FBI Moneypak ransomware

Solved
By familyman14
Jan 28, 2013
  1. My kids laptop got this after DL'ing flash player update. I can't open anything or run his avira or malwarebytes due to the bogus page coming up every time I reboot. What do I do?
    Also shows up on safe mode and safe mode with networking.
  2. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================

    What Windows version is it?
  3. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

  4. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  5. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-01-2013 02
    Ran by SYSTEM at 28-01-2013 22:46:02
    Running from G:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001
    ==================== Registry (Whitelisted) ===================
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-12-10] (Sendori, Inc.)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1573576 2012-10-16] (Ask)
    HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
    HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3143800 2012-11-06] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1046984 2012-12-12] ()
    HKLM-x32\...\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start [2254768 2012-12-10] (LogMeIn Inc.)
    HKU\Owner\...\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-08-31] (Google Inc.)
    HKU\Owner\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1354736 2012-12-03] (Valve Corporation)
    HKU\Owner\...\Run: [PlayNC Launcher] [x]
    HKU\Owner\...\Run: [miulgou] rundll32 "C:\Users\Owner\AppData\Local\miulgou.dll",miulgou [17408 2013-01-28] ()
    HKU\Owner\...\Run: [crlob] rundll32.exe "C:\Users\Owner\AppData\Roaming\crlob.dll",GetDllMajorVersion [152576 2013-01-28] (Syntek Corporation)
    HKU\Owner\...\Run: [winpr] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\winpr.dll",set_rows [598016 2013-01-28] (S3 Graphics Co., Ltd.)
    HKU\Owner\...\Run: [nrvrs] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\nrvrs.dll",CheckReadBuffer [365568 2013-01-28] ()
    HKU\Owner\...\Winlogon: [Shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [56832 2011-11-16] ()
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\n. ATTENTION! ====> ZeroAccess
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}: [NameServer]216.146.35.240,216.146.36.240,192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
    ShortcutTarget: GamersFirst LIVE!.lnk -> C:\Program Files (x86)\GamersFirst\LIVE!\Live.exe (GamersFirst)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)
    ==================== Services (Whitelisted) ===================
    2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [118632 2012-12-10] (Sendori, Inc.)
    2 avgfws; "C:\Program Files (x86)\AVG\AVG2013\avgfws.exe" [1340976 2012-11-01] (AVG Technologies CZ, s.r.o.)
    2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814392 2012-11-06] (AVG Technologies CZ, s.r.o.)
    2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
    3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe" [227232 2010-09-02] (McAfee, Inc.)
    2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [14696 2012-12-10] (sendori)
    2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3569512 2012-12-10] (Sendori)
    2 vToolbarUpdater13.3.2; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe [894920 2012-12-12] ()
    3 WajamUpdater; "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" [109064 2012-10-05] (Wajam)
    ==================== Drivers (Whitelisted) =====================
    1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [50296 2012-09-04] (AVG Technologies CZ, s.r.o.)
    1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
    0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
    1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
    0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
    0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111456 2012-10-05] (AVG Technologies CZ, s.r.o.)
    0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
    1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
    1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-12-12] (AVG Technologies)
    ==================== NetSvcs (Whitelisted) ====================

