TechSpot

[Closed] Unidentified, serious MBR/rootkitting

By Eric Witzling
Jul 20, 2012
  1. The story so far:

    I've seen this type of behavior once before, and it makes me nervous about trying to initiate the same repair, because the MBR broke for good and I had my fingers crossed during a Windows Repair.

    Typical icons-disappearing/scam-windows-popping-up/search-redirection on a Windows XP Pro SP3 machine, but all efforts to get under it with known tools are failing. TDSSKiller will not run, nor will aswMBR, even in Safe Mode w/Command Prompt. Combofix will start running, but the machine freezes entirely before it can get to the scanning steps. FixTDSS will initiate, but gets into a reset-loop when it attempts to boot, and can only be rolled back by going to "Last Known Good Configuration." Removed some minor items like a PEVSystemStart service and randomly-generated number processes, and let Malware Bytes, SpyBot, and SuperAntiSpyware run to try to peel back the layers even a tiny bit. SB found nothing, SAS and MB pulled off minimal traces of the randomly-generated process I had already stopped. (MB log will be posted below.)

    GMER pops a LoadDriver error when first starting ("Cannot create a stable subkey under volatile parent key" on pwloipog.sys in temp directory) and running it reveals nothing and produces no log to save.

    DDS took 20 minutes to run and while the computer was still semi-responsive at first, Ctrl-Alt-Delete would not respond, and moving the window eventually froze the rest of the UI as well. So my ability to currently give information is... not so mighty.

    The last time, what I'd done was unhook the drive and clean what I could as best I could from another machine, but that broke the boot routine to an unrecoverable degree and I was probably lucky that a raw Windows disk could repair it. I would LIKE to hit it more surgically, but at this point I'm stumped.


    Any suggested next steps?

    -----------------------------------
    MB log, for what it's worth
    -----------------------------------
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.19.13
    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Kristine :: HL111008 [administrator]
    7/19/2012 5:11:20 PM
    mbam-log-2012-07-20 (09-14-52).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 374710
    Time elapsed: 1 hour(s), 25 minute(s), 8 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 8
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 2
    C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw.exe (Rogue.FakeHDD) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\WPNMjlUbKov.exe (Trojan.FakeAlert.3CH) -> No action taken.
    (end)
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.
     
  3. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Hi. Thanks, and I'll work up an intro when I have the time.

    As mentioned in my first post, GMER ran following an error that seems to have kept it from scanning anything properly, and had nothing proper to log. DDS.scr took more than 20 minutes to run, failed to complete in that time, and froze with the PC when I started checking for activity. ComboFix freezes the computer, too.

    I have since run hardware tests on the memory and HDD, and they show no errors.
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Download OTLPENet.exe to your desktop
    • Download Farbar Recovery Scan Tool and save it to a flash drive.
    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
    • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
    • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
    • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
    • Insert the flash drive with FRST on it
    • Locate the flash drive and run FRST
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  5. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    -=(Split due to 50k character restrictions and scripting errors when attempting to post.)=-

    First off, THANK YOU for pointing me to that Reatogo-X-PE tool. I'd been working (poorly) off an old BartPE disk while trying to take time building and managing a new one, but this looks like it will save a lot of time and headache, and do what I need it to. Are you aware of any licensing terms and restrictions that I would need to worry about as a technician?



    Secondly, the FRST log:



    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012
    Ran by SYSTEM at 20-07-2012 15:29:52
    Running from D:\cleanup
    Microsoft Windows XP (X86) OS Language: English(US)
    The current controlset is ControlSet004

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
    HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
    HKLM\...\Run: [Alcmtr] ALCMTR.EXE [x]
    HKLM\...\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe [141848 2007-09-21] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe [166424 2007-09-21] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe [137752 2007-09-21] (Intel Corporation)
    HKLM\...\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE [122940 2006-02-02] (Sonic Solutions)
    HKLM\...\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [120096 2007-12-09] (Lenovo Group Limited)
    HKLM\...\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup [419376 2007-02-01] (LENOVO)
    HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2010-09-17] (LogMeIn, Inc.)
    HKLM\...\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [813912 2006-11-21] (Microsoft Corporation)
    HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [849280 2007-02-05] (Microsoft Corporation)
    HKLM\...\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon [x]
    HKLM\...\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s [407368 2008-02-08] (CA)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [x]
    HKLM\...\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto [169984 2008-04-13] (Microsoft Corporation)
    HKU\Administrator\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
    HKU\Administrator.SMALLBUSINESS\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
    HKU\audrey\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
    HKU\kristine\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Winlogon\Notify\LMIinit: LMIinit.dll (LogMeIn, Inc.)
    Winlogon\Notify\NavLogon:
    Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.2.25 24.225.193.110 24.225.193.111 208.67.222.222 208.67.220.220
    AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    Tcpip\..\Interfaces\{85FA715C-19B2-437D-AE84-7C25D7ECE2D1}: [NameServer]192.168.24.50,208.67.222.222,8.8.8.8,208.67.222.222

    ================================ Services (Whitelisted) ==================

    2 Diskeeper; "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" [622700 2006-05-23] (Diskeeper Corporation)
    2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
    3 GoogleDesktopManager-061008-081103; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [29744 2008-11-13] (Google)
    2 iGateway; "C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe" [106496 2007-02-05] (CA, Inc.)
    2 InoRPC; "C:\Program Files\CA\eTrustITM\InoRpc.exe" [192512 2009-09-29] (CA)
    2 InoRT; "C:\Program Files\CA\eTrustITM\InoRT.exe" [208896 2009-09-29] (CA)
    2 InoTask; "C:\Program Files\CA\eTrustITM\InoTask.exe" [389960 2011-02-15] (CA)
    2 ITMRTSVC; "C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe" [283888 2009-12-07] (CA, Inc.)
    3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2045632 2006-02-23] (Symantec Corporation)
    2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-12] (LogMeIn, Inc.)
    2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-12] (LogMeIn, Inc.)
    2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2010-11-08] (LogMeIn, Inc.)
    2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" [322120 2003-06-20] (Microsoft Corporation)
    2 QBCFMonitorService; "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [20480 2009-09-16] (Intuit)
    3 QBFCService; "C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2007-05-24] (Intuit Inc.)
    2 QuickBooksDB18; C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [128536 2006-09-13] (iAnywhere Solutions, Inc.)
    2 SAAZappr; "C:\PROGRA~1\SAAZOD\zRealTime\SAAZappr.exe" SAAZappr [82760 2011-05-31] (Zenith Infotech Ltd)
    2 SAAZapsc; "C:\PROGRA~1\SAAZOD\zRealTime\SAAZapsc.exe" SAAZapsc [82760 2011-05-31] (Zenith Infotech Ltd)
    2 SAAZDPMACTL; "C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe" [86856 2012-02-23] (Zenith Infotech Ltd)
    2 SAAZRemoteSupport; "C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe" [78664 2012-02-23] (Zenith Infotech Ltd)
    2 SAAZScheduler; "C:\PROGRA~1\SAAZOD\SAAZScheduler.exe" [77824 2012-02-23] (Zenith Infotech Ltd)
    2 SAAZServerPlus; "C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe" [77824 2009-04-30] (Zenith Infotech Ltd)
    2 SAAZWatchDog; "C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe" [86856 2012-02-23] (Zenith Infotech Ltd)
    2 TVT Backup Protection Service; "C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe" [569344 2007-07-11] ()
    2 tvtnetwk; C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe [45056 2007-07-11] ()
    2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
    3 WMConnectCDS; C:\Program Files\Windows Media Connect 2\wmccds.exe [855552 2005-10-06] (Microsoft Corporation)
    4 ZEvtSVC; C:\PROGRA~1\SAAZOD\zSCC\zEvtSVC.exe [230216 2011-08-09] (Zenith Infotech ltd.)
    3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [x]
    3 idsvc; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [x]
    4 NetTcpPortSharing; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [x]
    2 SUService; c:\program files\lenovo\system update\suservice.exe [x]
    2 TVT Scheduler; "c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" [x]

    ========================== Drivers (Whitelisted) =============

    3 ac97intc; C:\Windows\System32\drivers\ac97intc.sys [96256 2001-08-17] (Intel Corporation)
    2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2006-02-02] (Sonic Solutions)
    1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5660 2005-11-18] (Sonic Solutions)
    2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2006-02-02] (Sonic Solutions)
    2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86652 2006-02-02] (Sonic Solutions)
    2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2006-02-02] (Sonic Solutions)
    2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2006-02-02] (Sonic Solutions)
    1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-11-18] (Sonic Solutions)
    2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2006-02-02] (Sonic Solutions)
    2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2006-02-02] (Sonic Solutions)
    2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-11-18] (Sonic Solutions)
    3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)
    3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-10-30] (HP)
    3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-10-30] (HP)
    3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-10-30] (HP)
    0 INO_FLPY; C:\Windows\System32\Drivers\ino_flpy.sys [27536 2007-08-06] (Computer Associates)
    2 INO_FLTR; \??\C:\WINDOWS\system32\Drivers\ino_fltr.sys [184080 2007-10-18] (Computer Associates)
    3 Iviaspi; C:\Windows\System32\drivers\iviaspi.sys [21060 2003-09-11] (InterVideo, Inc.)
    2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2010-09-17] (LogMeIn, Inc.)
    3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
    3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16384 2003-01-10] (Primax Electronics Ltd.)
    3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [9216 2003-02-11] (Primax Electronics Ltd.)
    2 pmem; \??\C:\WINDOWS\System32\drivers\pmemnt.sys [7012 2008-10-10] (Microsoft Corporation)
    3 yukonwxp; C:\Windows\System32\DRIVERS\yk51x86.sys [288896 2008-04-29] (Marvell)
    4 Abiosdsk; [x]
    4 Atdisk; [x]
    1 Changer; [x]
    1 lbrtfdc; [x]
    4 LMIRfsClientNP; [x]
    3 mcdbus; C:\Windows\System32\DRIVERS\mcdbus.sys [x]
    1 PCIDump; [x]
    3 PDCOMP; [x]
    3 PDFRAME; [x]
    3 PDRELI; [x]
    3 PDRFRAME; [x]
    1 SASDIFSV; \??\C:\DOCUME~1\kristine\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
    1 SASKUTIL; \??\C:\DOCUME~1\kristine\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
    4 Simbad; [x]
    3 SymIM; C:\Windows\System32\DRIVERS\SymIM.sys [x]
    3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys [x]
    3 TVTPktFilter; C:\Windows\System32\DRIVERS\tvtpktfilter.sys [x]
    3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [x]
    3 WDICA; [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-20 15:29 - 2012-07-20 15:29 - 00000000 ____D C:\FRST
    2012-07-20 14:07 - 2012-07-20 14:07 - 00000000 ____D C:\Documents and Settings\All Users\Desktop\CC Support
    2012-07-19 17:10 - 2012-06-22 10:04 - 00000761 ____A C:\Windows\System32\Drivers\etc\hosts.20120719-171050.backup
    2012-07-19 17:08 - 2012-07-19 17:08 - 00000000 ____D C:\Documents and Settings\kristine\Application Data\SUPERAntiSpyware.com
    2012-07-19 17:08 - 2012-07-19 17:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-07-19 17:01 - 2012-07-19 17:06 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-07-19 17:01 - 2012-07-19 17:01 - 00000000 ____D C:\Documents and Settings\kristine\Application Data\Malwarebytes
    2012-07-19 17:01 - 2012-07-19 17:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2012-07-19 17:01 - 2012-07-03 13:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-19 15:57 - 2012-07-19 16:05 - 00000000 ___SD C:\cfx
    2012-07-19 15:53 - 2012-07-20 14:15 - 00000359 ____A C:\rkill.log
    2012-07-19 15:50 - 2012-07-19 15:49 - 00081920 ____A C:\Windows\Minidump\Mini071912-02.dmp
    2012-07-19 15:41 - 2012-07-19 15:38 - 04731392 ____A (AVAST Software) C:\Documents and Settings\kristine\Desktop\aswMBR.exe
    2012-07-19 15:33 - 2012-07-19 15:33 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\FixTDSS
    2012-07-19 15:30 - 2012-07-19 15:50 - 00000000 ____D C:\Windows\Minidump
    2012-07-19 15:30 - 2012-07-19 15:30 - 00081920 ____A C:\Windows\Minidump\Mini071912-01.dmp
    2012-07-19 10:38 - 2012-07-19 10:38 - 00000000 RASHD C:\cmdcons
    2012-07-19 10:38 - 2012-07-19 10:12 - 00000245 ____A C:\Boot.bak
    2012-07-19 10:38 - 2004-08-03 23:00 - 00260272 _RASH C:\cmldr
    2012-07-19 10:32 - 2012-07-19 10:38 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
    2012-07-19 10:32 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-07-19 10:32 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-07-19 10:32 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-07-19 10:32 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-07-19 10:32 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-07-19 10:32 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
    2012-07-19 10:32 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
    2012-07-19 10:32 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
    2012-07-19 10:32 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
    2012-07-19 10:31 - 2012-07-19 15:57 - 00000000 ___SD C:\ComboFix
    2012-07-19 10:29 - 2012-07-19 10:31 - 00000000 ____D C:\Qoobox
    2012-07-19 10:28 - 2012-07-19 10:28 - 00000000 ____D C:\Windows\erdnt
    2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuwr
    2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuw
    2012-07-19 09:55 - 2012-07-19 09:56 - 00000368 ___AH C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw
    2012-07-19 00:46 - 2012-07-19 00:46 - 00000000 __HDC C:\Windows\$NtUninstallKB2685939$
    2012-07-19 00:44 - 2012-07-19 00:46 - 00016175 ___AH C:\Windows\KB2685939.log
    2012-07-19 00:33 - 2012-07-19 00:35 - 00020406 ___AH C:\Windows\KB2699988-IE8.log
    2012-07-19 00:32 - 2012-05-11 10:42 - 00521728 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll
    2012-07-17 00:18 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001837.backup
    2012-07-17 00:17 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001734.backup
    2012-07-17 00:16 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001629.backup
    2012-07-16 00:30 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-003026.backup
    2012-07-16 00:29 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-002925.backup
    2012-07-16 00:28 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-002824.backup
    2012-07-13 00:30 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-003030.backup
    2012-07-13 00:29 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-002927.backup
    2012-07-13 00:27 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-002755.backup
    2012-07-10 00:20 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-002002.backup
    2012-07-10 00:19 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-001900.backup
    2012-07-10 00:17 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-001758.backup
    2012-07-09 16:27 - 2012-07-09 16:27 - 00000263 ___AH C:\Documents and Settings\kristine\Desktop\VanAlstyne-Chubb Ins.log
    2012-07-09 00:25 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002508.backup
    2012-07-09 00:24 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002405.backup
    2012-07-09 00:22 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002258.backup
    2012-07-06 00:23 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002327.backup
    2012-07-06 00:22 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002226.backup
    2012-07-06 00:21 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002121.backup
    2012-07-03 00:14 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001444.backup
    2012-07-03 00:13 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001340.backup
    2012-07-03 00:12 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001236.backup
    2012-07-02 00:25 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002509.backup
    2012-07-02 00:24 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002407.backup
    2012-07-02 00:23 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002300.backup
    2012-06-29 00:23 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002334.backup
    2012-06-29 00:22 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002231.backup
    2012-06-29 00:21 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002112.backup
    2012-06-26 00:15 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001514.backup
    2012-06-26 00:14 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001413.backup
    2012-06-26 00:13 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001312.backup
    2012-06-25 00:09 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120625-000908.backup
    2012-06-25 00:08 - 2012-06-22 10:04 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120625-000807.backup
    2012-06-25 00:07 - 2012-06-22 10:04 - 00000761 _RASH C:\Windows\System32\Drivers\etc\hosts.20120625-000705.backup
    2012-06-22 15:24 - 2012-06-22 15:25 - 00000000 ___HD C:\Windows\pss
    2012-06-22 15:23 - 2012-07-19 09:14 - 00000830 ___AH C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-06-22 15:23 - 2012-07-12 11:14 - 00426184 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-06-22 15:23 - 2012-07-12 11:14 - 00070344 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-06-22 15:22 - 2012-06-22 15:22 - 00002029 ___AH C:\Documents and Settings\kristine\Desktop\Retry AIM Installation.lnk
    2012-06-22 10:05 - 2012-06-22 10:05 - 00045056 ___SH C:\Documents and Settings\kristine\1ee7e578-5753.exe
    2012-06-22 10:04 - 2012-06-22 10:04 - 00178692 ___AH C:\Windows\System32\c_7265170.nls
    2012-06-22 00:29 - 2012-06-22 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002956.backup
    2012-06-22 00:28 - 2012-06-22 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002843.backup
    2012-06-22 00:27 - 2012-06-19 00:20 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002733.backup

    ============ 3 Months Modified Files ========================

    2012-07-20 14:22 - 2008-11-13 23:47 - 00000278 __ASH C:\Documents and Settings\kristine\ntuser.ini
    2012-07-20 14:22 - 2006-04-30 03:11 - 02072280 ___AH C:\Windows\WindowsUpdate.log
    2012-07-20 14:15 - 2012-07-19 15:53 - 00000359 ____A C:\rkill.log
    2012-07-20 14:12 - 2006-04-30 02:56 - 00002278 ___AH C:\Windows\System32\wpa.dbl
    2012-07-20 14:11 - 2008-11-13 23:47 - 00000062 __ASH C:\Documents and Settings\kristine\Local Settings\desktop.ini
    2012-07-20 14:10 - 2006-04-30 03:20 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
    2012-07-20 14:10 - 2006-04-30 03:20 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
    2012-07-20 10:18 - 2008-11-13 14:34 - 00000178 __ASH C:\Documents and Settings\QBDataServiceUser18\ntuser.ini
    2012-07-20 10:18 - 2006-04-30 03:20 - 00032284 ___AH C:\Windows\SchedLgU.Txt
    2012-07-20 10:18 - 2006-04-30 03:20 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-20 10:18 - 2006-04-29 20:07 - 00000049 ___AH C:\Windows\wiaservc.log
    2012-07-20 10:17 - 2008-11-13 14:34 - 00000062 __ASH C:\Documents and Settings\QBDataServiceUser18\Local Settings\desktop.ini
    2012-07-19 16:50 - 2006-04-30 02:56 - 00000355 _RASH C:\boot.ini
    2012-07-19 15:51 - 2006-04-29 20:03 - 00585391 ___AH C:\Windows\setupapi.log
    2012-07-19 15:50 - 2006-04-29 20:03 - 00217502 ___AH C:\Windows\setupact.log
    2012-07-19 15:49 - 2012-07-19 15:50 - 00081920 ____A C:\Windows\Minidump\Mini071912-02.dmp
    2012-07-19 15:38 - 2012-07-19 15:41 - 04731392 ____A (AVAST Software) C:\Documents and Settings\kristine\Desktop\aswMBR.exe
    2012-07-19 15:33 - 2006-04-30 03:21 - 00000178 __ASH C:\Documents and Settings\Administrator\ntuser.ini
    2012-07-19 15:32 - 2006-04-30 03:21 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
    2012-07-19 15:30 - 2012-07-19 15:30 - 00081920 ____A C:\Windows\Minidump\Mini071912-01.dmp
    2012-07-19 15:27 - 2010-05-10 13:55 - 00000236 ___AH C:\Windows\Tasks\OGALogon.job
    2012-07-19 15:27 - 2010-02-05 10:15 - 00000882 ___AH C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-19 10:38 - 2012-07-19 10:32 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
    2012-07-19 10:12 - 2012-07-19 10:38 - 00000245 ____A C:\Boot.bak
    2012-07-19 10:11 - 2008-11-13 23:21 - 00000278 __ASH C:\Documents and Settings\Administrator.SMALLBUSINESS\ntuser.ini
    2012-07-19 10:11 - 2006-04-29 20:07 - 00000463 ___AH C:\Windows\wiadebug.log
    2012-07-19 10:02 - 2008-11-13 23:21 - 00000062 __ASH C:\Documents and Settings\Administrator.SMALLBUSINESS\Local Settings\desktop.ini
    2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuwr
    2012-07-19 09:56 - 2012-07-19 09:56 - 00000096 ___AH C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuw
    2012-07-19 09:56 - 2012-07-19 09:55 - 00000368 ___AH C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw
    2012-07-19 09:50 - 2008-11-10 15:48 - 00000256 ___AH C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
    2012-07-19 09:47 - 2011-11-15 10:33 - 00000564 ___AH C:\Documents and Settings\kristine\Desktop\106.7 Lite fm - 106.7 Lite fm New York.url
    2012-07-19 09:45 - 2008-11-13 23:14 - 00000152 ___AH C:\Windows\System32\config\netlogon.ftl
    2012-07-19 09:20 - 2010-02-05 10:15 - 00000886 ___AH C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-19 09:14 - 2012-06-22 15:23 - 00000830 ___AH C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-19 09:10 - 2006-04-30 02:56 - 00000655 ___AH C:\Windows\win.ini
    2012-07-19 09:07 - 2008-11-20 17:46 - 00002521 ____A C:\Documents and Settings\kristine\Desktop\Microsoft Office Outlook 2003.lnk
    2012-07-19 01:07 - 2008-11-13 14:36 - 00524288 ___AH C:\Windows\System32\config\QB GDS P.evt
    2012-07-19 00:46 - 2012-07-19 00:44 - 00016175 ___AH C:\Windows\KB2685939.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 02311705 ___AH C:\Windows\FaxSetup.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 01106753 ___AH C:\Windows\ocgen.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 01063286 ___AH C:\Windows\tsoc.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00702458 ___AH C:\Windows\msmqinst.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00603313 ___AH C:\Windows\comsetup.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00493045 ___AH C:\Windows\iis6.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00405340 ___AH C:\Windows\netfxocm.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00364073 ___AH C:\Windows\ntdtcsetup.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00159544 ___AH C:\Windows\MedCtrOC.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00117142 ___AH C:\Windows\tabletoc.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00115663 ___AH C:\Windows\msgsocm.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00099884 ___AH C:\Windows\ocmsn.log
    2012-07-19 00:46 - 2006-04-29 20:04 - 00001374 ___AH C:\Windows\imsins.log
    2012-07-19 00:42 - 2006-04-29 20:04 - 00507652 ___AH C:\Windows\System32\PerfStringBackup.INI
    2012-07-19 00:35 - 2012-07-19 00:33 - 00020406 ___AH C:\Windows\KB2699988-IE8.log
    2012-07-19 00:35 - 2006-04-29 20:04 - 00001374 ___AH C:\Windows\imsins.BAK
    2012-07-19 00:34 - 2006-04-30 03:26 - 00316744 ___AH C:\Windows\updspapi.log
    2012-07-19 00:29 - 2012-02-23 17:30 - 00001427 ___AH C:\Windows\System32\ipstuffNew.txt
    2012-07-17 15:09 - 2011-12-19 10:37 - 00248320 ___AH C:\Documents and Settings\kristine\Desktop\Credit Cards.xls
    2012-07-17 10:14 - 2008-11-17 17:24 - 00000322 ___AH C:\Documents and Settings\kristine\Desktop\PNC Bank.url
    2012-07-12 18:25 - 2008-11-10 18:28 - 00030624 ___AH (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
    2012-07-12 18:25 - 2008-11-10 18:27 - 00087456 ___AH (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
    2012-07-12 11:14 - 2012-06-22 15:23 - 00426184 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-12 11:14 - 2012-06-22 15:23 - 00070344 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-09 16:27 - 2012-07-09 16:27 - 00000263 ___AH C:\Documents and Settings\kristine\Desktop\VanAlstyne-Chubb Ins.log
    2012-07-03 13:46 - 2012-07-19 17:01 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-22 16:37 - 2008-11-12 09:07 - 00000178 __ASH C:\Documents and Settings\LogMeInRemoteUser\ntuser.ini
    2012-06-22 15:28 - 2008-11-12 09:07 - 00000062 __ASH C:\Documents and Settings\LogMeInRemoteUser\Local Settings\desktop.ini
    2012-06-22 15:26 - 2006-04-30 02:56 - 00000227 ___AH C:\Windows\system.ini
    2012-06-22 15:24 - 2008-11-18 13:02 - 00001116 ___AH C:\IPH.PH
    2012-06-22 15:22 - 2012-06-22 15:22 - 00002029 ___AH C:\Documents and Settings\kristine\Desktop\Retry AIM Installation.lnk
    2012-06-22 10:05 - 2012-06-22 10:05 - 00045056 ___SH C:\Documents and Settings\kristine\1ee7e578-5753.exe
    2012-06-22 10:04 - 2012-07-19 17:10 - 00000761 ____A C:\Windows\System32\Drivers\etc\hosts.20120719-171050.backup
    2012-06-22 10:04 - 2012-07-17 00:18 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001837.backup
    2012-06-22 10:04 - 2012-07-17 00:17 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001734.backup
    2012-06-22 10:04 - 2012-07-17 00:16 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120717-001629.backup
    2012-06-22 10:04 - 2012-07-16 00:30 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-003026.backup
    2012-06-22 10:04 - 2012-07-16 00:29 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-002925.backup
    2012-06-22 10:04 - 2012-07-16 00:28 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120716-002824.backup
    2012-06-22 10:04 - 2012-07-13 00:30 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-003030.backup
    2012-06-22 10:04 - 2012-07-13 00:29 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-002927.backup
    2012-06-22 10:04 - 2012-07-13 00:27 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120713-002755.backup
    2012-06-22 10:04 - 2012-07-10 00:20 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-002002.backup
    2012-06-22 10:04 - 2012-07-10 00:19 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-001900.backup
    2012-06-22 10:04 - 2012-07-10 00:17 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120710-001758.backup
    2012-06-22 10:04 - 2012-07-09 00:25 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002508.backup
    2012-06-22 10:04 - 2012-07-09 00:24 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002405.backup
    2012-06-22 10:04 - 2012-07-09 00:22 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120709-002258.backup
    2012-06-22 10:04 - 2012-07-06 00:23 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002327.backup
    2012-06-22 10:04 - 2012-07-06 00:22 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002226.backup
    2012-06-22 10:04 - 2012-07-06 00:21 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120706-002121.backup
    2012-06-22 10:04 - 2012-07-03 00:14 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001444.backup
    2012-06-22 10:04 - 2012-07-03 00:13 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001340.backup
    2012-06-22 10:04 - 2012-07-03 00:12 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120703-001236.backup
    2012-06-22 10:04 - 2012-07-02 00:25 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002509.backup
    2012-06-22 10:04 - 2012-07-02 00:24 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002407.backup
    2012-06-22 10:04 - 2012-07-02 00:23 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120702-002300.backup
    2012-06-22 10:04 - 2012-06-29 00:23 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002334.backup
    2012-06-22 10:04 - 2012-06-29 00:22 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002231.backup
    2012-06-22 10:04 - 2012-06-29 00:21 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120629-002112.backup
    2012-06-22 10:04 - 2012-06-26 00:15 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001514.backup
    2012-06-22 10:04 - 2012-06-26 00:14 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001413.backup
    2012-06-22 10:04 - 2012-06-26 00:13 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120626-001312.backup
    2012-06-22 10:04 - 2012-06-25 00:09 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120625-000908.backup
    2012-06-22 10:04 - 2012-06-25 00:08 - 00000761 ___AH C:\Windows\System32\Drivers\etc\hosts.20120625-000807.backup
    2012-06-22 10:04 - 2012-06-25 00:07 - 00000761 _RASH C:\Windows\System32\Drivers\etc\hosts.20120625-000705.backup
    2012-06-22 10:04 - 2012-06-22 10:04 - 00178692 ___AH C:\Windows\System32\c_7265170.nls
    2012-06-22 00:28 - 2012-06-22 00:29 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002956.backup
    2012-06-22 00:27 - 2012-06-22 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002843.backup
    2012-06-19 00:20 - 2012-06-22 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120622-002733.backup
    2012-06-19 00:19 - 2012-06-19 00:20 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120619-002029.backup
    2012-06-19 00:18 - 2012-06-19 00:19 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120619-001918.backup
    2012-06-18 00:30 - 2012-06-19 00:18 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120619-001807.backup
    2012-06-18 00:28 - 2012-06-18 00:30 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120618-003003.backup
    2012-06-18 00:27 - 2012-06-18 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120618-002850.backup
    2012-06-16 01:26 - 2006-04-29 20:03 - 00282928 ___AH C:\Windows\System32\FNTCACHE.DAT
    2012-06-16 01:01 - 2012-06-16 01:00 - 00009572 ___AH C:\Windows\KB2686509.log
    2012-06-16 00:59 - 2012-06-16 00:56 - 00006916 ___AH C:\Windows\KB2659262.log
    2012-06-16 00:55 - 2012-06-16 00:52 - 00011836 ___AH C:\Windows\KB2676562.log
    2012-06-15 00:35 - 2012-06-18 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120618-002744.backup
    2012-06-15 00:34 - 2012-06-15 00:35 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120615-003554.backup
    2012-06-15 00:33 - 2012-06-15 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120615-003440.backup
    2012-06-12 00:26 - 2012-06-15 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120615-003330.backup
    2012-06-12 00:24 - 2012-06-12 00:26 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120612-002610.backup
    2012-06-12 00:23 - 2012-06-12 00:24 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120612-002457.backup
    2012-06-11 00:07 - 2012-06-12 00:23 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120612-002343.backup
    2012-06-11 00:06 - 2012-06-11 00:07 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120611-000712.backup
    2012-06-11 00:05 - 2012-06-11 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120611-000610.backup
    2012-06-08 00:37 - 2012-06-11 00:05 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120611-000506.backup
    2012-06-08 00:36 - 2012-06-08 00:37 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120608-003736.backup
    2012-06-08 00:35 - 2012-06-08 00:36 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120608-003623.backup
    2012-06-05 00:34 - 2012-06-08 00:35 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120608-003509.backup
    2012-06-05 00:33 - 2012-06-05 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120605-003435.backup
    2012-06-05 00:32 - 2012-06-05 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120605-003317.backup
    2012-06-04 00:08 - 2012-06-05 00:31 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120605-003159.backup
    2012-06-04 00:06 - 2012-06-04 00:08 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120604-000808.backup
    2012-06-04 00:05 - 2012-06-04 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120604-000653.backup
    2012-06-01 00:38 - 2012-06-04 00:05 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120604-000538.backup
    2012-06-01 00:36 - 2012-06-01 00:38 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120601-003800.backup
    2012-06-01 00:35 - 2012-06-01 00:36 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120601-003651.backup
    2012-05-29 00:17 - 2012-06-01 00:35 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120601-003529.backup
    2012-05-29 00:16 - 2012-05-29 00:17 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120529-001717.backup
    2012-05-29 00:14 - 2012-05-29 00:16 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120529-001602.backup
    2012-05-28 00:29 - 2012-05-29 00:14 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120529-001447.backup
    2012-05-28 00:28 - 2012-05-28 00:29 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120528-002938.backup
    2012-05-28 00:27 - 2012-05-28 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120528-002827.backup
    2012-05-25 00:25 - 2012-05-28 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120528-002725.backup
    2012-05-25 00:24 - 2012-05-25 00:25 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120525-002558.backup
    2012-05-25 00:23 - 2012-05-25 00:24 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120525-002445.backup
    2012-05-22 00:14 - 2012-05-25 00:23 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120525-002340.backup
    2012-05-22 00:13 - 2012-05-22 00:14 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120522-001411.backup
    2012-05-22 00:11 - 2012-05-22 00:13 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120522-001308.backup
    2012-05-21 18:24 - 2008-11-10 18:27 - 00087424 ___AH (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll.000.bak
    2012-05-21 00:26 - 2012-05-22 00:11 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120522-001157.backup
    2012-05-21 00:25 - 2012-05-21 00:26 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120521-002655.backup
    2012-05-21 00:24 - 2012-05-21 00:25 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120521-002542.backup
    2012-05-18 00:23 - 2012-05-21 00:24 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120521-002429.backup
    2012-05-18 00:22 - 2012-05-18 00:23 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120518-002316.backup
    2012-05-18 00:20 - 2012-05-18 00:22 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120518-002206.backup
    2012-05-17 00:29 - 2012-05-17 00:24 - 00017429 ___AH C:\Windows\KB2675157-IE8.log
    2012-05-17 00:20 - 2012-05-17 00:17 - 00009214 ___AH C:\Windows\KB2653956.log
    2012-05-16 11:08 - 2006-11-08 00:03 - 00916992 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\wininet.dll
    2012-05-16 11:08 - 2006-04-30 02:56 - 00916992 ___AH (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-15 00:23 - 2012-05-18 00:20 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120518-002056.backup
    2012-05-15 00:22 - 2012-05-15 00:23 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120515-002342.backup
    2012-05-15 00:21 - 2012-05-15 00:22 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120515-002230.backup
    2012-05-14 00:06 - 2012-05-15 00:21 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120515-002118.backup
    2012-05-14 00:05 - 2012-05-14 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120514-000627.backup
    2012-05-14 00:04 - 2012-05-14 00:05 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120514-000523.backup
    2012-05-11 20:12 - 2008-10-03 13:41 - 11111424 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\ieframe.dll
    2012-05-11 20:12 - 2006-11-08 00:03 - 11111424 ___AH (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-11 10:42 - 2012-07-19 00:32 - 00521728 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll
    2012-05-11 10:42 - 2010-06-09 04:37 - 00743424 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\iedvtool.dll
    2012-05-11 10:42 - 2010-05-10 14:03 - 00247808 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\ieproxy.dll
    2012-05-11 10:42 - 2010-05-10 14:03 - 00012800 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\xpshims.dll
    2012-05-11 10:42 - 2008-08-26 03:24 - 02000384 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\iertutil.dll
    2012-05-11 10:42 - 2008-08-26 03:24 - 00629760 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\msfeeds.dll
    2012-05-11 10:42 - 2008-08-26 03:24 - 00055296 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\msfeedsbs.dll
    2012-05-11 10:42 - 2006-11-08 00:03 - 06007808 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
    2012-05-11 10:42 - 2006-11-08 00:03 - 01212416 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\urlmon.dll
    2012-05-11 10:42 - 2006-11-08 00:03 - 00629760 ___AH (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-05-11 10:42 - 2006-11-08 00:03 - 00611840 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\mstime.dll
    2012-05-11 10:42 - 2006-11-08 00:03 - 00184320 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\iepeers.dll
    2012-05-11 10:42 - 2006-11-08 00:03 - 00067072 ___AH (Microsoft Corporation) C:\Windows\System32\dllcache\mshtmled.dll
    2012-05-11 10:42 - 2006-11-08 00:03 - 00055296 ___AH (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
    2012-05-11 10:42 - 2006-11-08 00:03 - 00025600 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\jsproxy.dll
    2012-05-11 10:42 - 2006-11-07 06:27 - 00387584 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\iedkcs32.dll
    2012-05-11 10:42 - 2006-10-17 15:05 - 01469440 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\inetcpl.cpl
    2012-05-11 10:42 - 2006-10-17 15:05 - 00105984 ___AH (Microsoft Corporation) C:\Windows\System32\dllcache\url.dll
    2012-05-11 10:42 - 2006-10-17 15:05 - 00043520 ___AH (Microsoft Corporation) C:\Windows\System32\dllcache\licmgr10.dll
    2012-05-11 10:42 - 2006-10-17 15:04 - 00206848 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\occache.dll
    2012-05-11 10:42 - 2006-10-17 14:57 - 02000384 ___AH (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-11 10:42 - 2006-04-30 02:56 - 01212416 ___AH (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-11 10:42 - 2006-04-30 02:56 - 00105984 ___AH (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-11 10:42 - 2006-04-30 02:55 - 06007808 ___AH (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-11 10:42 - 2006-04-30 02:55 - 01469440 ____H (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-11 10:42 - 2006-04-30 02:55 - 00611840 ____H (Microsoft Corporation) C:\Windows\System32\mstime.dll
    2012-05-11 10:42 - 2006-04-30 02:55 - 00387584 ____H (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
    2012-05-11 10:42 - 2006-04-30 02:55 - 00206848 ____H (Microsoft Corporation) C:\Windows\System32\occache.dll
    2012-05-11 10:42 - 2006-04-30 02:55 - 00184320 ___AH (Microsoft Corporation) C:\Windows\System32\iepeers.dll
    2012-05-11 10:42 - 2006-04-30 02:55 - 00067072 ___AH (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-11 10:42 - 2006-04-30 02:55 - 00043520 ___AH (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
    2012-05-11 10:42 - 2006-04-30 02:55 - 00025600 ___AH (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-11 07:38 - 2006-11-07 06:26 - 00174080 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\ie4uinit.exe
    2012-05-11 07:38 - 2006-04-30 02:55 - 00385024 ___AH (Microsoft Corporation) C:\Windows\System32\html.iec
    2012-05-11 07:38 - 2006-04-30 02:55 - 00174080 ____H (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2012-05-11 00:34 - 2012-05-14 00:04 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120514-000408.backup
    2012-05-11 00:33 - 2012-05-11 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120511-003448.backup
    2012-05-11 00:32 - 2012-05-11 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120511-003347.backup
    2012-05-08 00:31 - 2012-05-11 00:32 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120511-003234.backup
    2012-05-08 00:30 - 2012-05-08 00:31 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120508-003157.backup
    2012-05-08 00:29 - 2012-05-08 00:30 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120508-003043.backup
    2012-05-07 00:09 - 2012-05-08 00:29 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120508-002929.backup
    2012-05-07 00:08 - 2012-05-07 00:09 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120507-000930.backup
    2012-05-07 00:07 - 2012-05-07 00:08 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120507-000819.backup
    2012-05-04 00:10 - 2012-05-07 00:07 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120507-000708.backup
    2012-05-04 00:09 - 2012-05-04 00:10 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120504-001053.backup
    2012-05-04 00:08 - 2012-05-04 00:09 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120504-000941.backup
    2012-05-02 09:46 - 2011-08-10 21:37 - 00139656 ____H (Microsoft Corporation) C:\Windows\System32\dllcache\rdpwd.sys
    2012-05-02 09:46 - 2006-04-30 02:55 - 00139656 ___AH (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-05-01 00:06 - 2012-05-04 00:08 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120504-000827.backup
    2012-05-01 00:05 - 2012-05-01 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120501-000654.backup
    2012-05-01 00:04 - 2012-05-01 00:05 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120501-000545.backup
    2012-04-30 00:34 - 2012-05-01 00:04 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120501-000441.backup
    2012-04-30 00:33 - 2012-04-30 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120430-003439.backup
    2012-04-30 00:32 - 2012-04-30 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120430-003327.backup
    2012-04-27 00:35 - 2012-04-30 00:32 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120430-003226.backup
    2012-04-27 00:34 - 2012-04-27 00:35 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120427-003555.backup
    2012-04-27 00:33 - 2012-04-27 00:34 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120427-003439.backup
    2012-04-26 11:21 - 2012-04-26 11:11 - 00008192 ___AH C:\Documents and Settings\kristine\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-04-24 23:10 - 2012-04-24 23:09 - 00001736 ___AH C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    2012-04-24 00:29 - 2012-04-27 00:33 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120427-003322.backup
    2012-04-24 00:28 - 2012-04-24 00:29 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120424-002954.backup
    2012-04-24 00:27 - 2012-04-24 00:28 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120424-002843.backup
    2012-04-23 00:08 - 2012-04-24 00:27 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120424-002733.backup
    2012-04-23 00:06 - 2012-04-23 00:08 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120423-000807.backup
    2012-04-23 00:05 - 2012-04-23 00:06 - 00440483 __RAH C:\Windows\System32\Drivers\etc\hosts.20120423-000654.backup
     
  6. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    ========================= Known DLLs (Whitelisted) ============
    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points (XP) =====================
    RP: -> 2012-07-19 00:44 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2868
    RP: -> 2012-07-19 00:37 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2867
    RP: -> 2012-07-19 00:36 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2866
    RP: -> 2012-07-19 00:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2865
    RP: -> 2012-07-19 00:29 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2864
    RP: -> 2012-07-18 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2863
    RP: -> 2012-07-18 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2862
    RP: -> 2012-07-18 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2861
    RP: -> 2012-07-18 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2860
    RP: -> 2012-07-18 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2859
    RP: -> 2012-07-18 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2858
    RP: -> 2012-07-18 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2857
    RP: -> 2012-07-18 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2856
    RP: -> 2012-07-18 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2855
    RP: -> 2012-07-18 00:27 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2854
    RP: -> 2012-07-18 00:05 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2853
    RP: -> 2012-07-17 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2852
    RP: -> 2012-07-17 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2851
    RP: -> 2012-07-17 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2850
    RP: -> 2012-07-17 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2849
    RP: -> 2012-07-17 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2848
    RP: -> 2012-07-17 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2847
    RP: -> 2012-07-17 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2846
    RP: -> 2012-07-17 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2845
    RP: -> 2012-07-17 02:34 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2844
    RP: -> 2012-07-17 00:14 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2843
    RP: -> 2012-07-16 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2842
    RP: -> 2012-07-16 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2841
    RP: -> 2012-07-16 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2840
    RP: -> 2012-07-16 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2839
    RP: -> 2012-07-16 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2838
    RP: -> 2012-07-16 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2837
    RP: -> 2012-07-16 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2836
    RP: -> 2012-07-16 00:49 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2835
    RP: -> 2012-07-16 00:24 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2834
    RP: -> 2012-07-15 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2833
    RP: -> 2012-07-15 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2832
    RP: -> 2012-07-15 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2831
    RP: -> 2012-07-15 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2830
    RP: -> 2012-07-15 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2829
    RP: -> 2012-07-15 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2828
    RP: -> 2012-07-15 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2827
    RP: -> 2012-07-15 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2826
    RP: -> 2012-07-15 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2825
    RP: -> 2012-07-15 00:25 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2824
    RP: -> 2012-07-15 00:05 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2823
    RP: -> 2012-07-14 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2822
    RP: -> 2012-07-14 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2821
    RP: -> 2012-07-14 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2820
    RP: -> 2012-07-14 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2819
    RP: -> 2012-07-14 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2818
    RP: -> 2012-07-14 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2817
    RP: -> 2012-07-14 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2816
    RP: -> 2012-07-14 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2815
    RP: -> 2012-07-14 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2814
    RP: -> 2012-07-14 00:36 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2813
    RP: -> 2012-07-14 00:15 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2812
    RP: -> 2012-07-13 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2811
    RP: -> 2012-07-13 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2810
    RP: -> 2012-07-13 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2809
    RP: -> 2012-07-13 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2808
    RP: -> 2012-07-13 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2807
    RP: -> 2012-07-13 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2806
    RP: -> 2012-07-13 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2805
    RP: -> 2012-07-13 01:11 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2804
    RP: -> 2012-07-13 00:22 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2803
    RP: -> 2012-07-12 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2802
    RP: -> 2012-07-12 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2801
    RP: -> 2012-07-12 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2800
    RP: -> 2012-07-12 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2799
    RP: -> 2012-07-12 18:26 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2798
    RP: -> 2012-07-12 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2797
    RP: -> 2012-07-12 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2796
    RP: -> 2012-07-12 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2795
    RP: -> 2012-07-12 00:50 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2794
    RP: -> 2012-07-12 00:29 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2793
    RP: -> 2012-07-11 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2792
    RP: -> 2012-07-11 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2791
    RP: -> 2012-07-11 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2790
    RP: -> 2012-07-11 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2789
    RP: -> 2012-07-11 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2788
    RP: -> 2012-07-11 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2787
    RP: -> 2012-07-11 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2786
    RP: -> 2012-07-11 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2785
    RP: -> 2012-07-11 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2784
    RP: -> 2012-07-11 00:30 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2783
    RP: -> 2012-07-11 00:07 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2782
    RP: -> 2012-07-10 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2781
    RP: -> 2012-07-10 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2780
    RP: -> 2012-07-10 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2779
    RP: -> 2012-07-10 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2778
    RP: -> 2012-07-10 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2777
    RP: -> 2012-07-10 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2776
    RP: -> 2012-07-10 00:40 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2775
    RP: -> 2012-07-10 00:15 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2774
    RP: -> 2012-07-09 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2773
    RP: -> 2012-07-09 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2772
    RP: -> 2012-07-09 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2771
    RP: -> 2012-07-09 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2770
    RP: -> 2012-07-09 12:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2769
    RP: -> 2012-07-09 00:43 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2768
    RP: -> 2012-07-09 00:17 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2767
    RP: -> 2012-07-08 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2766
    RP: -> 2012-07-08 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2765
    RP: -> 2012-07-08 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2764
    RP: -> 2012-07-08 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2763
    RP: -> 2012-07-08 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2762
    RP: -> 2012-07-08 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2761
    RP: -> 2012-07-08 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2760
    RP: -> 2012-07-08 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2759
    RP: -> 2012-07-08 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2758
    RP: -> 2012-07-08 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2757
    RP: -> 2012-07-08 00:47 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2756
    RP: -> 2012-07-08 00:26 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2755
    RP: -> 2012-07-07 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2754
    RP: -> 2012-07-07 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2753
    RP: -> 2012-07-07 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2752
    RP: -> 2012-07-07 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2751
    RP: -> 2012-07-07 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2750
    RP: -> 2012-07-07 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2749
    RP: -> 2012-07-07 16:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2748
    RP: -> 2012-07-07 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2747
    RP: -> 2012-07-07 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2746
    RP: -> 2012-07-07 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2745
    RP: -> 2012-07-07 00:28 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2744
    RP: -> 2012-07-07 00:06 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2743
    RP: -> 2012-07-06 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2742
    RP: -> 2012-07-06 22:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2741
    RP: -> 2012-07-06 20:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2740
    RP: -> 2012-07-06 18:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2739
    RP: -> 2012-07-06 16:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2738
    RP: -> 2012-07-06 14:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2737
    RP: -> 2012-07-06 12:31 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2736
    RP: -> 2012-07-06 00:36 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2735
    RP: -> 2012-07-06 00:16 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2734
    RP: -> 2012-07-05 22:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2733
    RP: -> 2012-07-05 20:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2732
    RP: -> 2012-07-05 18:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2731
    RP: -> 2012-07-05 16:33 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2730
    RP: -> 2012-07-05 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2729
    RP: -> 2012-07-05 12:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2728
    RP: -> 2012-07-05 00:37 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2727
    RP: -> 2012-07-05 00:23 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2726
    RP: -> 2012-07-04 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2725
    RP: -> 2012-07-04 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2724
    RP: -> 2012-07-04 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2723
    RP: -> 2012-07-04 20:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2722
    RP: -> 2012-07-04 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2721
    RP: -> 2012-07-04 18:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2720
    RP: -> 2012-07-04 16:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2719
    RP: -> 2012-07-04 16:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2718
    RP: -> 2012-07-04 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2717
    RP: -> 2012-07-04 14:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2716
    RP: -> 2012-07-04 12:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2715
    RP: -> 2012-07-04 12:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2714
    RP: -> 2012-07-04 00:14 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2713
    RP: -> 2012-07-04 00:01 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2712
    RP: -> 2012-07-03 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2711
    RP: -> 2012-07-03 22:32 - 032768 _restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP2710
    ========================= Memory info ======================
    Percentage of memory in use: 21%
    Total physical RAM: 1014.17 MB
    Available physical RAM: 794.05 MB
    Total Pagefile: 901.73 MB
    Available Pagefile: 840.25 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2002.18 MB
    ======================= Partitions =========================
    1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    2 Drive c: (Preload) (Fixed) (Total:145.58 GB) (Free:113.07 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive d: (MULTIBOOT) (Removable) (Total:7.52 GB) (Free:2.29 GB) FAT32
    4 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 146 GB 1024 KB
    Partition 2 OEM 3556 MB 146 GB
    Partition 3 Unknown 1872 KB 149 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C Preload NTFS Partition 146 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 12
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 SERVICEV001 FAT32 Partition 3556 MB Healthy
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 Partition 2048 KB Healthy
    ==================================================================================
    ======================= End Of Log ==========================
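The partition listing above is the most telling part of this log: Partition 3 is a 2048 KB, hidden-type (0x17), active partition sitting at the very end of the disk, which is why FRST labels it "Suspicious Type". As an added example (not part of the thread or of FRST), the script below parses a raw 512-byte MBR partition table and flags that same pattern; the sample MBR it builds is constructed from the sizes in the log, not read from the machine.

```python
"""Parse an MBR partition table and flag a tiny, hidden-type partition that
carries the active (boot) flag. Added example modelled on the FRST log above;
the MBR bytes are constructed, not captured from the infected machine."""
import struct
from dataclasses import dataclass

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
# DOS "hidden" partition type IDs; 0x12 is the OEM/diagnostic type FRST listed as Hidden: Yes
HIDDEN_TYPES = {0x11, 0x12, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
SMALL_ACTIVE_LIMIT = 16 * 1024 * 1024  # no real OS boot volume is this small


@dataclass
class PartitionEntry:
    index: int          # 1-based slot in the table, as diskpart/FRST number them
    active: bool        # 0x80 boot indicator byte
    type_id: int
    start_lba: int
    sectors: int

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR

    @property
    def hidden(self) -> bool:
        return self.type_id in HIDDEN_TYPES

    @property
    def empty(self) -> bool:
        return self.type_id == 0 and self.sectors == 0


def parse_mbr(mbr: bytes) -> list[PartitionEntry]:
    """Return the four 16-byte slots of a classic MBR as PartitionEntry objects."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_start, ptype, _chs_end, start_lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        entries.append(PartitionEntry(i + 1, status == 0x80, ptype, start_lba, count))
    return entries


def suspicious_entries(entries):
    """Apply the heuristics FRST's 'Suspicious Type' hints at; return (entry, reasons) pairs."""
    flagged = []
    for e in entries:
        if e.empty:
            continue
        reasons = []
        if e.active and e.hidden:
            reasons.append("hidden-type partition carries the active flag")
        if e.active and e.size_bytes < SMALL_ACTIVE_LIMIT:
            reasons.append("active partition is smaller than 16 MiB")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def report(entries):
    """Render non-empty slots in the same shape as the FRST partition dump."""
    return [
        f"Partition {e.index}  Type: {e.type_id:02X}  Hidden: {'Yes' if e.hidden else 'No'}  "
        f"Active: {'Yes' if e.active else 'No'}  Size: {e.size_bytes // 1024} KB"
        for e in entries if not e.empty
    ]


def build_entry(active, ptype, start_lba, sectors):
    """Pack one 16-byte slot; CHS fields are set to the usual 0xFFFFFF 'use LBA' filler."""
    status = 0x80 if active else 0x00
    return struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype, b"\xff\xff\xff",
                       start_lba, sectors)


def constructed_mbr() -> bytes:
    """Constructed sample: 146 GB NTFS (07), 3556 MB OEM (12), 2048 KB active type 17."""
    p1_start = 2048                          # 1024 KB offset, as in the log
    p1_count = 146 * 1024 * 1024 * 2         # 146 GB in 512-byte sectors
    p2_start = p1_start + p1_count
    p2_count = 3556 * 2048                   # 3556 MB
    p3_start = p2_start + p2_count
    p3_count = 4096                          # 2048 KB
    table = (build_entry(False, 0x07, p1_start, p1_count)
             + build_entry(False, 0x12, p2_start, p2_count)
             + build_entry(True, 0x17, p3_start, p3_count)
             + bytes(16))                    # fourth slot unused
    return bytes(446) + table + MBR_SIGNATURE


if __name__ == "__main__":
    ents = parse_mbr(constructed_mbr())
    for line in report(ents):
        print(line)
    for e, reasons in suspicious_entries(ents):
        print(f"Partition {e.index}: " + "; ".join(reasons))
```

On a live Windows system the same parser can be fed the first 512 bytes of `\\.\PhysicalDrive0` (administrator rights required), but a rootkit that hooks disk I/O can return a clean sector to anything running under the infected OS, which is why the thread reads the disk from a boot CD instead.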
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I skipped over the part where "ComboFix freezes". Which may not be good. If this is a business PC, I have no idea what to tell you. It's at your own risk.

    FRST Fixlist

    Please run the following:

    Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    NEXT, go to the Desktop of the OTLPE front screen, and double click on OTL.exe. Please run a Quick Scan and post the logs from it as well.
     
  8. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    This particular machine is a friend's, but as a tech I try to make sure I mind my P's and Q's.

    Do you want me to run FRST out of the System Recovery Options from a Windows XP boot disk, or are you referring to a particular program within the OTLPE?
     
  9. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Since this is one of those PCs that only comes with a recovery disk and no Windows startup one, I'm using a generic retail disk from Microsoft and booting off that. After it finishes all the driver loads and goes to "Starting Windows..." however, it blue-screens on pci.sys.

    Not sure if this is related to the other problems, or because I'm booting off a Home disk and this machine is XP Professional. I don't recall having seen that type of crash before, however, and I've often run CHKDSK this way off whatever boot disk was lying closest to me.
     
  10. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Sorry if it seems like comment spam. I just apparently don't have a disk that works while at home to get into a proper recovery environment. Will FRST run from Safe Mode w/Command Prompt?
     
  11. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Going to be largely away until Monday, so I hope it runs OK from Safe Mode. The log file complained about it, but the actions seem to have taken place. Let me know if "Fix" in FRST was supposed to do more:


    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012
    Ran by Administrator at 2012-07-21 16:39:46 Run:1
    Running from E:\cleanup

    ATTENTION: THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

    ==============================================

    C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuwr moved successfully.
    C:\Documents and Settings\All Users\Application Data\-Eqhhx9McQjouuw moved successfully.
    C:\Documents and Settings\All Users\Application Data\Eqhhx9McQjouuw moved successfully.
    C:\Documents and Settings\kristine\1ee7e578-5753.exe moved successfully.

    ==== End of Fixlog ====


    OTL logfile created on: 7/21/2012 5:56:57 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,014.00 Mb Total Physical Memory | 772.00 Mb Available Physical Memory | 76.00% Memory free
    902.00 Mb Paging File | 844.00 Mb Available in Paging File | 94.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 145.58 Gb Total Space | 113.07 Gb Free Space | 77.67% Space Free | Partition Type: NTFS
    Drive D: | 7.52 Gb Total Space | 2.29 Gb Free Space | 30.42% Space Free | Partition Type: FAT32
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet004

    ========== Win32 Services (SafeList) ==========

    SRV - [2012/07/12 18:25:51 | 000,136,616 | -H-- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
    SRV - [2012/07/12 18:25:15 | 000,374,184 | -H-- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2012/07/12 11:14:58 | 000,250,056 | -H-- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/02/23 17:41:45 | 000,086,856 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZWatchDog.exe -- (SAAZWatchDog)
    SRV - [2012/02/23 17:41:45 | 000,086,856 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZDPMACTL.exe -- (SAAZDPMACTL)
    SRV - [2012/02/23 17:41:45 | 000,078,664 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZRemoteSupport.exe -- (SAAZRemoteSupport)
    SRV - [2012/02/23 17:26:24 | 000,077,824 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZScheduler.exe -- (SAAZScheduler)
    SRV - [2011/08/09 13:31:24 | 000,230,216 | -H-- | M] (Zenith Infotech ltd.) [Disabled] -- C:\Program Files\SAAZOD\zSCC\zEvtSVC.exe -- (ZEvtSVC)
    SRV - [2011/05/31 14:15:16 | 000,082,760 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\zRealTime\SAAZapsc.exe -- (SAAZapsc)
    SRV - [2011/05/31 14:14:38 | 000,082,760 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe -- (SAAZappr)
    SRV - [2011/04/18 14:11:40 | 000,028,672 | -H-- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
    SRV - [2011/02/15 14:12:51 | 000,389,960 | -H-- | M] (CA) [Auto] -- C:\Program Files\CA\eTrustITM\InoTask.exe -- (InoTask)
    SRV - [2010/11/08 13:04:20 | 000,390,528 | -H-- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
    SRV - [2009/12/07 16:19:18 | 000,283,888 | -H-- | M] (CA, Inc.) [Auto] -- C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe -- (ITMRTSVC)
    SRV - [2009/09/29 15:23:54 | 000,192,512 | -H-- | M] (CA) [Auto] -- C:\Program Files\CA\eTrustITM\InoRpc.exe -- (InoRPC)
    SRV - [2009/09/29 15:23:53 | 000,208,896 | -H-- | M] (CA) [Auto] -- C:\Program Files\CA\eTrustITM\InoRT.exe -- (InoRT)
    SRV - [2009/09/16 19:22:08 | 000,020,480 | -H-- | M] (Intuit) [Auto] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
    SRV - [2009/04/30 20:46:58 | 000,077,824 | -H-- | M] (Zenith Infotech Ltd) [Auto] -- C:\Program Files\SAAZOD\SAAZServerPlus.exe -- (SAAZServerPlus)
    SRV - [2007/08/03 19:10:46 | 000,644,408 | -H-- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
    SRV - [2007/07/11 23:38:44 | 000,569,344 | -H-- | M] () [Auto] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
    SRV - [2007/07/11 22:19:00 | 000,045,056 | -H-- | M] () [Auto] -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe -- (tvtnetwk)
    SRV - [2007/05/24 07:08:44 | 000,061,440 | -H-- | M] (Intuit Inc.) [On_Demand] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
    SRV - [2007/02/05 07:57:24 | 000,106,496 | -H-- | M] (CA, Inc.) [Auto] -- C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe -- (iGateway)
    SRV - [2007/01/04 22:48:52 | 000,112,152 | RH-- | M] (InterVideo) [Auto] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
    SRV - [2007/01/04 17:38:08 | 000,024,652 | -H-- | M] (Viewpoint Corporation) [Auto] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
    SRV - [2006/09/13 10:32:12 | 000,128,536 | -H-- | M] (iAnywhere Solutions, Inc.) [Auto] -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe -- (QuickBooksDB18)
    SRV - [2006/05/23 23:08:06 | 000,622,700 | -H-- | M] (Diskeeper Corporation) [Auto] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
    SRV - [2006/02/23 12:41:02 | 002,045,632 | -H-- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
    SRV - [2005/10/06 21:12:30 | 000,855,552 | -H-- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (USBAAPL)
    DRV - File not found [Kernel | On_Demand] -- -- (TVTPktFilter)
    DRV - File not found [Kernel | On_Demand] -- -- (SymIMMP)
    DRV - File not found [Kernel | On_Demand] -- -- (SymIM)
    DRV - File not found [Kernel | System] -- -- (SASKUTIL)
    DRV - File not found [Kernel | System] -- -- (SASDIFSV)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (mcdbus)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2012/01/31 22:30:34 | 000,083,360 | -H-- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2010/09/17 16:40:06 | 000,012,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
    DRV - [2008/04/29 04:00:00 | 000,288,896 | -H-- | M] (Marvell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
    DRV - [2007/10/22 04:41:34 | 004,622,848 | -H-- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2007/10/18 21:14:32 | 000,184,080 | -H-- | M] (Computer Associates) [File_System | Auto] -- C:\WINDOWS\system32\drivers\ino_fltr.sys -- (INO_FLTR)
    DRV - [2007/08/06 22:07:02 | 000,027,536 | -H-- | M] (Computer Associates) [File_System | Boot] -- C:\WINDOWS\system32\drivers\ino_flpy.sys -- (INO_FLPY)
    DRV - [2007/05/22 18:59:38 | 000,030,336 | -H-- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tvti2c.sys -- (TVTI2C)
    DRV - [2007/05/22 03:59:34 | 000,021,376 | -H-- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
    DRV - [2006/02/02 08:20:00 | 000,094,332 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
    DRV - [2006/02/02 08:20:00 | 000,087,036 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
    DRV - [2006/02/02 08:20:00 | 000,086,652 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
    DRV - [2006/02/02 08:20:00 | 000,025,628 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
    DRV - [2006/02/02 08:20:00 | 000,014,684 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
    DRV - [2006/02/02 08:20:00 | 000,006,364 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
    DRV - [2006/02/02 08:20:00 | 000,002,496 | -H-- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
    DRV - [2005/11/18 15:02:50 | 000,005,660 | -H-- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
    DRV - [2005/11/18 15:02:10 | 000,022,684 | -H-- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
    DRV - [2003/02/11 16:25:14 | 000,009,216 | -H-- | M] (Primax Electronics Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PELUSBLF.SYS -- (pelusblf)
    DRV - [2003/01/10 16:55:32 | 000,016,384 | -H-- | M] (Primax Electronics Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PELMOUSE.SYS -- (pelmouse)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)


    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
    IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
    IE - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\audrey_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\audrey_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\audrey_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
    IE - HKU\audrey_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
    IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\kristine_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?mtmhp=txtlnkusaolp00000051
    IE - HKU\kristine_ON_C\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
    IE - HKU\kristine_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\kristine_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


    IE - HKU\LogMeInRemoteUser_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\LogMeInRemoteUser_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
    IE - HKU\LogMeInRemoteUser_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
    IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
    IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



    O1 HOSTS File: ([2012/06/22 10:04:41 | 000,000,761 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
    O2 - BHO: (AOL Messaging Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
    O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O3 - HKLM\..\Toolbar: (AOL Messaging Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
    O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKU\Administrator.SMALLBUSINESS_ON_C\..\Toolbar\WebBrowser: (AOL Messaging Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
    O3 - HKU\Administrator.SMALLBUSINESS_ON_C\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKU\audrey_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O3 - HKU\audrey_ON_C\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKU\kristine_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O3 - HKU\kristine_ON_C\..\Toolbar\WebBrowser: (AOL Messaging Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
    O3 - HKU\kristine_ON_C\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
    O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
    O4 - HKLM..\Run: [Realtime Monitor] C:\Program Files\CA\eTrustITM\realmon.exe (CA)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator.SMALLBUSINESS_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\Administrator.SMALLBUSINESS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\audrey_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\audrey_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\kristine_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\kristine_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\kristine_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
    O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LogMeInRemoteUser_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\LogMeInRemoteUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\QBDataServiceUser18_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\QBDataServiceUser18_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.25 24.225.193.110 24.225.193.111 208.67.222.222 208.67.220.220
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = smallbusiness.local
    O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
    O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
    O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/04/30 03:13:35 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O33 - MountPoints2\{8e2c3f6f-b3c3-11e0-8132-0021971730ba}\Shell - "" = AutoRun
    O33 - MountPoints2\{8e2c3f6f-b3c3-11e0-8132-0021971730ba}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{8e2c3f6f-b3c3-11e0-8132-0021971730ba}\Shell\AutoRun\command - "" = E:\TL-Bootstrap.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/20 15:29:44 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/07/20 14:07:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
    [2012/07/19 17:08:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kristine\Application Data\SUPERAntiSpyware.com
    [2012/07/19 17:08:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2012/07/19 17:01:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kristine\Application Data\Malwarebytes
    [2012/07/19 17:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/19 17:01:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2012/07/19 17:01:16 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/07/19 17:01:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/07/19 15:57:44 | 000,000,000 | --SD | C] -- C:\cfx
    [2012/07/19 15:41:43 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\kristine\Desktop\aswMBR.exe
    [2012/07/19 15:33:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\FixTDSS
    [2012/07/19 15:30:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2012/07/19 15:28:36 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\kristine\Recent
    [2012/07/19 10:38:30 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/07/19 10:32:47 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/07/19 10:32:47 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/07/19 10:32:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/07/19 10:32:47 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/07/19 10:31:33 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2012/07/19 10:29:56 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/19 10:28:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
    [2012/07/19 09:56:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\kristine\Start Menu\Programs\File Recovery
    [2012/06/22 15:24:32 | 000,000,000 | -H-D | C] -- C:\WINDOWS\pss
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/07/21 16:50:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/07/21 15:31:57 | 000,002,278 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/07/19 17:06:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/19 16:50:51 | 000,000,355 | RHS- | M] () -- C:\boot.ini
    [2012/07/19 15:38:52 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\kristine\Desktop\aswMBR.exe
    [2012/07/19 15:27:53 | 000,000,236 | -H-- | M] () -- C:\WINDOWS\tasks\OGALogon.job
    [2012/07/19 15:27:51 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/07/19 10:38:22 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/07/19 10:12:07 | 000,000,245 | ---- | M] () -- C:\Boot.bak
    [2012/07/19 09:55:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
    [2012/07/19 09:55:45 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    [2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\ThinkVantage
    [2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Syscan
    [2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy SBE
    [2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Remote Support
    [2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickBooks
    [2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Picasa2
    [2012/07/19 09:55:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Multimedia Center For Think Offerings
    [2012/07/19 09:55:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\PrintMe Internet Printing
    [2012/07/19 09:55:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\PC-Doctor 5 for Windows
    [2012/07/19 09:55:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Mouse
    [2012/07/19 09:55:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Keyboard
    [2012/07/19 09:55:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\JMA
    [2012/07/19 09:55:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\HP
    [2012/07/19 09:55:43 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Games
    [2012/07/19 09:55:43 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
    [2012/07/19 09:55:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Desktop
    [2012/07/19 09:55:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Diskeeper Corporation
    [2012/07/19 09:55:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\AIM
    [2012/07/19 09:55:42 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
    [2012/07/19 09:50:00 | 000,000,256 | -H-- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
    [2012/07/19 09:47:26 | 000,000,564 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\106.7 Lite fm - 106.7 Lite fm New York.url
    [2012/07/19 09:20:00 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/07/19 09:14:00 | 000,000,830 | -H-- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/07/19 09:13:47 | 000,318,531 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\ERBOE.jpg
    [2012/07/19 09:07:10 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\kristine\Desktop\Microsoft Office Outlook 2003.lnk
    [2012/07/19 00:42:54 | 000,445,452 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/07/19 00:42:54 | 000,073,202 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/07/19 00:35:11 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/07/17 15:01:48 | 000,011,778 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\Intuit.pdf
    [2012/07/17 10:14:23 | 000,000,322 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\PNC Bank.url
    [2012/07/16 15:17:23 | 000,011,778 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\ERutherford.pdf
    [2012/07/16 10:46:58 | 000,233,455 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\cosco.jpg
    [2012/07/12 18:25:15 | 000,087,456 | -H-- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
    [2012/07/12 18:25:15 | 000,030,624 | -H-- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
    [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/06/28 09:42:34 | 000,309,173 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\carrabbas.jpg
    [2012/06/26 13:07:07 | 000,134,731 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\louie.jpg
    [2012/06/22 15:24:11 | 000,001,116 | -H-- | M] () -- C:\IPH.PH
    [2012/06/22 15:22:20 | 000,002,029 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\Retry AIM Installation.lnk
    [2012/06/22 14:46:20 | 000,360,823 | -H-- | M] () -- C:\Documents and Settings\kristine\Desktop\Better Proposal for Louie.jpg
    [2012/06/22 10:04:41 | 000,000,761 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120625-000705.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120717-001837.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120717-001734.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120717-001629.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120716-003026.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120716-002925.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120716-002824.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120713-003030.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120713-002927.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120713-002755.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120710-002002.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120710-001900.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120710-001758.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120709-002508.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120709-002405.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120709-002258.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120706-002327.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120706-002226.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120706-002121.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120703-001444.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120703-001340.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120703-001236.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120702-002509.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120702-002407.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120702-002300.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120629-002334.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120629-002231.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120629-002112.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120626-001514.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120626-001413.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120626-001312.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120625-000908.backup
    [2012/06/22 10:04:41 | 000,000,761 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120625-000807.backup
    [2012/06/22 10:04:41 | 000,000,761 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120719-171050.backup
    [2012/06/22 10:04:41 | 000,000,761 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/06/22 00:28:43 | 000,440,483 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120622-002956.backup
    [2012/06/22 00:27:33 | 000,440,483 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120622-002843.backup
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/19 10:38:46 | 000,000,245 | ---- | C] () -- C:\Boot.bak
    [2012/07/19 10:38:34 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/07/19 10:32:47 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/07/19 10:32:47 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/07/19 10:32:47 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/07/19 10:32:47 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/07/19 10:32:47 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/07/19 10:32:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/07/19 09:13:26 | 000,318,531 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\ERBOE.jpg
    [2012/07/17 15:01:35 | 000,011,778 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\Intuit.pdf
    [2012/07/16 15:17:09 | 000,011,778 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\ERutherford.pdf
    [2012/07/16 10:46:04 | 000,233,455 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\cosco.jpg
    [2012/06/28 09:41:39 | 000,309,173 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\carrabbas.jpg
    [2012/06/26 13:02:06 | 000,134,731 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\louie.jpg
    [2012/06/22 15:23:17 | 000,000,830 | -H-- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/06/22 15:22:15 | 000,002,029 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\Retry AIM Installation.lnk
    [2012/06/22 14:45:26 | 000,360,823 | -H-- | C] () -- C:\Documents and Settings\kristine\Desktop\Better Proposal for Louie.jpg
    [2012/04/26 11:11:31 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\kristine\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/16 02:17:16 | 000,003,072 | -H-- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/01/17 00:26:54 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator.SMALLBUSINESS\Ÿ9Ÿ9
    [2009/08/03 15:07:42 | 000,403,816 | -H-- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009/08/03 15:07:42 | 000,230,768 | -H-- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
    [2009/04/13 14:16:40 | 004,111,360 | -H-- | C] () -- C:\Program Files\Common Files\Remote Deposit Client.msi
    [2008/11/13 15:17:27 | 000,007,680 | -H-- | C] () -- C:\Documents and Settings\audrey\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/11/13 13:29:24 | 000,157,672 | -H-- | C] () -- C:\WINDOWS\hpoins28.dat
    [2008/11/13 13:29:24 | 000,000,932 | -H-- | C] () -- C:\WINDOWS\hpomdl28.dat
    [2008/11/12 12:17:39 | 000,000,376 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/10/10 13:27:08 | 000,000,061 | -H-- | C] () -- C:\WINDOWS\smscfg.ini
    [2008/10/10 13:06:15 | 000,114,688 | -H-- | C] () -- C:\WINDOWS\desktopset.exe
    [2008/10/10 13:02:46 | 000,204,800 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
    [2008/10/10 13:02:46 | 000,200,704 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
    [2008/10/10 13:02:46 | 000,192,512 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
    [2008/10/10 13:02:46 | 000,192,512 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
    [2008/10/10 13:02:46 | 000,188,416 | -H-- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
    [2008/10/10 13:02:46 | 000,020,480 | -H-- | C] () -- C:\WINDOWS\System32\IVIresize.dll
    [2008/10/10 13:00:59 | 000,000,124 | -H-- | C] () -- C:\WINDOWS\wininit.ini
    [2008/10/10 12:56:28 | 000,147,456 | -H-- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4873.dll
    [2008/10/10 12:56:14 | 000,049,152 | -H-- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2008/10/10 12:55:47 | 000,005,528 | -H-- | C] () -- C:\WINDOWS\System32\Setup2k.ini
    [2008/10/10 12:55:47 | 000,000,296 | -H-- | C] () -- C:\WINDOWS\System32\presetup.ini
    [2008/10/10 12:55:46 | 000,024,576 | -H-- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
    [2008/10/10 12:55:46 | 000,020,480 | -H-- | C] () -- C:\WINDOWS\System32\FSRremoS.EXE
    [2008/10/10 12:51:22 | 000,000,138 | -H-- | C] () -- C:\WINDOWS\System32\Softkbd.exe.config
    [2007/02/19 15:15:38 | 000,331,264 | -H-- | C] () -- C:\WINDOWS\System32\DP485WIA.dll
    [2007/01/16 11:12:12 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\px.ini
    [2006/09/05 17:20:36 | 000,079,400 | -H-- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
    [2006/04/30 03:31:51 | 000,004,670 | -H-- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2006/04/30 03:22:10 | 000,000,791 | -H-- | C] () -- C:\WINDOWS\orun32.ini
    [2006/04/30 03:19:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2006/04/30 03:10:07 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2006/04/30 02:55:59 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2006/04/30 02:55:55 | 000,445,452 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2006/04/30 02:55:55 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2006/04/30 02:55:55 | 000,073,202 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2006/04/30 02:55:55 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2006/04/30 02:55:54 | 000,004,547 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2006/04/30 02:55:52 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2006/04/30 02:55:50 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
    [2006/04/30 02:55:44 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2006/04/30 02:55:44 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
    [2006/04/30 02:55:37 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2006/04/30 02:55:28 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2006/04/29 20:04:28 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006/04/29 20:03:29 | 000,282,928 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2003/01/07 16:05:08 | 000,002,695 | -H-- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator.SMALLBUSINESS\Application Data\Lenovo
    [2012/07/19 15:33:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FixTDSS
    [2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Application Data\Lenovo
    [2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\audrey\Application Data\Lenovo
    [2010/01/28 12:37:25 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\3M
    [2010/09/23 13:13:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\acccore
    [2010/01/28 12:36:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\GetRightToGo
    [2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\Lenovo
    [2010/11/19 12:58:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\PriceGong
    [2009/05/19 08:04:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\kristine\Application Data\Viewpoint
    [2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Lenovo
    [2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\QBDataServiceUser18\Application Data\Lenovo
    [2010/09/23 13:11:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
    [2008/11/18 13:03:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AIM Toolbar
    [2008/11/13 14:24:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
    [2010/09/09 14:50:47 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DNC
    [2010/01/04 11:54:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
    [2009/04/15 15:30:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\kinoma
    [2008/10/10 13:11:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
    [2012/07/20 10:17:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
    [2009/04/15 15:31:23 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Marlin
    [2009/04/13 13:56:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
    [2008/10/10 13:14:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
    [2009/04/13 13:55:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Syscan
    [2010/05/10 13:53:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/08/10 09:56:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2012/01/16 10:02:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2012/07/19 09:50:00 | 000,000,256 | -H-- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    [2012/07/19 15:27:53 | 000,000,236 | -H-- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 834 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35E5AF34
    < End of report >
     
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  13. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Thanks. I'm used to renaming ComboFix to a "randomstring.com" username, but not giving it those kinds of names. It still froze as svchost.exe, but I'll try through all of them in succession now. Just wanted to first update you on a bit more I was able to do from your previous instructions, before your current update.

    I was unable to run the FRST steps from a Recovery Console, but it seemed to run OK from Safe Mode and apparently removed enough that I could run TDSSkiller (which found and killed an Rloader.a infection in ACPI.sys) and aswMBR (which locates but cannot fix an infection, and whose log file I will list below.)

    HitmanPro can run now as well and sees some temp infections and rates mscomm32.ocx as "suspicious" as well. (Did not have it clean, just tested.)

    dds.scr still fails to complete, and I have not successfully gotten ComboFix to run yet, but I'll continue through the other renamings.
     
  14. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-23 00:43:50
    -----------------------------
    00:43:50.359 OS Version: Windows 5.1.2600 Service Pack 3
    00:43:50.359 Number of processors: 2 586 0xF0D
    00:43:50.359 ComputerName: HL111008 UserName: Kristine
    00:43:50.640 Initialize success
    00:45:31.671 AVAST engine defs: 12072201
    00:46:01.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    00:46:01.796 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
    00:46:01.828 Disk 0 MBR read successfully
    00:46:01.828 Disk 0 MBR scan
    00:46:01.875 Disk 0 Windows XP default MBR code
    00:46:01.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
    00:46:01.937 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
    00:46:01.953 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
    00:46:01.968 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
    00:46:02.015 Disk 0 scanning sectors +312581792
    00:46:03.484 Disk 0 scanning C:\WINDOWS\system32\drivers
    00:46:13.218 Service scanning
    00:46:32.640 Modules scanning
    00:46:38.359 Disk 0 trace - called modules:
    00:46:38.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    00:46:38.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87375ab8]
    00:46:38.515 3 CLASSPNP.SYS[f774cfd7] -> nt!IofCallDriver -> \Device\00000063[0x873ca9e8]
    00:46:38.546 5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x87378d98]
    00:46:38.921 AVAST engine scan C:\WINDOWS
    00:47:03.859 AVAST engine scan C:\WINDOWS\system32
    00:49:16.906 AVAST engine scan C:\WINDOWS\system32\drivers
    00:49:37.046 AVAST engine scan C:\Documents and Settings\kristine
    00:51:51.234 File: C:\Documents and Settings\kristine\Local Settings\Temp\34acf1a4-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
    00:51:51.359 File: C:\Documents and Settings\kristine\Local Settings\Temp\35ad8ae8-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
    00:51:51.531 File: C:\Documents and Settings\kristine\Local Settings\Temp\7ea807b2-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
    00:52:29.156 AVAST engine scan C:\Documents and Settings\All Users
    00:53:11.328 Scan finished successfully
    00:53:19.890 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
    00:53:19.937 The log file has been saved successfully to "C:\download\aswMBR.txt
     
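    As an added example (not aswMBR's code or anything posted in this thread), here is a parser for the partition table that aswMBR reads before printing its "Disk 0 Partition ..." lines. It rebuilds a sample MBR from the three entries in the log above and flags the 1 MB hidden NTFS entry parked at the end of the disk, which is the slot the scanner marked INFECTED; the check depends only on the table itself, so it gives the same answer on an MBR dumped from a PE boot. The partition types, offsets and the 152627 MB disk size come from the log; the zeroed boot-code area and the 16 MB "small partition" threshold are assumptions.

```python
# Parse a 512-byte MBR and flag partition-table entries shaped like a bootkit's
# hidden loader partition.  Added example for this thread; not aswMBR's code.
# The sample MBR is CONSTRUCTED from the partition table aswMBR printed for
# Disk 0 (types 07, 12, 17; offsets 2048, 305295360, 312578048; 152627 MB disk).
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
BOOT_SIGNATURE = 0xAA55          # stored little-endian as the bytes 55 AA
ENTRY_FMT = "<B3sB3sII"          # boot flag, CHS start, type, CHS end, LBA start, LBA count

# Partition type IDs with the "hidden" bit set (Windows assigns no drive letter)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x12: "Compaq diag", 0x17: "Hidden HPFS/NTFS"}

# Disk size reported in the log (152627 MB), expressed in 512-byte sectors
DISK_SECTORS = 152627 * 1024 * 1024 // SECTOR


def mb_to_sectors(mb):
    return mb * 1024 * 1024 // SECTOR


def build_entry(boot_flag, ptype, lba_start, lba_count):
    # CHS fields are zeroed; every modern reader uses the LBA fields instead
    return struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, lba_count)


def build_sample_mbr():
    """Constructed sample reproducing the three entries from the aswMBR log."""
    table = b"".join([
        build_entry(0x80, 0x07, 2048, mb_to_sectors(149069)),      # active Windows volume
        build_entry(0x00, 0x12, 305295360, mb_to_sectors(3556)),   # OEM diagnostics volume
        build_entry(0x00, 0x17, 312578048, mb_to_sectors(1)),      # 1 MB hidden NTFS entry
        bytes(16),                                                 # unused fourth slot
    ])
    # Boot code area is left zeroed (assumption); a real MBR carries 446 bytes of code
    return bytes(PART_TABLE_OFFSET) + table + struct.pack("<H", BOOT_SIGNATURE)


def parse_mbr(mbr):
    """Return the populated partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    (sig,) = struct.unpack_from("<H", mbr, SECTOR - 2)
    if sig != BOOT_SIGNATURE:
        raise ValueError("boot signature 55 AA missing")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                               # empty slot
        parts.append({
            "index": i + 1,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "type 0x%02X" % ptype),
            "start": start,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def describe(p):
    """One line per entry in the same spirit as aswMBR's partition lines."""
    return "Partition %d %02X %02X %s %d MB offset %d" % (
        p["index"], 0x80 if p["active"] else 0x00, p["type"],
        p["type_name"], p["size_mb"], p["start"])


def suspicious_partitions(parts, disk_sectors, max_hidden_mb=16):
    """Flag entries that look like a loader stash rather than a user volume.

    A hidden-type partition of a few MB (an OEM recovery volume is hundreds
    of MB) is the main signal; its position relative to the disk end is
    reported alongside.  Entries that run past the disk or overlap a
    neighbour are flagged as table corruption worth a second look.
    """
    findings = []
    ordered = sorted(parts, key=lambda p: p["start"])
    for n, p in enumerate(ordered):
        end = p["start"] + p["sectors"]
        reasons = []
        if p["type"] in HIDDEN_TYPES and p["size_mb"] <= max_hidden_mb:
            reasons.append("hidden partition of only %d MB, ending %d sectors before disk end"
                           % (p["size_mb"], disk_sectors - end))
        if end > disk_sectors:
            reasons.append("extends %d sectors past the end of the disk" % (end - disk_sectors))
        if n + 1 < len(ordered) and end > ordered[n + 1]["start"]:
            reasons.append("overlaps partition %d" % ordered[n + 1]["index"])
        if reasons:
            findings.append({"index": p["index"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for entry in table:
        print(describe(entry))
    for f in suspicious_partitions(table, DISK_SECTORS):
        print("Partition %d SUSPICIOUS: %s" % (f["index"], "; ".join(f["reasons"])))
```

On a real machine the 512 bytes would come from the saved MBR.dat that aswMBR writes, or from a raw read of the first sector while booted from clean media.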
  15. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Looks like ComboFix with any given name is causing the PC to freeze still. I have disabled all 3rd party services and startup items, meanwhile, to rule out any of that interaction.
     
  16. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    I don't want to run a tool like ComboFix out of the reatogo-X-PE environment without asking, but would it do a thing? Are there other tools that might be able to scour the MBR and registry properly loaded from in there? I imagine they are not able to work as WELL, but if they're able to work at ALL would it help peel back the layers of this malware onion?
     
  17. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Also, something is definitely watching and scrubbing those processes after they run. ComboFix.exe when named to svchost.exe or winlogon.exe or iexplore.exe or explore.exe all freeze at some point, and their file also disappears from the directory they were run out of.
     
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Yeah, it's a bad rootkit. Did you run aswMBR from OTLPE?
     
  19. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    I was running it out of Safe Mode. Hadn't run anything out of OTLPE except what you were explicitly mentioning, just because I wasn't sure what would still target the Windows install properly.

    I guess you're saying aswMBR is safe to run. ;-) But what about ComboFix? Other tools? There a hard and fast guide?

    For reference, after doing the other cleanup and getting TDSSKiller and aswMBR to run at all, I could also run FixTDSS and it found and fixed... SOMEthing. I guess? But in the end it couldn't catch it all. It didn't throw the PC into a boot loop after running which needed to be Last Known'd back out of, however.
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    O...kay.... go ahead with another aswMBR scan and post a new log, please.
     
  22. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    aswMBR does not detect any of the same infections when run from the PE as when it's run from Safe Mode, so it's still best to refer to the log listed above, rather than the one I will paste below. (I imagine.) Hence my questions about which tools to expect would work better or worse (or not at all) from the PE, or if there are any other steps I have to take first before they do operate effectively.

    -----------

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-24 18:15:18
    -----------------------------
    18:15:18.421 OS Version: Windows 5.1.2600
    18:15:18.421 Number of processors: 1 586 0xF0D
    18:15:18.421 ComputerName: REATOGO UserName: SYSTEM
    18:15:18.656 Initialze error 0
    18:29:03.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    18:29:03.468 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
    18:29:03.484 Disk 0 MBR read successfully
    18:29:03.500 Disk 0 MBR scan
    18:29:03.515 Disk 0 Windows XP default MBR code
    18:29:03.531 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
    18:29:03.578 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
    18:29:03.609 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
    18:29:03.640 Disk 0 scanning sectors +312581792
    18:29:04.984 Disk 0 scanning X:\i386\system32\drivers
    18:29:05.000 Service scanning
    18:29:09.359 Modules scanning
    18:29:09.921 Disk 0 trace - called modules:
    18:29:09.968 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys halaacpi.dll atapi.sys pciide.sys PCIIDEX.SYS
    18:29:11.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872dfab8]
    18:29:11.031 3 CLASSPNP.SYS[f75d705b] -> nt!IofCallDriver -> \Device\0000004a[0x872dc9e8]
    18:29:11.078 5 acpi.sys[f74a2620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x872ded98]
    18:29:11.125 Scan finished successfully
    18:29:45.937 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
    18:29:46.031 The log file has been saved successfully to "C:\download\aswMBR5.txt"
     
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We need the scan to be run from Safe Mode, as done before, please.

    This scan in REATOGO (didn't mean to confuse you) is inaccurate because it is listing the REATOGO system's attributes rather than the actual PC's attributes.
     
  24. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    That's what I thought, but your "Did you run aswMBR from OTLPE?" question threw me off, so I wasn't sure if there WERE some tools to run out of it.


    I don't have a current scan available to me, but of the times I was running it the results were basically the same as logged upthread:

    -------------------------

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-23 00:43:50
    -----------------------------
    00:43:50.359 OS Version: Windows 5.1.2600 Service Pack 3
    00:43:50.359 Number of processors: 2 586 0xF0D
    00:43:50.359 ComputerName: HL111008 UserName: Kristine
    00:43:50.640 Initialize success
    00:45:31.671 AVAST engine defs: 12072201
    00:46:01.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    00:46:01.796 Disk 0 Vendor: ST3160815AS 4.CCC Size: 152627MB BusType: 3
    00:46:01.828 Disk 0 MBR read successfully
    00:46:01.828 Disk 0 MBR scan
    00:46:01.875 Disk 0 Windows XP default MBR code
    00:46:01.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 149069 MB offset 2048
    00:46:01.937 Disk 0 Partition 2 00 12 Compaq diag MSDOS5.0 3556 MB offset 305295360
    00:46:01.953 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 312578048
    00:46:01.968 Disk 0 Partition 3 **INFECTED** MBR:SST [Rtk]
    00:46:02.015 Disk 0 scanning sectors +312581792
    00:46:03.484 Disk 0 scanning C:\WINDOWS\system32\drivers
    00:46:13.218 Service scanning
    00:46:32.640 Modules scanning
    00:46:38.359 Disk 0 trace - called modules:
    00:46:38.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    00:46:38.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87375ab8]
    00:46:38.515 3 CLASSPNP.SYS[f774cfd7] -> nt!IofCallDriver -> \Device\00000063[0x873ca9e8]
    00:46:38.546 5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x87378d98]
    00:46:38.921 AVAST engine scan C:\WINDOWS
    00:47:03.859 AVAST engine scan C:\WINDOWS\system32
    00:49:16.906 AVAST engine scan C:\WINDOWS\system32\drivers
    00:49:37.046 AVAST engine scan C:\Documents and Settings\kristine
    00:51:51.234 File: C:\Documents and Settings\kristine\Local Settings\Temp\34acf1a4-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
    00:51:51.359 File: C:\Documents and Settings\kristine\Local Settings\Temp\35ad8ae8-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
    00:51:51.531 File: C:\Documents and Settings\kristine\Local Settings\Temp\7ea807b2-5753.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
    00:52:29.156 AVAST engine scan C:\Documents and Settings\All Users
    00:53:11.328 Scan finished successfully
    00:53:19.890 Disk 0 MBR has been saved successfully to "C:\download\MBR.dat"
    00:53:19.937 The log file has been saved successfully to "C:\download\aswMBR.txt

    --------------------

    The **INFECTED** lines were always the same. Even if I used something like ATF-Cleaner to wipe the temps, there would be infected temps right back in with another aswMBR scan.
     
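    As an added example (not part of this thread, and not aswMBR's own code), here is how the partition entries that aswMBR lists above can be read straight out of the 512-byte MBR.dat it saves; the sample sector is constructed from the three entries in the log, and the tail-of-disk hidden-partition check is a heuristic assumption for manual review, not aswMBR's detection logic.

```python
import struct

SECTOR = 512
SECTORS_PER_MB = 2048          # 512-byte sectors per MiB, the unit aswMBR prints
# Standard MBR type codes; the three named ones are the types in the log above.
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x12: "Compaq diag", 0x17: "Hidd HPFS/NTFS"}
HIDDEN_TYPES = {0x16, 0x17, 0x1B, 0x1C}   # hidden FAT16 / NTFS / FAT32 type codes
TAIL_MB = 16                              # assumed heuristic window at the end of the disk

def build_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte partition table entry (CHS fields zeroed; LBA is what matters)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

# Constructed sample MBR: zeroed boot code plus a partition table mirroring the log
# (offsets and sizes copied from the aswMBR output, not from a real disk image).
SAMPLE_MBR = (
    bytes(446)
    + build_entry(0x80, 0x07, 2048, 149069 * SECTORS_PER_MB)
    + build_entry(0x00, 0x12, 305295360, 3556 * SECTORS_PER_MB)
    + build_entry(0x00, 0x17, 312578048, 1 * SECTORS_PER_MB)
    + bytes(16)                 # empty fourth slot
    + b"\x55\xaa"               # boot signature
)
SAMPLE_DISK_SECTORS = 312581792  # "scanning sectors +312581792" in the log

def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or missing 55AA signature)")
    parts = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue            # unused slot
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "name": TYPE_NAMES.get(ptype, "unknown"), "offset": lba,
                      "sectors": count, "mb": count // SECTORS_PER_MB})
    return parts

def format_line(p):
    """Render an entry the way aswMBR prints it, for side-by-side comparison with the log."""
    flag = "80 (A)" if p["active"] else "00"
    return f"Partition {p['index']} {flag} {p['type']:02X} {p['name']} {p['mb']} MB offset {p['offset']}"

def flag_tail_hidden(parts, disk_sectors):
    """Heuristic: small hidden-type partitions parked in the last TAIL_MB of the disk."""
    tail_start = disk_sectors - TAIL_MB * SECTORS_PER_MB
    return [p for p in parts
            if p["type"] in HIDDEN_TYPES and p["mb"] <= TAIL_MB and p["offset"] >= tail_start]

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(format_line(p))
    print("review:", [p["index"] for p in flag_tail_hidden(parse_mbr(SAMPLE_MBR), SAMPLE_DISK_SECTORS)])
```

To run it against the real file, replace SAMPLE_MBR with `open("MBR.dat", "rb").read(512)`; note the MBR on this machine was reported as stock XP code, so the partition table rather than the boot code is where the anomaly shows.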
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    See if you can run this tool, please...

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.



    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
    Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
    Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
     
Topic Status:
Not open for further replies.