:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/07/19 09:13:26 | 000,318,531 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\ERBOE.jpg
[2012/07/17 15:01:35 | 000,011,778 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\Intuit.pdf
[2012/07/16 15:17:09 | 000,011,778 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\ERutherford.pdf
[2012/07/16 10:46:04 | 000,233,455 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\cosco.jpg
[2012/06/28 09:41:39 | 000,309,173 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\carrabbas.jpg
[2012/06/26 13:02:06 | 000,134,731 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\louie.jpg
[2012/06/22 15:23:17 | 000,000,830 | -H-- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/06/22 15:22:15 | 000,002,029 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\Retry AIM Installation.lnk
[2012/06/22 14:45:26 | 000,360,823 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\Better Proposal for Louie.jpg
[2012/04/26 11:11:31 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\kristine\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/16 02:17:16 | 000,003,072 | -H-- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/17 00:26:54 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator.SMALLBUSINESS\Ÿ9Ÿ9
[2009/08/03 15:07:42 | 000,403,816 | -H-- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | -H-- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/04/13 14:16:40 | 004,111,360 | -H-- | C] () -- C:\Program Files\Common Files\Remote Deposit Client.msi
[2008/11/13 15:17:27 | 000,007,680 | -H-- | C] () -- C:\Documents and Settings\audrey\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/13 13:29:24 | 000,157,672 | -H-- | C] () -- C:\WINDOWS\hpoins28.dat
[2008/11/13 13:29:24 | 000,000,932 | -H-- | C] () -- C:\WINDOWS\hpomdl28.dat
[2008/11/12 12:17:39 | 000,000,376 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/10 13:27:08 | 000,000,061 | -H-- | C] () -- C:\WINDOWS\smscfg.ini
[2008/10/10 13:06:15 | 000,114,688 | -H-- | C] () -- C:\WINDOWS\desktopset.exe
[2008/10/10 13:02:46 | 000,204,800 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/10/10 13:02:46 | 000,200,704 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/10/10 13:02:46 | 000,192,512 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/10/10 13:02:46 | 000,192,512 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/10/10 13:02:46 | 000,188,416 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/10/10 13:02:46 | 000,020,480 | -H-- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/10/10 13:00:59 | 000,000,124 | -H-- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/10 12:56:28 | 000,147,456 | -H-- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4873.dll
[2008/10/10 12:56:14 | 000,049,152 | -H-- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2008/10/10 12:55:47 | 000,005,528 | -H-- | C] () -- C:\WINDOWS\System32\Setup2k.ini
[2008/10/10 12:55:47 | 000,000,296 | -H-- | C] () -- C:\WINDOWS\System32\presetup.ini
[2008/10/10 12:55:46 | 000,024,576 | -H-- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
[2008/10/10 12:55:46 | 000,020,480 | -H-- | C] () -- C:\WINDOWS\System32\FSRremoS.EXE
[2008/10/10 12:51:22 | 000,000,138 | -H-- | C] () -- C:\WINDOWS\System32\Softkbd.exe.config
[2007/02/19 15:15:38 | 000,331,264 | -H-- | C] () -- C:\WINDOWS\System32\DP485WIA.dll
[2007/01/16 11:12:12 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/05 17:20:36 | 000,079,400 | -H-- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2006/04/30 03:31:51 | 000,004,670 | -H-- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/04/30 03:22:10 | 000,000,791 | -H-- | C] () -- C:\WINDOWS\orun32.ini
[2006/04/30 03:19:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/04/30 03:10:07 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/04/30 02:55:59 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/04/30 02:55:55 | 000,445,452 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/04/30 02:55:55 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/04/30 02:55:55 | 000,073,202 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/04/30 02:55:55 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/04/30 02:55:54 | 000,004,547 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/04/30 02:55:52 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/04/30 02:55:50 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/04/30 02:55:44 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/04/30 02:55:44 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/04/30 02:55:37 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/04/30 02:55:28 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/04/29 20:04:28 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/04/29 20:03:29 | 000,282,928 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 16:05:08 | 000,002,695 | -H-- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator.SMALLBUSINESS\Application Data\Lenovo
[2012/07/19 15:33:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FixTDSS
[2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Application Data\Lenovo
[2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\audrey\Application Data\Lenovo
[2010/01/28 12:37:25 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\3M
[2010/09/23 13:13:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\acccore
[2010/01/28 12:36:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\GetRightToGo
[2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\Lenovo
[2010/11/19 12:58:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\PriceGong
[2009/05/19 08:04:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\Viewpoint
[2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Lenovo
[2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\QBDataServiceUser18\Application Data\Lenovo
[2010/09/23 13:11:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
[2008/11/18 13:03:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AIM Toolbar
[2008/11/13 14:24:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2010/09/09 14:50:47 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DNC
[2010/01/04 11:54:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2009/04/15 15:30:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\kinoma
[2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2012/07/20 10:17:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2009/04/15 15:31:23 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Marlin
[2009/04/13 13:56:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2008/10/10 13:14:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/04/13 13:55:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Syscan
[2010/05/10 13:53:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/10 09:56:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2012/01/16 10:02:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/07/19 09:50:00 | 000,000,256 | -H-- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
[2012/07/19 15:27:53 | 000,000,236 | -H-- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 834 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35E5AF34
< End of report >
 
ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time rename
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
Thanks. I'm used to renaming ComboFix to a "randomstring.com" username, but not giving those kinds of names. It still froze as svchost.exe, but I'll try through all of them in succession now. Just wanted to update a bit more I was able to do before your current update from your previous instructions first.

I was unable to run the FRST steps from a Recovery Console, but it seemed to run OK from Safe Mode and apparently removed enough that I could run TDSSkiller (which found and killed an Rloader.a infection in ACPI.sys) and aswMBR (which locates but cannot fix an infection, and whose log file I will list below.)

HitmanPro can run now as well and sees some temp infections and rates mscomm32.ocx as "suspicious" as well. (Did not have it clean, just tested.)

dds.scr still fails to complete, and I have not successfully gotten ComboFix to run yet, but I'll continue through the other renamings.
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-23 00:43:50
-----------------------------
00:43:50.359 OS Version: Windows 5.1.2600 Service Pack 3
00:43:50.359 Number of processors: 2 586 0xF0D
00:43:50.359 ComputerName: HL111008 UserName: Kristine
00:43:50.640 Initialize success
00:45:31.671 AVAST engine defs: 12072201
00:46:01.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
00:46:01.796 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
00:46:01.828 Disk 0 MBR read successfully
00:46:01.828 Disk 0 MBR scan
00:46:01.875 Disk 0 Windows XP default MBR code
00:46:01.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
00:46:01.937 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
00:46:01.953 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
00:46:01.968 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
00:46:02.015 Disk 0 scanning sectors +312581792
00:46:03.484 Disk 0 scanning C:\WINDOWS\system32\drivers
00:46:13.218 Service scanning
00:46:32.640 Modules scanning
00:46:38.359 Disk 0 trace - called modules:
00:46:38.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:46:38.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87375ab8]
00:46:38.515 3 CLASSPNP.SYS[f774cfd7] -> nt!IofCallDriver -> \Device\00000063[0x873ca9e8]
00:46:38.546 5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x87378d98]
00:46:38.921 AVAST engine scan C:\WINDOWS
00:47:03.859 AVAST engine scan C:\WINDOWS\system32
00:49:16.906 AVAST engine scan C:\WINDOWS\system32\drivers
00:49:37.046 AVAST engine scan C:\Documents and Settings\kristine
00:51:51.234 File: C:\Documents and Settings\kristine\Local Settings\Temp\34acf1a4-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:51:51.359 File: C:\Documents and Settings\kristine\Local Settings\Temp\35ad8ae8-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:51:51.531 File: C:\Documents and Settings\kristine\Local Settings\Temp\7ea807b2-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:52:29.156 AVAST engine scan C:\Documents and Settings\All Users
00:53:11.328 Scan finished successfully
00:53:19.890 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
00:53:19.937 The log file has been saved successfully to "C:\download\aswMBR.txt
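Added worked example (not from this thread, and not code from AVAST's tool): the three "Partition" lines in the aswMBR log above are the 64-byte MBR partition table decoded, and the 1 MB type-17 (hidden NTFS) partition that aswMBR flags as MBR:SST is exactly the kind of entry a bootkit adds to stash its loader outside the filesystem. The Python below rebuilds an MBR with that same table (boot code zeroed, since the real code is not in the log; the sector counts are the log's MB figures times 2048, which line up exactly with the offsets printed), parses it back, prints each entry in aswMBR's format, and flags what a responder looks for: tiny hidden partitions, overlapping entries, and unpartitioned slack at the end of the disk. The disk size of 312,581,808 sectors is an assumption (the LBA count of a 160 GB ST3160815AS); the log only shows the rounded 152627 MB.

```python
import struct

SECTOR = 512
SECTORS_PER_MB = 1024 * 1024 // SECTOR   # 2048

# Partition-type names as aswMBR prints them for the types seen in the log.
PTYPE_NAMES = {0x07: "HPFS/NTFS", 0x12: "Compaq diag", 0x17: "Hidd HPFS/NTFS"}
# "Hidden" variants of the DOS/Windows filesystem types; a normal install has none.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

# Partition table transcribed from the aswMBR log (constructed sample).
LOG_LAYOUT = [
    # (active, type, start LBA, size in sectors)
    (True,  0x07,      2048, 149069 * SECTORS_PER_MB),   # C: NTFS
    (False, 0x12, 305295360,   3556 * SECTORS_PER_MB),   # OEM diagnostics
    (False, 0x17, 312578048,      1 * SECTORS_PER_MB),   # flagged MBR:SST
]
# ASSUMPTION: LBA count of a 160 GB ST3160815AS; the log only shows 152627 MB.
DISK_SECTORS = 312581808


def build_mbr(entries, boot_code=b"\x00" * 446):
    """Assemble a 512-byte MBR: 446 bytes of code, 4 x 16-byte entries, 0x55AA."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", start, size)   # CHS fields = LBA-only marker
        for active, ptype, start, size in entries)
    table = table.ljust(64, b"\x00")           # unused slots stay zero
    return boot_code + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Decode the partition table; raise if the sector is not a valid MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        flag, _chs1, ptype, _chs2, start, size = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i + 1, "active": flag == 0x80, "type": ptype,
                      "start": start, "size": size, "end": start + size})
    return parts


def describe(p):
    """Render an entry the way aswMBR prints it (type byte, name, size, offset)."""
    flag = "80 (A)" if p["active"] else "00"
    name = PTYPE_NAMES.get(p["type"], "unknown")
    return (f"Partition {p['index']} {flag} {p['type']:02X} {name} "
            f"{p['size'] // SECTORS_PER_MB} MB offset {p['start']}")


def triage(parts, disk_sectors, small_mb=16):
    """Findings a responder wants: tiny hidden partitions (loader stash),
    overlapping entries, and unpartitioned slack after the last partition."""
    findings = []
    for p in parts:
        if p["type"] in HIDDEN_TYPES and p["size"] <= small_mb * SECTORS_PER_MB:
            findings.append(f"partition {p['index']}: hidden type {p['type']:02X}, only "
                            f"{p['size'] // SECTORS_PER_MB} MB at LBA {p['start']} -> dump and inspect")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end"] > b["start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    tail = disk_sectors - max(p["end"] for p in parts) if parts else disk_sectors
    if tail > 0:
        findings.append(f"{tail} unpartitioned sectors after the last partition -> scan them too")
    return findings


SAMPLE_MBR = build_mbr(LOG_LAYOUT)

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(describe(p))
    for f in triage(parts, DISK_SECTORS):
        print("!!", f)
```

The parser only sees the table, so it can say where the 1 MB hidden partition is (and that there are 1712 unaddressed sectors past it, which is the region aswMBR's "scanning sectors +312581792" line covers), not what it contains; dumping those sectors with dd from offline media is the next step. If the MBR.dat that aswMBR saved to C:\download is the raw 512-byte sector, it can be fed straight to parse_mbr. One caveat: any read made on the live infected system goes through the disk stack listed under "trace - called modules", and a rootkit hooking that path can hand back clean sectors, which is one reason results differ between the live system and a boot CD.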
 
Looks like ComboFix with any given name is causing the PC to freeze still. I have disabled all 3rd party services and startup items, meanwhile, to rule out any of that interaction.
 
I don't want to run a tool like ComboFix out of the reatogo-X-PE environment without asking, but would it do a thing? Are there other tools that might be able to scour the MBR and registry properly loaded from in there? I imagine they are not able to work as WELL, but if they're able to work at ALL would it help peel back the layers of this malware onion?
 
Also, something is definitely watching and scrubbing those processes after they run. ComboFix.exe when named to svchost.exe or winlogon.exe or iexplore.exe or explore.exe all freeze at some point, and their file also disappears from the directory they were run out of.
 
I was running it out of Safe Mode. Hadn't run anything out of OTLPE except what you were explicitly mentioning, just because I wasn't sure what would still target the Windows install properly.

I guess you're saying aswMBR is safe to run. ;-) But what about ComboFix? Other tools? There a hard and fast guide?

For reference, after doing the other cleanup and getting TDSSKiller and aswMBR to run at all, I could also run FixTDSS and it found and fixed... SOMEthing. I guess? But in the end it couldn't catch it all. It didn't throw the PC into a boot loop after running which needed to be Last Known'd back out of, however.
 
aswMBR does not detect any of the same infections when run from the PE as when it's run from Safe Mode, so it's still best to refer to the log listed above, rather than the one I will paste below. (I imagine.) Hence my questions about which tools to expect would work better or worse (or not at all) from the PE, or if there are any other steps I have to take first before they do operate effectively.

-----------

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-24 18:15:18
-----------------------------
18:15:18.421 OS Version: Windows 5.1.2600
18:15:18.421 Number of processors: 1 586 0xF0D
18:15:18.421 ComputerName: REATOGO UserName: SYSTEM
18:15:18.656 Initialze error 0
18:29:03.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
18:29:03.468 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
18:29:03.484 Disk 0 MBR read successfully
18:29:03.500 Disk 0 MBR scan
18:29:03.515 Disk 0 Windows XP default MBR code
18:29:03.531 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
18:29:03.578 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
18:29:03.609 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
18:29:03.640 Disk 0 scanning sectors +312581792
18:29:04.984 Disk 0 scanning X:\i386\system32\drivers
18:29:05.000 Service scanning
18:29:09.359 Modules scanning
18:29:09.921 Disk 0 trace - called modules:
18:29:09.968 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys halaacpi.dll atapi.sys pciide.sys PCIIDEX.SYS
18:29:11.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872dfab8]
18:29:11.031 3 CLASSPNP.SYS[f75d705b] -> nt!IofCallDriver -> \Device\0000004a[0x872dc9e8]
18:29:11.078 5 acpi.sys[f74a2620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x872ded98]
18:29:11.125 Scan finished successfully
18:29:45.937 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
18:29:46.031 The log file has been saved successfully to "C:\download\aswMBR5.txt"
 
We need the scan to be run from Safe Mode, as done before, please.

This scan in REATOGO (didn't mean to confuse you), is inaccurate because it is listing the REATOGO system's attributes rather than the actual PC's attributes.
 
That's what I thought, but your "Did you run aswMBR from OTLPE?" question threw me off, so I wasn't sure if there WERE some tools to run out of it.


I don't have a current scan available to me, but of the times I was running it the results were basically the same as logged upthread:

-------------------------

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-23 00:43:50
-----------------------------
00:43:50.359 OS Version: Windows 5.1.2600 Service Pack 3
00:43:50.359 Number of processors: 2 586 0xF0D
00:43:50.359 ComputerName: HL111008 UserName: Kristine
00:43:50.640 Initialize success
00:45:31.671 AVAST engine defs: 12072201
00:46:01.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
00:46:01.796 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
00:46:01.828 Disk 0 MBR read successfully
00:46:01.828 Disk 0 MBR scan
00:46:01.875 Disk 0 Windows XP default MBR code
00:46:01.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
00:46:01.937 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
00:46:01.953 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
00:46:01.968 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
00:46:02.015 Disk 0 scanning sectors +312581792
00:46:03.484 Disk 0 scanning C:\WINDOWS\system32\drivers
00:46:13.218 Service scanning
00:46:32.640 Modules scanning
00:46:38.359 Disk 0 trace - called modules:
00:46:38.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:46:38.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87375ab8]
00:46:38.515 3 CLASSPNP.SYS[f774cfd7] -> nt!IofCallDriver -> \Device\00000063[0x873ca9e8]
00:46:38.546 5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x87378d98]
00:46:38.921 AVAST engine scan C:\WINDOWS
00:47:03.859 AVAST engine scan C:\WINDOWS\system32
00:49:16.906 AVAST engine scan C:\WINDOWS\system32\drivers
00:49:37.046 AVAST engine scan C:\Documents and Settings\kristine
00:51:51.234 File: C:\Documents and Settings\kristine\Local Settings\Temp\34acf1a4-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:51:51.359 File: C:\Documents and Settings\kristine\Local Settings\Temp\35ad8ae8-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:51:51.531 File: C:\Documents and Settings\kristine\Local Settings\Temp\7ea807b2-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
00:52:29.156 AVAST engine scan C:\Documents and Settings\All Users
00:53:11.328 Scan finished successfully
00:53:19.890 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
00:53:19.937 The log file has been saved successfully to "C:\download\aswMBR.txt

--------------------

The **INFECTED** lines were always the same. Even if I used something like ATF-Cleaner to wipe the temps, there would be infected temps right back in with another aswMBR scan.
 
See if you can run this tool, please...

Please download TDSSKiller to your desktop and run it as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
------------------------

Click the Start Scan button.
-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue
----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
 