    ==================== One Month Created Files and Folders ========
    2013-01-28 22:45 - 2013-01-28 22:45 - 00000000 ____D C:\FRST
    2013-01-28 09:52 - 2013-01-28 09:52 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Malwarebytes
    2013-01-28 09:31 - 2013-01-28 09:51 - 00000365 ____A C:\Windows\System32\avgrep.txt
    2013-01-28 03:41 - 2013-01-28 03:41 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2013-01-28 03:38 - 2013-01-28 19:34 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini
    2013-01-28 03:37 - 2013-01-28 03:37 - 00365568 ____A () C:\Users\Owner\AppData\Roaming\nrvrs.dll
    2013-01-28 03:36 - 2013-01-28 19:34 - 00006528 ____A C:\Users\Owner\AppData\Local\045b083c-7415-4a22-ba9e-7a63e54675f8.crx
    2013-01-28 03:36 - 2013-01-28 03:36 - 00598016 ____A (S3 Graphics Co., Ltd.) C:\Users\Owner\AppData\Roaming\winpr.dll
    2013-01-28 03:33 - 2013-01-28 03:33 - 00152576 ____A (Syntek Corporation) C:\Users\Owner\AppData\Roaming\crlob.dll
    2013-01-28 03:33 - 2013-01-28 03:33 - 00017408 ____A C:\Users\Owner\AppData\Local\miulgou.dll
    2013-01-19 20:06 - 2010-02-04 07:01 - 00530776 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_6.dll
    2013-01-19 20:06 - 2010-02-04 07:01 - 00528216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_6.dll
    2013-01-19 20:06 - 2010-02-04 07:01 - 00238936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_6.dll
    2013-01-19 20:06 - 2010-02-04 07:01 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_6.dll
    2013-01-19 20:06 - 2010-02-04 07:01 - 00078680 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_4.dll
    2013-01-19 20:06 - 2010-02-04 07:01 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_4.dll
    2013-01-19 20:06 - 2009-09-04 14:44 - 00517960 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_5.dll
    2013-01-19 20:06 - 2009-09-04 14:44 - 00515416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_5.dll
    2013-01-19 20:06 - 2009-09-04 14:44 - 00238936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_5.dll
    2013-01-19 20:06 - 2009-09-04 14:44 - 00176968 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_5.dll
    2013-01-19 20:06 - 2009-09-04 14:44 - 00073544 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_3.dll
    2013-01-19 20:06 - 2009-09-04 14:44 - 00069464 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_3.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 05554512 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 05501792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 02582888 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 02475352 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 01974616 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 01892184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 00523088 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 00453456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 00285024 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_42.dll
    2013-01-19 20:06 - 2009-09-04 14:29 - 00235344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_42.dll
    2013-01-19 20:06 - 2009-03-16 11:18 - 00521560 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_4.dll
    2013-01-19 20:06 - 2009-03-16 11:18 - 00174936 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_4.dll
    2013-01-19 20:06 - 2009-03-16 11:18 - 00024920 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_6.dll
    2013-01-19 20:06 - 2009-03-09 12:27 - 05425496 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_41.dll
    2013-01-19 20:06 - 2009-03-09 12:27 - 04178264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_41.dll
    2013-01-19 20:06 - 2009-03-09 12:27 - 02430312 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_41.dll
    2013-01-19 20:06 - 2009-03-09 12:27 - 01846632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_41.dll
    2013-01-19 20:06 - 2009-03-09 12:27 - 00520544 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_41.dll
    2013-01-19 20:06 - 2009-03-09 12:27 - 00453456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_41.dll
    2013-01-19 20:06 - 2008-10-27 07:04 - 00518480 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_3.dll
    2013-01-19 20:06 - 2008-10-27 07:04 - 00514384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_3.dll
    2013-01-19 20:06 - 2008-10-27 07:04 - 00235856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_3.dll
    2013-01-19 20:06 - 2008-10-27 07:04 - 00175440 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_3.dll
    2013-01-19 20:06 - 2008-10-27 07:04 - 00074576 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_2.dll
    2013-01-19 20:06 - 2008-10-27 07:04 - 00070992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_2.dll
    2013-01-19 20:06 - 2008-10-27 07:04 - 00025936 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_5.dll
    2013-01-19 20:06 - 2008-10-27 07:04 - 00023376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_5.dll
    2013-01-19 20:06 - 2008-10-15 03:22 - 05631312 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_40.dll
    2013-01-19 20:06 - 2008-10-15 03:22 - 04379984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_40.dll
    2013-01-19 20:06 - 2008-10-15 03:22 - 02605920 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_40.dll
    2013-01-19 20:06 - 2008-10-15 03:22 - 02036576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_40.dll
    2013-01-19 20:06 - 2008-10-15 03:22 - 00452440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_40.dll
    2013-01-19 20:04 - 2013-01-19 20:04 - 00000000 ____D C:\Program Files (x86)\Microsoft XNA
    2013-01-19 20:04 - 2009-03-16 11:18 - 00517448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_4.dll
    2013-01-19 20:04 - 2009-03-16 11:18 - 00235352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_4.dll
    2013-01-19 20:04 - 2009-03-16 11:18 - 00022360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_6.dll
    2013-01-17 13:28 - 2013-01-17 13:28 - 06168335 ____A C:\Users\Owner\Downloads\nick_mrfoster_040811_11893-L4D2.zip
    2013-01-17 13:26 - 2013-01-17 13:26 - 10522427 ____A C:\Users\Owner\Downloads\the_end_of_the_battle_death_music_121212_22174-L4D2 (2).zip
    2013-01-17 13:24 - 2013-01-17 13:24 - 22599137 ____A C:\Users\Owner\Downloads\intensetankmusic_150113_22876-L4D2.zip
    2013-01-17 13:22 - 2013-01-17 13:22 - 07933736 ____A C:\Users\Owner\Downloads\nostalgia_charger_200512_17540-L4D2.zip
    2013-01-17 13:20 - 2013-01-17 13:20 - 02572583 ____A C:\Users\Owner\Downloads\mod_infected_sfx_witch_110512_17306-L4D2.zip
    2013-01-17 13:18 - 2013-01-17 13:18 - 00524032 ____A C:\Users\Owner\Downloads\mod_tipgraphic_beta_260512_15667-L4D2.zip
    2013-01-17 13:16 - 2013-01-17 13:16 - 01643068 ____A C:\Users\Owner\Downloads\mod_map_previews_150512_17288-L4D2.zip
    2013-01-15 04:04 - 2013-01-15 04:04 - 00000000 ____D C:\Users\Owner\Downloads\New folder (2)
    2013-01-15 04:04 - 2013-01-15 04:04 - 00000000 ____D C:\Users\Owner\Downloads\New folder
    2013-01-11 03:29 - 2013-01-11 03:29 - 38312284 ____A C:\Users\Owner\Downloads\nazi_zombies_ndu_130112_9504-L4D2 (6).zip
    2013-01-09 03:44 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
    2013-01-09 03:44 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
    2013-01-09 03:43 - 2012-12-07 05:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll
    2013-01-09 03:43 - 2012-12-07 05:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll
    2013-01-09 03:43 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll
    2013-01-09 03:43 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll
    2013-01-09 03:43 - 2012-12-07 03:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs
    2013-01-09 03:43 - 2012-12-07 03:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs
    2013-01-09 03:43 - 2012-12-07 03:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs
    2013-01-09 03:43 - 2012-12-07 03:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs
    2013-01-09 03:43 - 2012-12-07 03:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs
    2013-01-09 03:43 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs
    2013-01-09 03:43 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs
    2013-01-09 03:43 - 2012-12-07 03:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs
    2013-01-09 03:43 - 2012-12-07 03:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs
    2013-01-09 03:43 - 2012-12-07 03:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs
    2013-01-09 03:43 - 2012-12-07 03:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs
    2013-01-09 03:43 - 2012-12-07 03:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs
    2013-01-09 03:43 - 2012-12-07 03:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs
    2013-01-09 03:43 - 2012-12-07 03:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs
    2013-01-09 03:43 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs
    2013-01-09 03:43 - 2012-11-21 21:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll
    2013-01-09 03:43 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
    2013-01-09 03:43 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2013-01-09 03:43 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2013-01-09 03:43 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2013-01-09 03:43 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2013-01-09 03:43 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2013-01-09 03:43 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2013-01-09 03:42 - 2012-11-29 21:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
    2013-01-09 03:42 - 2012-11-29 21:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
    2013-01-09 03:42 - 2012-11-29 21:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
    2013-01-09 03:42 - 2012-11-29 21:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
    2013-01-09 03:42 - 2012-11-29 21:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
    2013-01-09 03:42 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
    2013-01-09 03:42 - 2012-11-29 21:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
    2013-01-09 03:42 - 2012-11-29 20:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
    2013-01-09 03:42 - 2012-11-29 20:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 19:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
    2013-01-09 03:42 - 2012-11-29 18:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
    2013-01-09 03:42 - 2012-11-29 18:44 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
    2013-01-09 03:42 - 2012-11-29 18:44 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
    2013-01-09 03:42 - 2012-11-29 18:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
    2013-01-09 03:42 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
    2013-01-09 03:42 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls
    2013-01-09 03:42 - 2012-11-29 15:15 - 00420064 ____A C:\Windows\System32\locale.nls
    2013-01-09 03:41 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-01-09 03:41 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
    2013-01-08 16:21 - 2013-01-08 16:21 - 16369160 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2013-01-06 14:36 - 2010-06-02 01:55 - 00527192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
    2013-01-06 14:36 - 2010-06-02 01:55 - 00518488 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_7.dll
    2013-01-06 14:36 - 2010-06-02 01:55 - 00077656 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll
    2013-01-06 14:36 - 2010-06-02 01:55 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
    2013-01-06 14:36 - 2010-05-26 08:41 - 02526056 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_43.dll
    2013-01-06 14:36 - 2010-05-26 08:41 - 02401112 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_43.dll
    2013-01-06 14:36 - 2010-05-26 08:41 - 02106216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
    2013-01-06 14:36 - 2010-05-26 08:41 - 01998168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
    2013-01-06 14:36 - 2010-05-26 08:41 - 00276832 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_43.dll
    2013-01-06 14:36 - 2010-05-26 08:41 - 00248672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
    2013-01-06 14:36 - 2010-02-04 07:01 - 00024920 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_7.dll
    2013-01-06 14:36 - 2010-02-04 07:01 - 00022360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
    2013-01-04 19:11 - 2013-01-04 19:11 - 01228229 ____A C:\Users\Owner\Downloads\merry_christmas_231212_22437-L4D2.zip
    2013-01-03 03:41 - 2013-01-03 03:41 - 04431963 ____A C:\Users\Owner\Downloads\logan_nick_020113_22628-L4D2.zip
    2013-01-02 15:50 - 2013-01-02 15:50 - 05775777 ____A C:\Users\Owner\Downloads\cedathelaststand_280912_20744-L4D2.zip
    2013-01-02 15:46 - 2013-01-02 15:46 - 10522427 ____A C:\Users\Owner\Downloads\the_end_of_the_battle_death_music_121212_22174-L4D2 (1).zip
    2013-01-02 15:39 - 2013-01-02 15:39 - 00074993 ____A C:\Users\Owner\Downloads\walking_corpses_010113_22528-L4D2.zip
    ==================== One Month Modified Files and Folders =======
    2013-01-28 22:45 - 2013-01-28 22:45 - 00000000 ____D C:\FRST
    2013-01-28 19:34 - 2013-01-28 03:38 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini
    2013-01-28 19:34 - 2013-01-28 03:36 - 00006528 ____A C:\Users\Owner\AppData\Local\045b083c-7415-4a22-ba9e-7a63e54675f8.crx
    2013-01-28 19:34 - 2012-07-06 19:35 - 00000000 ____D C:\Users\Owner\AppData\Local\LogMeIn Hamachi
    2013-01-28 19:34 - 2012-04-08 08:16 - 00000000 ____D C:\Program Files (x86)\Steam
    2013-01-28 19:33 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-01-28 19:33 - 2009-07-13 20:51 - 00053559 ____A C:\Windows\setupact.log
    2013-01-28 09:52 - 2013-01-28 09:52 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Malwarebytes
    2013-01-28 09:51 - 2013-01-28 09:31 - 00000365 ____A C:\Windows\System32\avgrep.txt
    2013-01-28 09:31 - 2012-12-12 12:10 - 00000000 ____D C:\Users\Owner\AppData\Local\Avg2013
    2013-01-28 09:20 - 2012-04-13 13:16 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-01-28 09:18 - 2009-07-13 20:45 - 00015824 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-01-28 09:18 - 2009-07-13 20:45 - 00015824 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-01-28 09:16 - 2012-02-25 08:31 - 00000000 ____D C:\Users\All Users\MFAData
    2013-01-28 09:14 - 2012-02-24 10:26 - 01379032 ____A C:\Windows\WindowsUpdate.log
    2013-01-28 09:12 - 2012-02-25 08:27 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3886674033-3501889395-2250448632-1000UA.job
    2013-01-28 03:43 - 2012-02-25 08:27 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3886674033-3501889395-2250448632-1000Core.job
    2013-01-28 03:41 - 2013-01-28 03:41 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2013-01-28 03:38 - 2012-02-25 08:28 - 00000000 ____D C:\Users\All Users\Adobe
    2013-01-28 03:37 - 2013-01-28 03:37 - 00365568 ____A () C:\Users\Owner\AppData\Roaming\nrvrs.dll
    2013-01-28 03:36 - 2013-01-28 03:36 - 00598016 ____A (S3 Graphics Co., Ltd.) C:\Users\Owner\AppData\Roaming\winpr.dll
    2013-01-28 03:33 - 2013-01-28 03:33 - 00152576 ____A (Syntek Corporation) C:\Users\Owner\AppData\Roaming\crlob.dll
    2013-01-28 03:33 - 2013-01-28 03:33 - 00017408 ____A C:\Users\Owner\AppData\Local\miulgou.dll
    2013-01-27 19:00 - 2012-02-25 08:48 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype
    2013-01-27 10:09 - 2012-09-13 15:32 - 00000000 ____D C:\Users\Owner\AppData\Local\ArmA 2 OA
    2013-01-19 20:06 - 2012-08-20 15:40 - 00097269 ____A C:\Windows\DirectX.log
    2013-01-19 20:04 - 2013-01-19 20:04 - 00000000 ____D C:\Program Files (x86)\Microsoft XNA
    2013-01-17 13:28 - 2013-01-17 13:28 - 06168335 ____A C:\Users\Owner\Downloads\nick_mrfoster_040811_11893-L4D2.zip
    2013-01-17 13:26 - 2013-01-17 13:26 - 10522427 ____A C:\Users\Owner\Downloads\the_end_of_the_battle_death_music_121212_22174-L4D2 (2).zip
    2013-01-17 13:24 - 2013-01-17 13:24 - 22599137 ____A C:\Users\Owner\Downloads\intensetankmusic_150113_22876-L4D2.zip
    2013-01-17 13:22 - 2013-01-17 13:22 - 07933736 ____A C:\Users\Owner\Downloads\nostalgia_charger_200512_17540-L4D2.zip
    2013-01-17 13:20 - 2013-01-17 13:20 - 02572583 ____A C:\Users\Owner\Downloads\mod_infected_sfx_witch_110512_17306-L4D2.zip
    2013-01-17 13:18 - 2013-01-17 13:18 - 00524032 ____A C:\Users\Owner\Downloads\mod_tipgraphic_beta_260512_15667-L4D2.zip
    2013-01-17 13:16 - 2013-01-17 13:16 - 01643068 ____A C:\Users\Owner\Downloads\mod_map_previews_150512_17288-L4D2.zip
    2013-01-15 04:04 - 2013-01-15 04:04 - 00000000 ____D C:\Users\Owner\Downloads\New folder (2)
    2013-01-15 04:04 - 2013-01-15 04:04 - 00000000 ____D C:\Users\Owner\Downloads\New folder
    2013-01-15 03:57 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-01-11 03:29 - 2013-01-11 03:29 - 38312284 ____A C:\Users\Owner\Downloads\nazi_zombies_ndu_130112_9504-L4D2 (6).zip
    2013-01-10 04:27 - 2009-07-13 20:45 - 00275712 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-01-10 03:37 - 2012-02-24 08:35 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-01-08 16:22 - 2012-04-13 13:16 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-01-08 16:22 - 2012-02-25 08:27 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-01-08 16:21 - 2013-01-08 16:21 - 16369160 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2013-01-06 14:37 - 2012-02-25 08:51 - 00000000 ____D C:\Users\Owner\Documents\My Games
    2013-01-06 14:35 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
    2013-01-04 19:11 - 2013-01-04 19:11 - 01228229 ____A C:\Users\Owner\Downloads\merry_christmas_231212_22437-L4D2.zip
    2013-01-03 03:41 - 2013-01-03 03:41 - 04431963 ____A C:\Users\Owner\Downloads\logan_nick_020113_22628-L4D2.zip
    2013-01-02 15:50 - 2013-01-02 15:50 - 05775777 ____A C:\Users\Owner\Downloads\cedathelaststand_280912_20744-L4D2.zip
    2013-01-02 15:46 - 2013-01-02 15:46 - 10522427 ____A C:\Users\Owner\Downloads\the_end_of_the_battle_death_music_121212_22174-L4D2 (1).zip
    2013-01-02 15:39 - 2013-01-02 15:39 - 00074993 ____A C:\Users\Owner\Downloads\walking_corpses_010113_22528-L4D2.zip

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a
    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a
    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points =========================
    Restore point made on: 2013-01-19 20:04:32
    Restore point made on: 2013-01-19 20:05:30
    ==================== Memory info ===========================
    Percentage of memory in use: 17%
    Total physical RAM: 2933.86 MB
    Available physical RAM: 2413.94 MB
    Total Pagefile: 2932.01 MB
    Available Pagefile: 2407.93 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB
    ==================== Partitions =============================
    1 Drive c: () (Fixed) (Total:287.75 GB) (Free:35.81 GB) NTFS
    4 Drive g: () (Removable) (Total:0.48 GB) (Free:0.48 GB) FAT
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (HDDRECOVERY) (Fixed) (Total:10.34 GB) (Free:0.59 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 492 MB 0 B
    Partitions of Disk 0:
    ===============
    Disk ID: C047B9AB
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 287 GB 1024 KB
    Partition 2 Primary 10 GB 287 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 287 GB Healthy
    =========================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 Y HDDRECOVERY NTFS Partition 10 GB Healthy
    =========================================================
    Partitions of Disk 2:
    ===============
    Disk ID: 00000000
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 491 MB 16 KB
    ==================================================================================
    Disk: 2
    Partition 1
    Type : 06
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FAT Removable 491 MB Healthy
    =========================================================
    Last Boot: 2012-09-07 13:34
  6. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    Can just open to his wallpaper, no icons.
  7. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next...

    Restart normally and see if your computer is running better.

    If so....

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Attached Files:

  8. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    I plug in the flashdrive with DL'ed fixlist.txt , press power on button and it goes to "starting windows" then welcome screen to white screen then to the fbi screen. Tried in safe mode and safe mode with networking and they both load up then log off and back to fbi screen.
  9. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    I tinkered with the laptop and pressed cont+alt+del and to task manager to shutdown. As it was waiting to force backround programs to close I clicked cancel and before it shutdown I was able to click on malwarebytes. My avg expired. will post results of malware when done scanning.
  10. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    I am now using the infected laptop
    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 3
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|crlob (Trojan.Medfos) -> Data: rundll32.exe "C:\Users\Owner\AppData\Roaming\crlob.dll",GetDllMajorVersion -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|shell (Trojan.Agent.RNS) -> Data: explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nrvrs (Trojan.RedirRdll2.Gen) -> Data: "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\nrvrs.dll",CheckReadBuffer -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 13
    C:\Users\Owner\AppData\Roaming\crlob.dll (Trojan.Medfos) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\n (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$Recycle.Bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\Users\Owner\AppData\Local\Temp\0M7S1QYI0.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Users\Owner\AppData\Local\Temp\~!#C24.tmp (Trojan.Winlock) -> Quarantined and deleted successfully.
    C:\Users\Owner\AppData\Local\Temp\~!#E771.tmp (Backdoor.Bot.ED) -> Quarantined and deleted successfully.
    C:\Users\Owner\AppData\Local\Temp\~!#EEF0.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Users\Owner\AppData\Roaming\skype.dat (Trojan.Winlock) -> Quarantined and deleted successfully.

    (end)
  11. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    I don't think you ran FRST fix correctly.
    You're supposed to boot back to System Recovery Options and run the fix from there.

    In any case since you can boot normally....
    MBAM log is incomplete.
    Re-run it one more time.

    Then I still need DDS logs.

    Uninstall it using AVG Remover: http://www.avg.com/us-en/utilities

    Install ONE of these:

    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    Note for Windows 8 users: Microsoft Security Essentials comes preinstalled and renamed as Windows Defender.
    You can keep it or you have to disable it before installing another AV program. How to...

    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php

    Update, run full scan, report on any findings.
  12. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.01.29.10

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Owner :: OWNER-TOSHIBA [administrator]

    1/29/2013 10:56:58 PM
    mbam-log-2013-01-29 (22-56-58).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 209917
    Time elapsed: 4 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  13. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/24/2012 10:31:51 AM
    System Uptime: 1/29/2013 10:39:38 PM (1 hours ago)
    .
    Motherboard: Intel Corp. | | Base Board Product Name
    Processor: Intel(R) Pentium(R) CPU P6100 @ 2.00GHz | CPU | 1179/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 288 GiB total, 35.885 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description:
    Device ID: ACPI\QCI0701\2&DABA3FF&1
    Manufacturer:
    Name:
    PNP Device ID: ACPI\QCI0701\2&DABA3FF&1
    Service:
    .
    ==== System Restore Points ===================
    .
    RP59: 1/19/2013 11:04:06 PM - Installed DirectX
    RP60: 1/19/2013 11:05:03 PM - Installed DirectX
    RP61: 1/29/2013 5:46:40 PM - avast! Free Antivirus Setup
    RP62: 1/29/2013 10:51:12 PM - Installed Java 7 Update 11
    .
    ==== Installed Programs ======================
    .
    7-zip v9.20
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.2)
    Adobe Shockwave Player 11.6
    Aion
    Apple Application Support
    Apple Software Update
    ARMA 2
    ARMA 2: Operation Arrowhead
    Ask Toolbar
    Ask Toolbar Updater
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    avast! Free Antivirus
    BattlEye for OA Uninstall
    BattlEye Uninstall
    Best Buy pc app
    Chivalry: Medieval Warfare
    DayZ Commander
    Dual-Core Optimizer
    Fallen Earth
    Fallout Mod Manager 0.13.21
    GamersFirst LIVE!
    Garry's Mod
    Garry's Mod 13 Beta
    GCFScape 1.8.2
    Google Chrome
    Horizon v2.5.9.0
    InstallIQ Updater
    Java 7 Update 11
    Java Auto Updater
    Java(TM) 6 Update 31
    JavaFX 2.1.0
    Left 4 Dead 2
    LogMeIn Hamachi
    Magicka
    Malwarebytes Anti-Malware version 1.70.0.1100
    McAfee Security Scan Plus
    Microsoft .NET Framework 4 Client Profile
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft XNA Framework Redistributable 3.1
    Moonbase Alpha
    Mount & Blade Demo
    NCsoft Launcher
    NVIDIA PhysX v8.10.29
    Pando Media Booster
    PlanetSide 2
    PricePeep
    QuickTime
    Realm of the Mad God
    SavetheChildren Reminder by We-Care.com v4.1.17.4
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Sendori
    Skype Click to Call
    Skype™ 6.0
    SMPlayer 0.6.9
    Steam
    swMSM
    System Requirements Lab CYRI
    Team Fortress 2
    TeamSpeak 3 Client
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Visual Studio 2008 x64 Redistributables
    Visual Studio 2010 x64 Redistributables
    VLC media player 2.0.0
    Wajam
    WinRAR 4.11 (64-bit)
    Yontoo 1.10.02
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/29/2013 5:36:31 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avgfws service.
    1/29/2013 5:35:55 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
    1/29/2013 3:00:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AVGIDSDriver Avgldx64 discache spldr Wanarpv6
    1/29/2013 3:00:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/29/2013 3:00:05 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2013 3:00:05 PM, Error: Service Control Manager [7001] - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2013 2:47:35 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd AVGIDSDriver Avgldx64 Avgtdia DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl
    1/29/2013 2:47:34 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2013 2:47:34 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2013 2:47:34 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2013 2:47:34 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2013 2:47:34 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2013 2:47:33 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2013 2:47:33 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2013 2:47:33 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2013 2:47:33 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2013 10:45:34 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    1/29/2013 10:45:34 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    1/29/2013 10:44:03 PM, Error: Service Control Manager [7022] - The Service Sendori service hung on starting.
    1/29/2013 10:42:19 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    1/29/2013 10:42:16 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    1/29/2013 10:42:16 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    1/29/2013 10:34:34 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Service Sendori service to connect.
    1/29/2013 10:34:34 PM, Error: Service Control Manager [7000] - The Service Sendori service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/29/2013 10:33:47 PM, Error: Service Control Manager [7024] - The AVGIDSAgent service terminated with service-specific error %%-536753636.
    1/29/2013 10:33:47 PM, Error: Service Control Manager [7024] - The AVG Firewall service terminated with service-specific error %%-536805289.
    1/28/2013 12:38:11 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    1/28/2013 12:37:37 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service sndappv2 with arguments "-Service" in order to run the server: {B1A429DB-FB06-4645-B7C0-0CC405EAD3CD}
    1/28/2013 12:31:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/28/2013 12:31:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/28/2013 12:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    1/28/2013 12:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    1/28/2013 12:31:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/23/2013 2:58:55 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    .
    ==== End Of File ===========================
     
  14. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.4.1
    Run by Owner at 23:06:58 on 2013-01-29
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2934.1368 [GMT -5:00]
    .
    AV: AVG Internet Security 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AVG Internet Security 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
    C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Program Files (x86)\Sendori\sndappv2.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Sendori\SendoriSvc.exe
    C:\Program Files (x86)\Sendori\Sendori.Service.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files (x86)\Sendori\SendoriUp.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\WUDFHost.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files (x86)\Steam\Steam.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe
    C:\Program Files (x86)\Sendori\SendoriTray.exe
    C:\Program Files (x86)\Ask.com\Updater\Updater.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\notepad.exe
    C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://yahoo.genieo.com/?v=w3i8
    uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Wajam: {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files (x86)\Wajam\IE\priam_bho.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    BHO: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    BHO: PricePeep: {FD6D90C0-E6EE-4BC6-B9F7-9ED319698007} - C:\Program Files (x86)\PricePeep\pricepeep.dll
    BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
    TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    uRun: [PlayNC Launcher] <no file>
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe"
    mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
    mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GAMERS~1.LNK - C:\Program Files (x86)\GamersFirst\LIVE!\Live.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    LSP: C:\Windows\System32\Sendori.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E} : NameServer = 216.146.35.240,216.146.36.240,192.168.1.1
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\131364850313234373238383 : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\34F6272656474737 : DHCPNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\3554253544D27455543545 : DHCPNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\C496E6B6379737 : NameServer = 75.75.75.75,75.75.76.76
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\C496E6B6379737 : DHCPNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\C696E6B6379737 : NameServer = 75.75.75.75,75.75.76.76
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\C696E6B6379737 : DHCPNameServer = 75.75.75.75 75.75.76.76
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    SSODL: WebCheck - <orphaned>
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
    x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
    x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-1-29 984144]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-1-29 370288]
    R2 Application Sendori;Application Sendori;C:\Program Files (x86)\Sendori\SendoriSvc.exe [2012-12-10 118632]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-1-29 25232]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-1-29 71600]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-1-29 44808]
    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-12-10 2465712]
    R2 Service Sendori;Service Sendori;C:\Program Files (x86)\Sendori\Sendori.Service.exe [2012-12-10 14696]
    R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-12-13 3290896]
    R2 sndappv2;sndappv2;C:\Program Files (x86)\Sendori\sndappv2.exe [2012-12-10 3569512]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
    R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-4-20 169584]
    R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192Ce.sys [2010-4-28 932384]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-2-25 59392]
    S3 WajamUpdater;WajamUpdater;C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [2012-10-5 109064]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-2-24 1255736]
    .
    =============== Created Last 30 ================
    .
    2013-01-30 03:52:3295648----a-w-C:\Windows\SysWow64\WindowsAccessBridge-32.dll
    2013-01-29 22:48:4154072----a-w-C:\Windows\System32\drivers\aswRdr2.sys
    2013-01-29 22:48:38984144----a-w-C:\Windows\System32\drivers\aswSnx.sys
    2013-01-29 22:48:3271600----a-w-C:\Windows\System32\drivers\aswMonFlt.sys
    2013-01-29 22:47:5041224----a-w-C:\Windows\avastSS.scr
    2013-01-29 22:47:30--------d-----w-C:\ProgramData\AVAST Software
    2013-01-29 22:47:30--------d-----w-C:\Program Files\AVAST Software
    2013-01-29 06:45:53--------d-----w-C:\FRST
    2013-01-28 17:52:12--------d-----w-C:\Users\Owner\AppData\Roaming\Malwarebytes
    2013-01-28 11:41:48--------d-sh--w-C:\Windows\System32\%APPDATA%
    2013-01-28 11:37:07365568----a-w-C:\Users\Owner\AppData\Roaming\nrvrs.dll
    2013-01-28 11:36:43598016----a-w-C:\Users\Owner\AppData\Roaming\winpr.dll
    2013-01-28 11:33:4917408----a-w-C:\Users\Owner\AppData\Local\miulgou.dll
    2013-01-20 04:04:56517448----a-w-C:\Windows\SysWow64\XAudio2_4.dll
    2013-01-20 04:04:56235352----a-w-C:\Windows\SysWow64\xactengine3_4.dll
    2013-01-20 04:04:5522360----a-w-C:\Windows\SysWow64\X3DAudio1_6.dll
    2013-01-20 04:04:02--------d-----w-C:\Program Files (x86)\Microsoft XNA
    2013-01-09 11:44:10750592----a-w-C:\Windows\System32\win32spl.dll
    2013-01-09 11:44:10492032----a-w-C:\Windows\SysWow64\win32spl.dll
    2013-01-09 11:42:28424448----a-w-C:\Windows\System32\KernelBase.dll
    2013-01-09 11:41:4968608----a-w-C:\Windows\System32\taskhost.exe
    2013-01-09 11:41:473149824----a-w-C:\Windows\System32\win32k.sys
    2013-01-09 00:21:5216369160----a-w-C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2013-01-06 22:36:5477656----a-w-C:\Windows\System32\XAPOFX1_5.dll
    2013-01-06 22:36:5474072----a-w-C:\Windows\SysWow64\XAPOFX1_5.dll
    2013-01-06 22:36:53527192----a-w-C:\Windows\SysWow64\XAudio2_7.dll
    2013-01-06 22:36:53518488----a-w-C:\Windows\System32\XAudio2_7.dll
    2013-01-06 22:36:492526056----a-w-C:\Windows\System32\D3DCompiler_43.dll
    2013-01-06 22:36:492106216----a-w-C:\Windows\SysWow64\D3DCompiler_43.dll
    2013-01-06 22:36:45276832----a-w-C:\Windows\System32\d3dx11_43.dll
    2013-01-06 22:36:45248672----a-w-C:\Windows\SysWow64\d3dx11_43.dll
    2013-01-06 22:36:382401112----a-w-C:\Windows\System32\D3DX9_43.dll
    2013-01-06 22:36:381998168----a-w-C:\Windows\SysWow64\D3DX9_43.dll
    2013-01-06 22:36:3324920----a-w-C:\Windows\System32\X3DAudio1_7.dll
    2013-01-06 22:36:3322360----a-w-C:\Windows\SysWow64\X3DAudio1_7.dll
    .
    ==================== Find3M ====================
    .
    2013-01-09 00:22:0474248----a-w-C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-01-09 00:22:04697864----a-w-C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-12-16 17:11:2246080----a-w-C:\Windows\System32\atmlib.dll
    2012-12-16 14:45:03367616----a-w-C:\Windows\System32\atmfd.dll
    2012-12-16 14:13:28295424----a-w-C:\Windows\SysWow64\atmfd.dll
    2012-12-16 14:13:2034304----a-w-C:\Windows\SysWow64\atmlib.dll
    2012-12-14 21:49:2824176----a-w-C:\Windows\System32\drivers\mbam.sys
    2012-12-10 23:01:54321384----a-w-C:\Windows\SysWow64\Sendori.dll
    2012-12-07 13:20:16441856----a-w-C:\Windows\System32\Wpc.dll
    2012-12-07 13:15:312746368----a-w-C:\Windows\System32\gameux.dll
    2012-12-07 12:26:17308736----a-w-C:\Windows\SysWow64\Wpc.dll
    2012-12-07 12:20:432576384----a-w-C:\Windows\SysWow64\gameux.dll
    2012-12-07 11:20:0430720----a-w-C:\Windows\System32\usk.rs
    2012-12-07 11:20:0343520----a-w-C:\Windows\System32\csrr.rs
    2012-12-07 11:20:0323552----a-w-C:\Windows\System32\oflc.rs
    2012-12-07 11:20:0145568----a-w-C:\Windows\System32\oflc-nz.rs
    2012-12-07 11:20:0144544----a-w-C:\Windows\System32\pegibbfc.rs
    2012-12-07 11:20:0120480----a-w-C:\Windows\System32\pegi-fi.rs
    2012-12-07 11:20:0020480----a-w-C:\Windows\System32\pegi-pt.rs
    2012-12-07 11:19:5920480----a-w-C:\Windows\System32\pegi.rs
    2012-12-07 11:19:5846592----a-w-C:\Windows\System32\fpb.rs
    2012-12-07 11:19:5740960----a-w-C:\Windows\System32\cob-au.rs
    2012-12-07 11:19:5721504----a-w-C:\Windows\System32\grb.rs
    2012-12-07 11:19:5715360----a-w-C:\Windows\System32\djctq.rs
    2012-12-07 11:19:5655296----a-w-C:\Windows\System32\cero.rs
    2012-12-07 11:19:5551712----a-w-C:\Windows\System32\esrb.rs
    2012-11-30 05:45:35362496----a-w-C:\Windows\System32\wow64win.dll
    2012-11-30 05:45:35243200----a-w-C:\Windows\System32\wow64.dll
    2012-11-30 05:45:3513312----a-w-C:\Windows\System32\wow64cpu.dll
    2012-11-30 05:45:14215040----a-w-C:\Windows\System32\winsrv.dll
    2012-11-30 05:43:1216384----a-w-C:\Windows\System32\ntvdm64.dll
    2012-11-30 04:54:005120----a-w-C:\Windows\SysWow64\wow32.dll
    2012-11-30 04:53:59274944----a-w-C:\Windows\SysWow64\KernelBase.dll
    2012-11-30 03:23:48338432----a-w-C:\Windows\System32\conhost.exe
    2012-11-30 02:44:0625600----a-w-C:\Windows\SysWow64\setup16.exe
    2012-11-30 02:44:047680----a-w-C:\Windows\SysWow64\instnm.exe
    2012-11-30 02:44:0414336----a-w-C:\Windows\SysWow64\ntvdm64.dll
    2012-11-30 02:44:032048----a-w-C:\Windows\SysWow64\user.exe
    2012-11-30 02:38:596144---ha-w-C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-11-30 02:38:594608---ha-w-C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-11-30 02:38:593584---ha-w-C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-11-30 02:38:593072---ha-w-C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-11-22 05:44:23800768----a-w-C:\Windows\System32\usp10.dll
    2012-11-22 04:45:03626688----a-w-C:\Windows\SysWow64\usp10.dll
    2012-11-20 05:48:49307200----a-w-C:\Windows\System32\ncrypt.dll
    2012-11-20 04:51:09220160----a-w-C:\Windows\SysWow64\ncrypt.dll
    2012-11-14 06:11:442312704----a-w-C:\Windows\System32\jscript9.dll
    2012-11-14 06:04:111392128----a-w-C:\Windows\System32\wininet.dll
    2012-11-14 06:02:491494528----a-w-C:\Windows\System32\inetcpl.cpl
    2012-11-14 05:57:46599040----a-w-C:\Windows\System32\vbscript.dll
    2012-11-14 05:57:35173056----a-w-C:\Windows\System32\ieUnatt.exe
    2012-11-14 05:52:402382848----a-w-C:\Windows\System32\mshtml.tlb
    2012-11-14 02:09:221800704----a-w-C:\Windows\SysWow64\jscript9.dll
    2012-11-14 01:58:151427968----a-w-C:\Windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:371129472----a-w-C:\Windows\SysWow64\wininet.dll
    2012-11-14 01:49:25142848----a-w-C:\Windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27420864----a-w-C:\Windows\SysWow64\vbscript.dll
    2012-11-14 01:44:422382848----a-w-C:\Windows\SysWow64\mshtml.tlb
    2012-11-09 05:45:092048----a-w-C:\Windows\System32\tzres.dll
    2012-11-09 04:42:492048----a-w-C:\Windows\SysWow64\tzres.dll
    2012-11-02 05:59:11478208----a-w-C:\Windows\System32\dpnet.dll
    2012-11-02 05:11:31376832----a-w-C:\Windows\SysWow64\dpnet.dll
    2012-11-01 05:43:422002432----a-w-C:\Windows\System32\msxml6.dll
    2012-11-01 05:43:421882624----a-w-C:\Windows\System32\msxml3.dll
    2012-11-01 04:47:541389568----a-w-C:\Windows\SysWow64\msxml6.dll
    2012-11-01 04:47:541236992----a-w-C:\Windows\SysWow64\msxml3.dll
    .
    ============= FINISH: 23:07:48.12 ===============
  15. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    ==================================

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
  16. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    RogueKiller V8.4.3 [Jan 27 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Owner [Admin rights]
    Mode : Remove -- Date : 01/30/2013 10:07:51
    | ARK || MBR |

    ¤¤¤ Bad processes : 5 ¤¤¤
    [DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Owner\AppData\Local\miulgou.dll -> KILLED [TermProc]
    [DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Owner\AppData\Local\miulgou.dll -> KILLED [TermProc]
    [DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Owner\AppData\Roaming\winpr.dll -> KILLED [TermProc]
    [DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Owner\AppData\Roaming\winpr.dll -> KILLED [TermProc]
    [SUSP PATH] ReminderHelper.exe -- C:\ProgramData\WeCareReminder\ReminderHelper.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 8 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : miulgou (rundll32 "C:\Users\Owner\AppData\Local\miulgou.dll",miulgou) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : winpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\winpr.dll",set_rows) -> DELETED
    [DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E} : NameServer (216.146.35.240,216.146.36.240,192.168.1.1) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E} : NameServer (216.146.35.240,216.146.36.240,192.168.1.1) -> NOT REMOVED, USE DNSFIX
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a\n.) -> REPLACED (C:\Windows\system32\shell32.dll)
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\n.) -> REPLACED (C:\Windows\system32\wbem\fastprox.dll)

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\@ --> REMOVED
    [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a\@ --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a\L --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a\L --> REMOVED

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: TOSHIBA MK3265GSXN ATA Device +++++
    --- User ---
    [MBR] 60d2d1aac8e9121be320f785cfa6f44a
    [BSP] c35e88aa5278cbec57153136e1a5917d : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 294659 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 603463680 | Size: 10585 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2]_D_01302013_02d1007.txt >>
    RKreport[1]_S_01302013_02d1007.txt ; RKreport[2]_D_01302013_02d1007.txt
  17. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    Malwarebytes Anti-Rootkit BETA 1.01.0.1017
    www.malwarebytes.org

    Database version: v2013.01.30.05

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Owner :: OWNER-TOSHIBA [administrator]

    1/30/2013 11:00:31 AM
    mbar-log-2013-01-30 (11-00-31).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 28449
    Time elapsed: 20 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  18. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1017
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3076374528, free: 1984856064
    ------------ Kernel report ------------
    01/30/2013 10:15:51
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\wd.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\drivers\cdrom.sys
    \SystemRoot\System32\Drivers\aswSnx.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\System32\Drivers\aswTdi.SYS
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\Drivers\aswrdr2.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\System32\Drivers\aswSP.SYS
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\rtl8192Ce.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\L1C62x64.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\drivers\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\drivers\wmiacpi.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\hamachi.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\drivers\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\HdAudio.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_msahci.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \??\C:\Windows\system32\drivers\aswMonFlt.sys
    \SystemRoot\System32\Drivers\aswFsBlk.SYS
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\wininet.dll
    \Windows\System32\imm32.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\nsi.dll
    \Windows\System32\usp10.dll
    \Windows\System32\sechost.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\shell32.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\msctf.dll
    \Windows\System32\psapi.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\lpk.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\user32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\msasn1.dll
    \Windows\SysWOW64\normaliz.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa800550a790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000006c\
    Lower Device Object: 0xfffffa80045b8350
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    Initialization returned 0x0
    Load Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80032e5740
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xfffffa800315a060
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    Initialization returned 0x0
    Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
    Load Function returned 0x0
    Downloaded database version: v2013.01.30.05
    Downloaded database version: v2013.01.23.01
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80032e5740, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80032e5190, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80032e5740, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800315a060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a002ab8770, 0xfffffa80032e5740, 0xfffffa8002a73790
    Lower DeviceData: 0xfffff8a00d8cd110, 0xfffffa800315a060, 0xfffffa8002cfba90
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: C047B9AB
    Partition information:
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 603461632
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 603463680 Numsec = 21678080
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 320072933376 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xfffffa800550a790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80045be380, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa800550a790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa80045b8350, DeviceName: \Device\0000006c\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Done!
    Performing system, memory and registry scan...
    Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]
    Infected: c:\$Recycle.Bin\S-1-5-18\$9055f4d06b32151c09042282ba5bfa9a --> [Trojan.Siredef.C]
    Infected: c:\$Recycle.Bin\S-1-5-21-3886674033-3501889395-2250448632-1000\$9055f4d06b32151c09042282ba5bfa9a --> [Trojan.Siredef.C]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Removal successful. No system shutdown is required.
    =======================================
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1017
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_31
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3076374528, free: 1841958912
    ------------ Kernel report ------------
    01/30/2013 10:40:15
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\wd.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\drivers\cdrom.sys
    \SystemRoot\System32\Drivers\aswSnx.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\System32\Drivers\aswTdi.SYS
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\Drivers\aswrdr2.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\System32\Drivers\aswSP.SYS
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\rtl8192Ce.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\L1C62x64.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\drivers\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\drivers\wmiacpi.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\hamachi.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\drivers\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\HdAudio.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_msahci.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \??\C:\Windows\system32\drivers\aswMonFlt.sys
    \SystemRoot\System32\Drivers\aswFsBlk.SYS
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\wininet.dll
    \Windows\System32\imm32.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\nsi.dll
    \Windows\System32\usp10.dll
    \Windows\System32\sechost.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\shell32.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\msctf.dll
    \Windows\System32\psapi.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\lpk.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\user32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\msasn1.dll
    \Windows\SysWOW64\normaliz.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa800550a790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000006c\
    Lower Device Object: 0xfffffa80045b8350
    Lower Device Driver Name: \Driver\USBSTOR\
    Device already Exists: 0xfffffa8003058090
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80032e5740
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xfffffa800315a060
    Lower Device Driver Name: \Driver\atapi\
    Device already Exists: 0xfffffa8002cfba90
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80032e5740, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80032e5190, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80032e5740, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800315a060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a00b391460, 0xfffffa80032e5740, 0xfffffa8002a73790
    Lower DeviceData: 0xfffff8a00af81460, 0xfffffa800315a060, 0xfffffa8002cfba90
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: C047B9AB
    Partition information:
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 603461632
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 603463680 Numsec = 21678080
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 320072933376 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xfffffa800550a790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80045be380, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa800550a790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa80045b8350, DeviceName: \Device\0000006c\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Done!
    Performing system, memory and registry scan...
    Done!
    Scan finished
    =======================================
  19. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Very good :)

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    =========================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  20. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    This is the msg I get trying to make restore point.
    "The restore point could not be created because of the following reason: The creation of a shadow copy has timed out. Try this operation again. (0x81000101)
  21. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Skip that step.
  22. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    Was able to run rkill and immediately ran combofix which froze a third of the way through. Should I force shutdown as option to x out isnt there?
  23. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Go ahead.
  24. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    Rkill 2.4.6 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 01/30/2013 11:08:29 PM in x64 mode.
    Windows Version: Windows 7 Home Premium Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

    Backup Registry file created at:
    C:\Users\Owner\Desktop\rkill\rkill-01-30-2013-11-08-42.reg

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Defender Disabled

    [HKLM\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware" = dword:00000001

    Checking Windows Service Integrity:

    * Base Filtering Engine (BFE) is not Running.
    Startup Type set to: Automatic

    * DHCP Client (Dhcp) is not Running.
    Startup Type set to: Automatic

    * DNS Client (Dnscache) is not Running.
    Startup Type set to: Automatic

    * COM+ Event System (EventSystem) is not Running.
    Startup Type set to: Automatic

    * COM+ Event System (MpsSvc) is not Running.
    Startup Type set to: Automatic

    * Network Connections (Netman) is not Running.
    Startup Type set to: Manual

    * Network Store Interface Service (nsi) is not Running.
    Startup Type set to: Automatic

    * Windows Defender (WinDefend) is not Running.
    Startup Type set to: Manual

    * Security Center (wscsvc) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    * Ancillary Function Driver for Winsock (AFD) is not Running.
    Startup Type set to: System

    * Windows Firewall Authorization Driver (mpsdrv) is not Running.
    Startup Type set to: Manual

    * NetBT (NetBT) is not Running.
    Startup Type set to: System

    * NSI proxy service driver. (nsiproxy) is not Running.
    Startup Type set to: System

    * NetIO Legacy TDI Support Driver (tdx) is not Running.
    Startup Type set to: System

    * iphlpsvc [Missing Service]

    * MpsSvc [Missing ImagePath]
    * SharedAccess [Missing ImagePath]

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * No issues found.

    Program finished at: 01/30/2013 11:08:53 PM
    Execution time: 0 hours(s), 0 minute(s), and 24 seconds(s)
  25. familyman14

    familyman14 TechSpot Enthusiast Topic Starter Posts: 184

    ComboFix 13-01-30.04 - Owner 01/30/2013 23:53:01.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2934.1750 [GMT -5:00]
    Running from: C:\Users\Owner\Desktop\sean.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Users\Owner\AppData\Local\assembly\tmp
    C:\Users\Owner\AppData\Local\miulgou.dll
    C:\Users\Owner\AppData\Roaming\nrvrs.dll
    C:\Users\Owner\AppData\Roaming\skype.ini
    C:\Users\Owner\AppData\Roaming\winpr.dll


    ((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-31 )))))))))))))))))))))))))))))))


    2013-01-31 05:08:07 . 2013-01-31 05:08:07--------d-----w-C:\Users\Default\AppData\Local\temp
    2013-01-30 03:53:42 . 2013-01-30 03:53:42--------d-----w-C:\Windows\Sun
    2013-01-30 03:52:32 . 2013-01-12 08:30:1895648----a-w-C:\Windows\SysWow64\WindowsAccessBridge-32.dll
    2013-01-29 22:48:52 . 2012-10-30 23:51:5325232----a-w-C:\Windows\system32\drivers\aswFsBlk.sys
    2013-01-29 22:48:51 . 2012-10-30 23:51:55370288----a-w-C:\Windows\system32\drivers\aswSP.sys
    2013-01-29 22:48:41 . 2012-10-15 16:59:2854072----a-w-C:\Windows\system32\drivers\aswRdr2.sys
    2013-01-29 22:48:39 . 2012-10-30 23:51:5659728----a-w-C:\Windows\system32\drivers\aswTdi.sys
    2013-01-29 22:48:38 . 2012-10-30 23:51:55984144----a-w-C:\Windows\system32\drivers\aswSnx.sys
    2013-01-29 22:48:32 . 2012-10-30 23:51:5571600----a-w-C:\Windows\system32\drivers\aswMonFlt.sys
    2013-01-29 22:48:31 . 2012-10-30 23:50:30285328----a-w-C:\Windows\system32\aswBoot.exe
    2013-01-29 22:47:50 . 2012-10-30 23:51:0741224----a-w-C:\Windows\avastSS.scr
    2013-01-29 22:47:49 . 2012-10-30 23:50:59227648----a-w-C:\Windows\SysWow64\aswBoot.exe
    2013-01-29 22:47:30 . 2013-01-29 22:47:30--------d-----w-C:\ProgramData\AVAST Software
    2013-01-29 22:47:30 . 2013-01-29 22:47:30--------d-----w-C:\Program Files\AVAST Software
    2013-01-29 06:45:53 . 2013-01-29 06:45:53--------d-----w-C:\FRST
    2013-01-28 17:52:12 . 2013-01-28 17:52:12--------d-----w-C:\Users\Owner\AppData\Roaming\Malwarebytes
    2013-01-28 11:41:48 . 2013-01-28 11:41:48--------d-sh--w-C:\Windows\system32\%APPDATA%
    2013-01-20 04:04:56 . 2009-03-16 19:18:32517448----a-w-C:\Windows\SysWow64\XAudio2_4.dll
    2013-01-20 04:04:56 . 2009-03-16 19:18:32235352----a-w-C:\Windows\SysWow64\xactengine3_4.dll
    2013-01-20 04:04:55 . 2009-03-16 19:18:3222360----a-w-C:\Windows\SysWow64\X3DAudio1_6.dll
    2013-01-20 04:04:02 . 2013-01-20 04:04:02--------d-----w-C:\Program Files (x86)\Microsoft XNA
    2013-01-09 11:44:10 . 2012-11-09 05:45:32750592----a-w-C:\Windows\system32\win32spl.dll
    2013-01-09 11:44:10 . 2012-11-09 04:43:04492032----a-w-C:\Windows\SysWow64\win32spl.dll
    2013-01-09 11:42:28 . 2012-11-30 05:41:07424448----a-w-C:\Windows\system32\KernelBase.dll
    2013-01-09 11:41:49 . 2012-11-23 03:13:5768608----a-w-C:\Windows\system32\taskhost.exe
    2013-01-09 11:41:47 . 2012-11-23 03:26:313149824----a-w-C:\Windows\system32\win32k.sys
    2013-01-09 00:21:52 . 2013-01-09 00:21:5216369160----a-w-C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2013-01-06 22:36:54 . 2010-06-02 09:55:3077656----a-w-C:\Windows\system32\XAPOFX1_5.dll
    2013-01-06 22:36:54 . 2010-06-02 09:55:3074072----a-w-C:\Windows\SysWow64\XAPOFX1_5.dll
    2013-01-06 22:36:53 . 2010-06-02 09:55:30527192----a-w-C:\Windows\SysWow64\XAudio2_7.dll
    2013-01-06 22:36:53 . 2010-06-02 09:55:30518488----a-w-C:\Windows\system32\XAudio2_7.dll
    2013-01-06 22:36:49 . 2010-05-26 16:41:022526056----a-w-C:\Windows\system32\D3DCompiler_43.dll
    2013-01-06 22:36:49 . 2010-05-26 16:41:022106216----a-w-C:\Windows\SysWow64\D3DCompiler_43.dll
    2013-01-06 22:36:45 . 2010-05-26 16:41:02276832----a-w-C:\Windows\system32\d3dx11_43.dll
    2013-01-06 22:36:45 . 2010-05-26 16:41:02248672----a-w-C:\Windows\SysWow64\d3dx11_43.dll
    2013-01-06 22:36:38 . 2010-05-26 16:41:021998168----a-w-C:\Windows\SysWow64\D3DX9_43.dll
    2013-01-06 22:36:38 . 2010-05-26 16:41:002401112----a-w-C:\Windows\system32\D3DX9_43.dll
    2013-01-06 22:36:33 . 2010-02-04 15:01:1424920----a-w-C:\Windows\system32\X3DAudio1_7.dll
    2013-01-06 22:36:33 . 2010-02-04 15:01:1422360----a-w-C:\Windows\SysWow64\X3DAudio1_7.dll
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2013-01-10 11:37:36 . 2012-02-24 16:35:5667599240----a-w-C:\Windows\system32\MRT.exe
    2013-01-09 00:22:04 . 2012-04-13 21:16:06697864----a-w-C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-01-09 00:22:04 . 2012-02-25 16:27:5774248----a-w-C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-16 17:11:22 . 2012-12-22 00:07:3046080----a-w-C:\Windows\system32\atmlib.dll
    2012-12-16 14:45:03 . 2012-12-22 00:07:29367616----a-w-C:\Windows\system32\atmfd.dll
    2012-12-16 14:13:28 . 2012-12-22 00:07:29295424----a-w-C:\Windows\SysWow64\atmfd.dll
    2012-12-16 14:13:20 . 2012-12-22 00:07:3134304----a-w-C:\Windows\SysWow64\atmlib.dll
    2012-12-14 21:49:28 . 2012-02-25 16:31:0824176----a-w-C:\Windows\system32\drivers\mbam.sys
    2012-12-10 23:01:54 . 2012-10-13 02:41:20321384----a-w-C:\Windows\SysWow64\Sendori.dll
    2012-11-30 04:45:10 . 2013-01-09 11:42:1944032----a-w-C:\Windows\apppatch\acwow64.dll
    2012-11-14 07:06:18 . 2012-12-14 11:09:0217811968----a-w-C:\Windows\system32\mshtml.dll
    2012-11-14 06:32:33 . 2012-12-14 11:09:0110925568----a-w-C:\Windows\system32\ieframe.dll
    2012-11-14 06:11:44 . 2012-12-14 11:09:152312704----a-w-C:\Windows\system32\jscript9.dll
    2012-11-14 06:04:44 . 2012-12-14 11:09:161346048----a-w-C:\Windows\system32\urlmon.dll
    2012-11-14 06:04:11 . 2012-12-14 11:09:131392128----a-w-C:\Windows\system32\wininet.dll
    2012-11-14 06:02:49 . 2012-12-14 11:09:151494528----a-w-C:\Windows\system32\inetcpl.cpl
    2012-11-14 06:02:04 . 2012-12-14 11:09:18237056----a-w-C:\Windows\system32\url.dll
    2012-11-14 05:59:52 . 2012-12-14 11:09:1085504----a-w-C:\Windows\system32\jsproxy.dll
    2012-11-14 05:58:36 . 2012-12-14 11:09:09816640----a-w-C:\Windows\system32\jscript.dll
    2012-11-14 05:57:46 . 2012-12-14 11:09:09599040----a-w-C:\Windows\system32\vbscript.dll
    2012-11-14 05:57:35 . 2012-12-14 11:09:19173056----a-w-C:\Windows\system32\ieUnatt.exe
    2012-11-14 05:55:45 . 2012-12-14 11:09:082144768----a-w-C:\Windows\system32\iertutil.dll
    2012-11-14 05:55:26 . 2012-12-14 11:09:15729088----a-w-C:\Windows\system32\msfeeds.dll
    2012-11-14 05:53:22 . 2012-12-14 11:09:2696768----a-w-C:\Windows\system32\mshtmled.dll
    2012-11-14 05:52:40 . 2012-12-14 11:09:272382848----a-w-C:\Windows\system32\mshtml.tlb
    2012-11-14 05:46:25 . 2012-12-14 11:09:20248320----a-w-C:\Windows\system32\ieui.dll
    2012-11-14 02:09:22 . 2012-12-14 11:09:101800704----a-w-C:\Windows\SysWow64\jscript9.dll
    2012-11-14 01:58:15 . 2012-12-14 11:09:161427968----a-w-C:\Windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:37 . 2012-12-14 11:09:131129472----a-w-C:\Windows\SysWow64\wininet.dll
    2012-11-14 01:49:25 . 2012-12-14 11:09:19142848----a-w-C:\Windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27 . 2012-12-14 11:09:24420864----a-w-C:\Windows\SysWow64\vbscript.dll
    2012-11-14 01:44:42 . 2012-12-14 11:09:272382848----a-w-C:\Windows\SysWow64\mshtml.tlb
    2012-11-09 05:45:09 . 2012-12-13 11:19:042048----a-w-C:\Windows\system32\tzres.dll
    2012-11-09 04:42:49 . 2012-12-13 11:19:042048----a-w-C:\Windows\SysWow64\tzres.dll
    2012-11-02 05:59:11 . 2012-12-13 11:18:30478208----a-w-C:\Windows\system32\dpnet.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll" [2012-10-17 04:46:28 1521352]

    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-10-17 04:46:281521352----a-w-C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}]
    2012-09-25 18:02:28497008----a-w-C:\Program Files (x86)\PricePeep\pricepeep.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2012-07-31 17:19:21194928----a-w-C:\Program Files (x86)\Yontoo\YontooIEClient.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll" [2012-10-17 04:46:28 1521352]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="C:\Program Files (x86)\Steam\steam.exe" [2012-12-03 20:04:04 1354736]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2010-11-20 13:25:17 1475584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 13:10:42 843712]
    "APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 01:28:32 59240]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2012-04-19 00:56:22 421888]
    "SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 13:04:54 252848]
    "Sendori Tray"="C:\Program Files (x86)\Sendori\SendoriTray.exe" [2012-12-10 23:01:54 82792]
    "ApnUpdater"="C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [2012-10-17 04:46:34 1573576]
    "amd_dc_opt"="C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 18:53:10 77824]
    "LogMeIn Hamachi Ui"="C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-12-10 22:29:46 2254768]
    "avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2012-10-30 23:50:59 4297136]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    GamersFirst LIVE!.lnk - C:\Program Files (x86)\GamersFirst\LIVE!\Live.exe [2012-4-29 2647664]
    McAfee Security Scan Plus.lnk - C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 19:27:14 138576]
    R2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-09 16:21:24 160944]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 06:45:02 227232]
    R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 11:07:05 59392]
    R3 WajamUpdater;WajamUpdater;C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [2012-10-05 15:08:42 109064]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2012-02-24 17:32:51 1255736]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 Application Sendori;Application Sendori;C:\Program Files (x86)\Sendori\SendoriSvc.exe [2012-12-10 23:01:54 118632]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;C:\Windows\system32\drivers\aswMonFlt.sys [2012-10-30 23:51:55 71600]
    S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-12-10 22:29:46 2465712]
    S2 Service Sendori;Service Sendori;C:\Program Files (x86)\Sendori\Sendori.Service.exe [2012-12-10 23:01:54 14696]
    S2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-12-13 19:26:20 3290896]
    S2 sndappv2;sndappv2;C:\Program Files (x86)\Sendori\sndappv2.exe [2012-12-10 23:01:54 3569512]
    S3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys [2009-09-18 00:54:54 56344]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys [2011-04-20 14:24:56 169584]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys [2010-04-28 08:32:20 932384]


    Contents of the 'Scheduled Tasks' folder

    2013-01-31 C:\Windows\Tasks\Adobe Flash Player Updater.job
    - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 21:16:06 . 2013-01-09 00:22:04]

    2013-01-28 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3886674033-3501889395-2250448632-1000Core.job
    - C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-25 16:26:59 . 2010-09-01 06:15:55]

    2013-01-31 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3886674033-3501889395-2250448632-1000UA.job
    - C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-25 16:26:59 . 2010-09-01 06:15:55]


    --------- X64 Entries -----------


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-10-30 23:50:24133400----a-w-C:\Program Files\AVAST Software\Avast\ashShA64.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2012-01-11 03:43:30 167704]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2012-01-11 03:43:08 392984]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [2012-01-11 03:43:26 417560]

    ------- Supplementary Scan -------

    uLocal Page = C:\Windows\system32\blank.htm
    uStart Page = hxxp://yahoo.genieo.com/?v=w3i8
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}: NameServer = 216.146.35.240,216.146.36.240,192.168.1.1
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\C496E6B6379737: NameServer = 75.75.75.75,75.75.76.76
    TCP: Interfaces\{B62143FB-A54D-4B79-952B-12D76346D51E}\C696E6B6379737: NameServer = 75.75.75.75,75.75.76.76

    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKCU-Run-PlayNC Launcher - (no file)
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    AddRemove-Adobe Shockwave Player - C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-BattlEye for A2 - C:\Program Files (x86)\Steam\steamapps\common\Arma 2BattlEye\UnInstallBE.exe



    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.