TechSpot

Problems with SIREFEF.AB

Inactive
By itLEAKED
Oct 13, 2012
  1. itLEAKED

    Malwarebytes Anti-Malware 1.65.0.1400
    www.malwarebytes.org

    Database version: v2012.10.12.08

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    admin :: PICKERS-MANAGER [administrator]

    10/12/2012 11:08:16 PM
    mbam-log-2012-10-12 (23-08-16).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 242797
    Time elapsed: 27 minute(s), 32 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3AA42713-5C1E-48E2-B432-D8BF420DD31D} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 2
    HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
    HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003\$7a63ae4b11cb9fc6b0235173aae086c4\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Delete on reboot.
    F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Delete on reboot.
    F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003(2)\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Quarantined and deleted successfully.
    F:\WINDOWS\assembly\GAC\Desktop(2).ini (Trojan.0access) -> Quarantined and deleted successfully.
    F:\WINDOWS\assembly\GAC\Desktop.ini (Rootkit.0access) -> Delete on reboot.

    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-10-13 02:41:55
    Windows 5.1.2600 Service Pack 3
    Running: 8g8w7iji.exe; Driver: F:\DOCUME~1\admin\LOCALS~1\Temp\afxdrkoc.sys
    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000276094fe4 (not active ControlSet)
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000276094fe4
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000276094fe4 (not active ControlSet)
    ---- EOF - GMER 1.0.15 ----
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
    Run by admin at 10:04:47 on 2012-10-13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1221 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    F:\WINDOWS\System32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    F:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    F:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    F:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    F:\Program Files\Java\jre6\bin\jqs.exe
    F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    F:\WINDOWS\system32\HPZipm12.exe
    F:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    F:\WINDOWS\System32\svchost.exe -k imgsvc
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\msisear.exe
    F:\Program Files\Logitech\iTouch\iTouch.exe
    F:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    F:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    F:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    F:\Program Files\Google\Chrome\Application\chrome.exe
    F:\Program Files\Google\Chrome\Application\chrome.exe
    F:\Program Files\Google\Chrome\Application\chrome.exe
    "F:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
    F:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://ca.yahoo.com/?fr=fp-yie8
    uSearch Page = hxxp://www.google.com
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    uDefault_Page_URL = hxxp://ca.yahoo.com/?fr=fp-yie8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
    uRun: [Nyyfriydvo] "f:\documents and settings\admin\application data\neme\yzfog.exe"
    mRun: [zBrowser Launcher] f:\program files\logitech\itouch\iTouch.exe
    mRun: [MaxMenuMgr] "f:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [JMB36X Configure] f:\windows\system32\JMRaidTool.exe boot
    mRun: [HDAudDeck] f:\program files\via\viaudioi\hdadeck\HDeck.exe 1
    mRun: [CarboniteSetupLite] "f:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
    mRun: [BrStsWnd] f:\program files\brownie\BrstsWnd.exe Autorun
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [ATICCC] "f:\program files\ati technologies\ati.ace\cli.exe" runtime
    mRun: [Intuit SyncManager] f:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [Adobe ARM] "f:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "f:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [RIMBBLaunchAgent.exe] f:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
    mRun: [MSC] "f:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRun: [DWQueuedReporting] "f:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - f:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163261152796
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164164878500
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: Interfaces\{1FC109AC-9A4B-4D6F-B252-F015FDA5314A} : NameServer = 192.168.0.1
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - f:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
    Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - f:\program files\common files\intuit\intu-res.dll
    Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - f:\program files\turbotax 2010\ic2010pp.dll
    Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - f:\program files\turbotax 2011\ic2011pp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - f:\progra~1\window~4\MpShHook.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - f:\windows\system32\rundll32.exe f:\windows\system32\advpack.dll,launchinfsectionex f:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - f:\documents and settings\admin\application data\mozilla\firefox\profiles\sa6yerhj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en
    FF - prefs.js: keyword.URL - about:neterror?e=query&u=
    FF - prefs.js: network.proxy.type - 0
    FF - component: f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: f:\documents and settings\admin\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: f:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: f:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: f:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: f:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\NPAdbESD.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: f:\program files\musicnotes\npmusicn.dll
    FF - plugin: f:\program files\musicnotes\NPSibelius.dll
    FF - plugin: f:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;f:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
    R2 FreeAgentGoNext Service;Seagate Service;f:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
    R2 W32Serv;Windows Search Scheduler;f:\windows\msisear.exe [2012-10-12 308224]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;f:\windows\system32\drivers\viahduaa.sys [2009-9-15 845184]
    S1 cqgbqjuu;cqgbqjuu;\??\f:\windows\system32\drivers\cqgbqjuu.sys --> f:\windows\system32\drivers\cqgbqjuu.sys [?]
    S1 cqhzefuw;cqhzefuw;\??\f:\windows\system32\drivers\cqhzefuw.sys --> f:\windows\system32\drivers\cqhzefuw.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1cabcbf41688628;Google Update Service (gupdate1cabcbf41688628);f:\program files\google\update\GoogleUpdate.exe [2010-3-5 133104]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;f:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 250808]
    S3 gupdatem;Google Update Service (gupdatem);f:\program files\google\update\GoogleUpdate.exe [2010-3-5 133104]
    S3 MozillaMaintenance;Mozilla Maintenance Service;f:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-27 114144]
    S3 Netaapl;Apple Mobile Device Ethernet Service;f:\windows\system32\drivers\netaapl.sys [2010-11-18 18432]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-10-13 08:04:30  365056  ----a-w-  f:\documents and settings\admin\bhxzbuegunpttzkdqsvtqwr.exe
    2012-10-13 07:53:44  6980552  ----a-w-  f:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{95602e44-6645-42b4-bae5-17e7a74216e4}\mpengine.dll
    2012-10-13 03:06:53  --------  d-----w-  f:\documents and settings\admin\application data\Malwarebytes
    2012-10-13 03:06:29  --------  d-----w-  f:\documents and settings\all users\application data\Malwarebytes
    2012-10-13 03:06:26  22856  ----a-w-  f:\windows\system32\drivers\mbam.sys
    2012-10-13 03:06:26  --------  d-----w-  f:\program files\Malwarebytes' Anti-Malware
    2012-10-13 02:45:26  --------  d-----w-  f:\documents and settings\admin\application data\FixZeroAccess
    2012-10-13 01:45:06  --------  d-----w-  f:\program files\Microsoft Security Client
    2012-10-12 20:26:09  308224  ----a-w-  f:\windows\msisear.exe
    2012-10-12 19:04:20  --------  d-----w-  f:\program files\Spybot - Search & Destroy
    2012-10-12 19:04:19  --------  d-----w-  f:\program files\SpeedyPC Software
    2012-10-12 19:04:19  --------  d-----w-  f:\documents and settings\all users\application data\SpeedyPC Software
    2012-10-12 17:35:13  --------  d-----w-  f:\windows\system32\wbem\repository\FS
    2012-10-12 17:35:13  --------  d-----w-  f:\windows\system32\wbem\Repository
    2012-10-11 22:12:02  --------  d-sha-r-  F:\cmdcons
    2012-10-11 22:00:23  98816  ----a-w-  f:\windows\sed.exe
    2012-10-11 22:00:23  518144  ----a-w-  f:\windows\SWREG.exe
    2012-10-11 22:00:23  256000  ----a-w-  f:\windows\PEV.exe
    2012-10-11 22:00:23  208896  ----a-w-  f:\windows\MBR.exe
    2012-10-11 21:59:15  --------  d-----w-  F:\ComboFix
    2012-10-11 21:49:28  256904  ----a-w-  f:\windows\system32\drivers\tmcomm.sys
    2012-10-11 21:37:43  --------  d-----w-  f:\documents and settings\all users\application data\Spybot - Search & Destroy
    2012-09-20 14:25:21  --------  d-----w-  f:\program files\iPod
    2012-09-20 14:25:16  --------  d-----w-  f:\program files\iTunes
    2012-09-20 14:25:16  --------  d-----w-  f:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2012-09-19 22:50:22  --------  d-----w-  f:\documents and settings\admin\application data\Neme
    2012-09-19 22:50:22  --------  d-----w-  f:\documents and settings\admin\application data\Kukoam
    2012-09-19 22:50:22  --------  d-----w-  f:\documents and settings\admin\application data\Ekem
    .
    ==================== Find3M ====================
    .
    2012-10-08 22:20:37  696760  ----a-w-  f:\windows\system32\FlashPlayerApp.exe
    2012-10-08 22:20:36  73656  ----a-w-  f:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-31 02:03:50  193552  ----a-w-  f:\windows\system32\drivers\MpFilter.sys
    2012-08-28 15:14:53  916992  ----a-w-  f:\windows\system32\wininet.dll
    2012-08-28 15:14:53  43520  ----a-w-  f:\windows\system32\licmgr10.dll
    2012-08-28 15:14:52  1469440  ------w-  f:\windows\system32\inetcpl.cpl
    2012-08-28 12:07:15  385024  ----a-w-  f:\windows\system32\html.iec
    2012-08-24 13:53:22  177664  ----a-w-  f:\windows\system32\wintrust.dll
    2012-08-21 17:01:22  26840  ----a-w-  f:\windows\system32\drivers\GEARAspiWDM.sys
    2012-08-21 17:01:22  106928  ----a-w-  f:\windows\system32\GEARAspi.dll
    2012-08-21 13:33:26  2148864  ----a-w-  f:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58:09  2027520  ----a-w-  f:\windows\system32\ntkrnlpa.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Lexar___ rev.1100 -> Harddisk4\DR9 -> \Device\0000007a
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys USBSTOR.SYS hal.dll usbhub.sys USBPORT.SYS usbehci.sys
    1 ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\Harddisk4\DR9[0x89CE9A38]
    3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\00000083[0x89E239F8]
    5 USBSTOR[0xBA3C0706] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\USBPDO-9[0x89CF13F0]
    7 usbhub[0xB9636596] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\USBPDO-4[0x888AF030]
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    user != kernel MBR !!!
    error: Read The parameter is incorrect.
    .
    ============= FINISH: 10:11:34.48 ===============
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 32-bit version

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type in the text services.exe into the "Search:" text box. Then, press the Search file(s) button.
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
  3. itLEAKED

    itLEAKED TS Rookie Topic Starter

    When I tried to locate the Repair feature within the Advanced Boot Options there is nothing there and my boss is unaware as to the location of our Windows XP cd.
    Am I out of luck until I can acquire that disc?
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Sorry for that, I overlooked the fact you have Windows XP. Let's do the following instead:

    ComboFix scan

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  5. itLEAKED

    itLEAKED TS Rookie Topic Starter

    Ran ComboFix in 'normal'
    Started, and wouldn't complete the scan after an hour and a half
    Rebooted into 'safe mode'
    Started, again would not complete after an hour and a half
    Tried iexplore.exe, again with same results in both modes

    How long should this scan typically take? Asking because of the comment within the cmd prompt about run time
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    40 minutes at the most usually. :p

    TDSSKiller Scan

    Please download and run TDSSKiller to your desktop as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  7. itLEAKED

    itLEAKED TS Rookie Topic Starter

    When I got to run this application, it seems like it's going to work, then it doesn't do anything. I don't even get to the first window
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Next trial run...

    RogueKiller Scan

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  9. itLEAKED

    itLEAKED TS Rookie Topic Starter

    Can't tell if the scan completed or not. Clicked on Delete and it went to hour glass for over 10 minutes, then program became unresponsive.

    It did however make this log and Quarantine Dir:

    RogueKiller V8.1.1 [10/01/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : admin [Admin rights]
    Mode : Scan -- Date : 10/18/2012 10:10:15

    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH] msisear.exe -- F:\WINDOWS\msisear.exe -> KILLED [TermProc]
    [HIDDEN] msisear.exe -- F:\WINDOWS\msisear.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FOLDER] U : F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\U --> FOUND
    [ZeroAccess][FOLDER] U : F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003\$7a63ae4b11cb9fc6b0235173aae086c4\U --> FOUND
    [ZeroAccess][FOLDER] L : F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\L --> FOUND
    [ZeroAccess][FOLDER] L : F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003\$7a63ae4b11cb9fc6b0235173aae086c4\L --> FOUND

    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9F156F2)
    IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9F156F2)
    IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9F15712)
    IRP[IRP_MJ_POWER] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9F1573C)
    IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9F1C336)
    IRP[IRP_MJ_PNP] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9F1C302)
    IRP[DriverStartIo] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9F12864)

    ¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> F:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500JS-98NCB1 +++++
    --- User ---
    [MBR] 0b2d64725d2c468a38b655bcb09ee167
    [BSP] 1bff3a84dd1bac7449d2e018771f1cdf : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
    User = LL1 ... OK!
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] aa5b0088405d84d0cfc92b5410ed3861
    [BSP] 1bff3a84dd1bac7449d2e018771f1cdf : Windows XP MBR Code [possible maxSST in 1!]
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
    1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 488376000 | Size: 10 Mo

    +++++ PhysicalDrive1: Seagate FreeAgent USB Device +++++
    --- User ---
    [MBR] 25bc0c7e1936e0474ef5d29e443cf4f3
    [BSP] ff64d61c08d73aa2b1fc0f963ee69984 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
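    As an added example (not part of this thread and not code from any of the tools above), here is a small Python triage script that reads the indicator lines from the Malwarebytes, GMER and RogueKiller logs posted earlier and turns them into findings: the ZeroAccess drop folders under RECYCLER, the two hijacked CLSIDs, the user/kernel MBR mismatch and the hidden 0x17 partition. The sample input is a handful of lines copied from those logs; the regexes and field names are my own and assume the logs keep the formats shown in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: indicator lines copied from the Malwarebytes,
# GMER and RogueKiller reports posted earlier in this thread.
SAMPLE_LOG = r"""
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003\$7a63ae4b11cb9fc6b0235173aae086c4\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.
F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Delete on reboot.
F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003(2)\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Quarantined and deleted successfully.
F:\WINDOWS\assembly\GAC\Desktop.ini (Rootkit.0access) -> Delete on reboot.
[ZeroAccess][FOLDER] U : F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\U --> FOUND
[ZeroAccess][FOLDER] L : F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\L --> FOUND
user != kernel MBR !!!
User = LL1 ... OK!
User != LL2 ... KO!
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 488376000 | Size: 10 Mo
"""

# ZeroAccess keeps its files under RECYCLER\<SID>\$<32 hex chars>\ : "n" is the
# loader DLL and "U" / "L" are its working folders (all three appear in the logs).
RECYCLER_RE = re.compile(
    r"[A-Za-z]:\\RECYCLER\\(S-1-5-[\d-]+)(?:\(\d+\))?\\\$([0-9a-f]{32})\\([nUL])\b")
# Second user-mode drop site seen in the Malwarebytes log: a DLL disguised as
# %windir%\assembly\GAC\Desktop.ini.
GAC_RE = re.compile(r"\\assembly\\GAC\\Desktop(?:\(\d+\))?\.ini", re.IGNORECASE)
# Malwarebytes "Registry Data Items" line: a COM class whose InProcServer32 was
# redirected to the dropper; "Good:" names the legitimate DLL it displaced.
CLSID_RE = re.compile(
    r"HKCR\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\|.*?Bad: \((.*?)\) Good: \((.*?)\)")
# RogueKiller partition-table rows: index, flag, type byte, visibility, offset, size.
PART_RE = re.compile(
    r"^\s*(\d+) - \[(\w+)\] \w+ \(0x([0-9A-Fa-f]{2})\) \[(HIDDEN!|VISIBLE)\] "
    r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo")
# GMER's "user != kernel MBR" and RogueKiller's "User != LL2 ... KO!" both mean the
# MBR seen through the normal disk stack differs from the one read underneath it.
MBR_MISMATCH_RE = re.compile(r"user != kernel MBR|User != LL\d.*KO!", re.IGNORECASE)


@dataclass
class Triage:
    dropper_roots: set = field(default_factory=set)        # (SID, hash) pairs
    components: set = field(default_factory=set)           # "n", "U", "L" seen
    gac_desktop_ini: bool = False
    hijacked_clsids: list = field(default_factory=list)    # (CLSID, legitimate DLL)
    hidden_partitions: list = field(default_factory=list)  # (index, type, offset, MB)
    mbr_mismatch: bool = False

    def verdict(self) -> str:
        findings = []
        if self.dropper_roots or self.gac_desktop_ini:
            findings.append("ZeroAccess user-mode components present")
        if self.hijacked_clsids:
            findings.append("COM CLSID InProcServer32 hijack (persistence)")
        if self.mbr_mismatch and self.hidden_partitions:
            findings.append("MBR bootkit: user/kernel MBR differ and a hidden partition exists")
        return "; ".join(findings) if findings else "no ZeroAccess indicators"


def triage(log_text: str) -> Triage:
    t = Triage()
    for line in log_text.splitlines():
        for sid, digest, comp in RECYCLER_RE.findall(line):
            t.dropper_roots.add((sid, digest))
            t.components.add(comp)
        if GAC_RE.search(line):
            t.gac_desktop_ini = True
        m = CLSID_RE.search(line)
        if m and "RECYCLER" in m.group(2).upper():
            t.hijacked_clsids.append((m.group(1).upper(), m.group(3)))
        m = PART_RE.match(line)
        if m:
            idx, _flag, ptype, vis, offset, size = m.groups()
            # Type 0x17 is "hidden NTFS"; a small hidden partition at the end of
            # the disk that user-mode reads never showed is where the bootkit lives.
            if vis == "HIDDEN!" or ptype.lower() != "07":
                t.hidden_partitions.append((int(idx), int(ptype, 16), int(offset), int(size)))
        if MBR_MISMATCH_RE.search(line):
            t.mbr_mismatch = True
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.verdict())
    for idx, ptype, offset, size in result.hidden_partitions:
        print(f"hidden partition {idx}: type 0x{ptype:02x}, {size} MB at sector {offset}")
```

    The MBR mismatch together with the hooked atapi.sys IRPs in the RogueKiller log is also why live tools such as ComboFix and TDSSKiller hang on this machine, which is the reason the helper moves to an offline boot CD in the next reply.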
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Download OTLPENet.exe to your desktop
    • Download Farbar Recovery Scan Tool and save it to a flash drive.
    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
    • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
    • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
    • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
    • Insert the flash drive with FRST on it
    • Locate the flash drive and run FRST
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type services.exe into the "Search:" text box and press the Search file(s) button.
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
  11. itLEAKED (Topic Starter)

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-10-2012
    Ran by SYSTEM at 19-10-2012 20:34:09
    Running from G:\
    Microsoft Windows XP (X86) OS Language: English(US)
    The current controlset is ControlSet002

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe [892928 2004-03-18] (Logitech Inc.)
    HKLM\...\Run: [RIMBBLaunchAgent.exe] F:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)
    HKLM\...\Run: [MaxMenuMgr] "F:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [185640 2009-09-26] (Seagate LLC)
    HKLM\...\Run: [Intuit SyncManager] F:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [623880 2008-11-18] (Intuit Inc. All rights reserved.)
    HKLM\...\Run: [HDAudDeck] F:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 [30003200 2008-08-14] (VIA Technologies, Inc.)
    HKLM\...\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent [x]
    HKLM\...\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime [61440 2005-08-06] (ATI Technologies Inc.)
    HKLM\...\Run: [APSDaemon] "F:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
    HKLM\...\Run: [MSC] "F:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] "F:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
    HKLM\...\Run: [AppleSyncNotifier] F:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
    HKLM\...\Run: [Adobe ARM] "F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [926896 2012-09-23] (Adobe Systems Incorporated)
    HKU\admin\...\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
    HKU\Administrator\...\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
    Winlogon\Notify\AtiExtEvent: Ati2evxx.dll (ATI Technologies Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

    ==================== Services (Whitelisted) ===================

    2 6to4; C:\Windows\System32\svchost.exe -k netsvcs [14336 2008-04-13] (Microsoft Corporation)
    2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [516096 2005-08-06] ()
    2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
    2 FreeAgentGoNext Service; "C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe" [189736 2009-09-26] (Seagate Technology LLC)
     
  12. itLEAKED (Topic Starter)

    Farbar Recovery Scan Tool (x86) Version: 15-10-2012
    Ran by SYSTEM at 2012-10-19 20:28:06
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\WINDOWS\system32\services.exe
    [2003-03-31 08:00] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

    C:\WINDOWS\system32\dllcache\services.exe
    [2003-03-31 08:00] - [2009-02-06 07:11] - 0110592 ___AC (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

    C:\WINDOWS\ServicePackFiles\i386\services.exe
    [2006-11-12 03:10] - [2008-04-13 20:12] - 0108544 ___AC (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

    C:\WINDOWS\erdnt\cache\services.exe
    [2012-10-11 18:55] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

    C:\WINDOWS\$NtUninstallKB956572$\services.exe
    [2009-04-17 03:03] - [2008-04-13 20:12] - 0108544 ___AC (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

    C:\WINDOWS\$NtServicePackUninstall$\services.exe
    [2008-07-11 21:28] - [2004-08-04 04:56] - 0108032 ___AC (Microsoft Corporation) c6ce6eec82f187615d1002bb3bb50ed4

    C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
    [2009-04-16 19:11] - [2009-02-06 07:06] - 0110592 ____A (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6

    === End Of Search ===
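The search above was requested because some ZeroAccess variants of that period replace services.exe with a patched copy; FRST lists every copy it can find with its MD5 so the live file under system32 can be compared with the cached ones. In the log as posted, the live copy, the dllcache copy and the erdnt cache copy share one hash; the ServicePackFiles and $NtUninstall copies are older builds (different size and modification date), and the $hf_mig$ SP3QFE copy is the hotfix's QFE branch, so its different hash is expected. The Python below is an added example, not part of FRST or of this thread: it parses that output format and flags a live services.exe whose hash differs from cached copies of the same build, where "same build" means identical modification time and size. The log text embedded in it is constructed from the post above.

```python
# Added example: parse FRST "Search:" output and check the live services.exe
# against cached copies of the same build. SEARCH_LOG is constructed to mirror
# the post above; it is not the poster's file.
import re

SEARCH_LOG = """\
Farbar Recovery Scan Tool (x86) Version: 15-10-2012
Ran by SYSTEM at 2012-10-19 20:28:06
Running from G:\\

================== Search: "services.exe" ===================

C:\\WINDOWS\\system32\\services.exe
[2003-03-31 08:00] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

C:\\WINDOWS\\system32\\dllcache\\services.exe
[2003-03-31 08:00] - [2009-02-06 07:11] - 0110592 ___AC (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

C:\\WINDOWS\\ServicePackFiles\\i386\\services.exe
[2006-11-12 03:10] - [2008-04-13 20:12] - 0108544 ___AC (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

C:\\WINDOWS\\erdnt\\cache\\services.exe
[2012-10-11 18:55] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

C:\\WINDOWS\\$hf_mig$\\KB956572\\SP3QFE\\services.exe
[2009-04-16 19:11] - [2009-02-06 07:06] - 0110592 ____A (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6

=== End Of Search ===
"""

# "[created] - [modified] - size attrs (company) md5"
DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
LIVE_RE = re.compile(r"^[a-z]:\\windows\\system32\\services\.exe$", re.IGNORECASE)


def parse_search(text: str) -> list[dict]:
    """Pair each path line with the detail line FRST prints under it."""
    hits, prev = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = DETAIL.match(line)
        if m and PATH_RE.match(prev):
            hits.append({
                "path": prev,
                "modified": m["modified"],
                "size": int(m["size"]),
                "company": m["company"],
                "md5": m["md5"].lower(),
            })
        prev = line
    return hits


def check_services(hits: list[dict]) -> list[str]:
    """Flag a live services.exe that disagrees with cached copies of the same build."""
    findings = []
    live = [h for h in hits if LIVE_RE.match(h["path"])]
    if len(live) != 1:
        return [f"expected one live copy under system32, found {len(live)}"]
    live = live[0]
    if live["company"] != "Microsoft Corporation":
        findings.append(f"live copy has no Microsoft version info: ({live['company']})")
    # Only copies with the same modification time and size are the same build;
    # a different hotfix branch (e.g. SP3QFE) legitimately hashes differently.
    same_build = [h for h in hits
                  if h is not live and (h["modified"], h["size"]) == (live["modified"], live["size"])]
    if not same_build:
        findings.append("no cached copy with the same timestamp and size to compare against")
    for h in same_build:
        if h["md5"] != live["md5"]:
            findings.append(f"hash mismatch against {h['path']}: {live['md5']} != {h['md5']}")
    return findings


def with_live_hash(hits: list[dict], md5: str) -> list[dict]:
    """Copy of hits with the live services.exe carrying a different (hypothetical) hash."""
    return [dict(h, md5=md5) if LIVE_RE.match(h["path"]) else h for h in hits]


if __name__ == "__main__":
    hits = parse_search(SEARCH_LOG)
    print("clean:", check_services(hits) or "no findings")
    print("patched:", check_services(with_live_hash(hits, "d41d8cd98f00b204e9800998ecf8427e")))
```

The comparison key matters: comparing by file name alone would flag the SP3QFE copy and the older SP3 builds as mismatches, while comparing by hash alone would miss a patched copy whose version resource still says Microsoft Corporation. Both pitfalls are visible in the posted log, which is why the check keys on modification time plus size before looking at the MD5.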
  13. Jay Pfoutz (Malware Helper)

    The FRST.txt is incomplete. Would you re-post that log, please.
  14. Jay Pfoutz (Malware Helper)

    Hello, are you still with us? Please update us with the state of your situation, so we know how to continue from here.

    We'd still like to help. Topic marked inactive, until your return.
  15. itLEAKED (Topic Starter)

    HKLM\...\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
    HKLM\...\Run: [AppleSyncNotifier] F:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
    HKLM\...\Run: [Adobe ARM] "F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [926896 2012-09-23] (Adobe Systems Incorporated)
    HKU\admin\...\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
    HKU\Administrator\...\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
    Winlogon\Notify\AtiExtEvent: Ati2evxx.dll (ATI Technologies Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

    ==================== Services (Whitelisted) ===================

    2 6to4; C:\Windows\System32\svchost.exe -k netsvcs [14336 2008-04-13] (Microsoft Corporation)
    2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [516096 2005-08-06] ()
    2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
    2 FreeAgentGoNext Service; "C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe" [189736 2009-09-26] (Seagate Technology LLC)
    3 GoogleDesktopManager; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [1838592 2012-10-15] (Google)
    2 gupdate1cabcbf41688628; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2010-03-05] (Google Inc.)
    2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [20472 2012-09-12] (Microsoft Corporation)
    2 W32Serv; C:\WINDOWS\msisear.exe [304128 2012-10-15] ()
    2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

    ==================== Drivers (Whitelisted) ====================

    3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [1273344 2005-08-03] (ATI Technologies Inc.)
    2 BrPar; C:\Windows\System32\drivers\BrPar.sys [19537 2000-07-24] (Brother Industries Ltd.)
    3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows (R) Server 2003 DDK provider)
    3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49664 2006-04-12] (HP)
    3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2006-04-12] (HP)
    3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2006-04-12] (HP)
    3 itchfltr; C:\Windows\System32\DRIVERS\itchfltr.sys [12953 2004-03-10] (Logitech, Inc.)
    0 JGOGO; C:\Windows\System32\DRIVERS\JGOGO.sys [6912 2006-02-07] (JMicron )
    0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [43392 2006-07-05] (JMicron Technology Corp.)
    3 L1e; C:\Windows\System32\DRIVERS\l1e51x86.sys [38400 2008-09-23] (Atheros Communications, Inc.)
    3 LCcfltr; C:\Windows\System32\drivers\lccfltr.sys [14095 2004-03-03] (Logitech, Inc.)
    3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1389056 2008-02-14] (Creative Technology Ltd.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
    3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-12] ()
    3 RTLE8023xp; C:\Windows\System32\DRIVERS\Rtenicxp.sys [83712 2006-07-13] (Realtek Semiconductor Corporation )
    3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
    3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [845184 2008-07-25] (VIA Technologies, Inc.)
    4 Abiosdsk; [x]
    4 abp480n5; [x]
    3 ADIHdAudAddService; C:\Windows\System32\drivers\ADIHdAud.sys [x]
    4 adpu160m; [x]
    3 AEAudio; C:\Windows\System32\drivers\AEAudio.sys [x]
    4 Aha154x; [x]
    4 aic78u2; [x]
    4 aic78xx; [x]
    4 AliIde; [x]
    4 amsint; [x]
    4 asc; [x]
    4 asc3350p; [x]
    4 asc3550; [x]
    4 Atdisk; [x]
    3 catchme; \??\F:\32788R22FWJFW\catchme.sys [x]
    4 cd20xrnt; [x]
    1 Changer; [x]
    4 CmdIde; [x]
    4 Cpqarray; [x]
    1 cqgbqjuu; \??\F:\WINDOWS\system32\drivers\cqgbqjuu.sys [x]
    1 cqhzefuw; \??\F:\WINDOWS\system32\drivers\cqhzefuw.sys [x]
    4 dac2w2k; [x]
    4 dac960nt; [x]
    4 dpti2o; [x]
    4 hpn; [x]
    1 i2omgmt; [x]
    4 i2omp; [x]
    4 InCDFs; C:\Windows\System32\drivers\InCDFs.sys [x]
    1 InCDPass; C:\Windows\System32\drivers\InCDPass.sys [x]
    1 InCDRm; C:\Windows\System32\drivers\InCDRm.sys [x]
    4 ini910u; [x]
    4 IntelIde; [x]
    1 lbrtfdc; [x]
    3 MBAMProtector; \??\F:\WINDOWS\system32\drivers\mbam.sys [x]
    3 MFE_RR; \??\F:\DOCUME~1\admin\LOCALS~1\Temp\mfe_rr.sys [x]
    4 mraid35x; [x]
    1 PCIDump; [x]
    3 PDCOMP; [x]
    3 PDFRAME; [x]
    3 PDRELI; [x]
    3 PDRFRAME; [x]
    4 perc2; [x]
    4 perc2hib; [x]
    2 PEVSystemStart; "F:\ComboFix\pev.3XE" EXEC /I "F:\ComboFix\HIDEC.3XE" "F:\ComboFix\SWREG.3XE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q [x]
    4 ql1080; [x]
    4 Ql10wnt; [x]
    4 ql12160; [x]
    4 ql1240; [x]
    4 ql1280; [x]
    2 RPSKT; C:\Windows\System32\DRIVERS\rp_skt32.sys [x]
    3 SenFiltService; C:\Windows\System32\drivers\Senfilt.sys [x]
    4 Simbad; [x]
    4 Sparrow; [x]
    4 symc810; [x]
    4 symc8xx; [x]
    4 sym_hi; [x]
    4 sym_u3; [x]
    4 TosIde; [x]
    4 ultra; [x]
    4 ViaIde; [x]
    3 WDICA; [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2012-10-26 13:06 - 2012-10-26 13:09 - 55101172 ____A C:\FRI.TRS
    2012-10-26 12:38 - 2012-10-26 12:38 - 76292096 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 26, 2012 12 36 PM).QBB
    2012-10-26 12:38 - 2012-10-26 12:38 - 00042496 ____A C:\Documents and Settings\admin\My Documents\money notes 2012-1.xls
    2012-10-26 12:37 - 2012-10-26 12:37 - 00042496 ____A C:\Documents and Settings\admin\My Documents\money notes 2012 update.xls
    2012-10-26 12:12 - 2012-10-26 12:16 - 55100350 ____A C:\102620121216.TRS
    2012-10-25 19:19 - 2012-10-25 19:19 - 00000000 ____D C:\Windows\LastGood
    2012-10-25 16:10 - 2012-10-25 16:14 - 55089896 ____A C:\10252012414.TRS
    2012-10-23 14:23 - 2012-10-23 14:56 - 55063452 ____A C:\10232012256.TRS
    2012-10-23 14:23 - 2012-10-23 14:27 - 55063103 ____A C:\10232012227.TRS
    2012-10-23 12:38 - 2012-10-23 12:38 - 00041984 ____A C:\Documents and Settings\admin\My Documents\money notes 2012 2.xls
    2012-10-22 12:26 - 2012-10-22 15:21 - 55051886 ____A C:\10222012321.TRS
    2012-10-22 12:26 - 2012-10-22 12:29 - 55050287 ____A C:\102220121229.TRS
    2012-10-20 17:41 - 2012-10-20 17:41 - 76288000 ____N C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 20, 2012 05 39 PM).QBB
    2012-10-20 17:20 - 2012-10-20 17:22 - 00000000 ____D C:\Program Files\Mozilla Firefox
    2012-10-20 14:35 - 2012-10-20 17:42 - 55037694 ____A C:\10202012442.TRS
    2012-10-20 14:35 - 2012-10-20 14:39 - 55034721 ____A C:\10202012139.TRS
    2012-10-20 14:22 - 2012-10-20 14:33 - 55034054 ____A C:\10202012133.TRS
    2012-10-19 20:18 - 2012-10-19 20:18 - 00000000 ____D C:\FRST
    2012-10-19 14:42 - 2012-10-19 14:45 - 55015306 ____A C:\10192012245.TRS
    2012-10-19 12:52 - 2012-10-19 12:52 - 76304384 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 19, 2012 12 50 PM).QBB
    2012-10-18 19:50 - 2012-10-18 19:50 - 76292096 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 18, 2012 07 48 PM).QBB
    2012-10-18 17:04 - 2012-10-18 17:09 - 55001990 ____A C:\10182012509.TRS
    2012-10-18 10:10 - 2012-10-18 10:10 - 00002830 ____A C:\Documents and Settings\admin\Desktop\RKreport[1].txt
    2012-10-18 10:09 - 2012-10-18 10:40 - 00000000 ____D C:\Documents and Settings\admin\Desktop\RK_Quarantine
    2012-10-18 10:08 - 2012-10-18 10:08 - 01425920 ____A C:\Documents and Settings\admin\Desktop\RogueKiller.exe
    2012-10-17 19:42 - 2012-10-17 19:42 - 00008844 ____A C:\Windows\System32\reset.log
    2012-10-17 19:32 - 2012-10-17 19:48 - 00005404 ____A C:\Windows\bitssetup.log
    2012-10-17 19:14 - 2004-06-11 19:33 - 00290304 ____A (Microsoft Corporation) C:\subinacl.exe
    2012-10-17 19:11 - 2012-10-17 19:11 - 00000000 ____D C:\RegBackup
    2012-10-17 17:06 - 2012-10-17 19:54 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
    2012-10-16 19:19 - 2012-10-16 19:19 - 00043062 ____A C:\Documents and Settings\admin\My Documents\UserImages.bmp
    2012-10-16 19:18 - 2012-10-16 19:19 - 55378076 ____A C:\Documents and Settings\admin\My Documents\Tuesdays Backups.nrg
    2012-10-16 18:40 - 2012-10-16 18:40 - 76283904 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 16, 2012 06 38 PM).QBB
    2012-10-16 17:13 - 2012-10-16 17:15 - 00034816 ____A C:\Documents and Settings\admin\My Documents\Erikson's Adjusted Statement Oct 10 2012.xls
    2012-10-16 17:12 - 2012-10-26 17:21 - 00000402 ____A C:\Windows\Tasks\ReclaimerUpdateXML_admin.job
    2012-10-16 17:12 - 2012-10-26 12:22 - 00000406 ____A C:\Windows\Tasks\ReclaimerUpdateFiles_admin.job
    2012-10-16 17:12 - 2012-10-25 18:59 - 00000412 ____A C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_admin.job
    2012-10-16 13:39 - 2012-08-21 13:01 - 00026840 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
    2012-10-16 13:38 - 2012-10-16 13:39 - 00000000 ____D C:\Program Files\iTunes
    2012-10-16 13:38 - 2012-10-16 13:39 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2012-10-16 13:38 - 2012-10-16 13:38 - 00000000 ____D C:\Program Files\iPod
    2012-10-16 13:36 - 2012-10-16 13:47 - 54980182 ____A C:\10162012147.TRS
    2012-10-16 10:32 - 2012-10-25 23:54 - 00000384 ___AH C:\Windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    2012-10-16 10:22 - 2012-10-16 10:22 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-10-16 09:29 - 2012-10-16 09:37 - 00000000 ____D C:\Program Files\HijackThis
    2012-10-16 08:46 - 2012-10-17 16:54 - 00000796 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-10-15 19:34 - 2012-10-15 19:38 - 54978149 ____A C:\10152012738.TRS
    2012-10-15 19:10 - 2012-10-15 19:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Ask
    2012-10-15 19:09 - 2012-10-15 19:09 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-10-15 19:09 - 2012-10-15 19:09 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-10-15 19:09 - 2012-10-15 19:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-10-15 19:09 - 2012-10-15 19:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-10-15 17:17 - 2012-10-15 17:18 - 00000000 ___DC C:\Windows\ie8
    2012-10-15 14:43 - 2012-10-15 14:46 - 54970023 ____A C:\10152012246.TRS
    2012-10-15 13:22 - 2012-10-15 13:22 - 00304128 ____A () C:\Windows\msisear.exe
    2012-10-15 12:22 - 2012-10-15 12:22 - 76288000 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 15, 2012 12 21 PM).QBB
    2012-10-13 18:53 - 2012-10-13 18:53 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Intuit
    2012-10-13 18:18 - 2012-10-13 18:18 - 00000000 ____D C:\ComboFix
    2012-10-13 12:26 - 2012-10-13 12:26 - 00000000 ____D C:\Program Files\uTorrent
    2012-10-13 12:25 - 2012-10-13 12:30 - 00000000 ____D C:\Documents and Settings\admin\Application Data\uTorrent
    2012-10-13 02:46 - 2012-10-13 02:46 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
    2012-10-12 23:06 - 2012-10-17 16:54 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-10-12 23:06 - 2012-10-12 23:06 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2012-10-12 23:06 - 2012-10-12 23:06 - 00000000 ____D C:\Documents and Settings\admin\Application Data\Malwarebytes
    2012-10-12 22:45 - 2012-10-12 22:45 - 00000000 ____D C:\Documents and Settings\admin\Application Data\FixZeroAccess
    2012-10-12 21:47 - 2012-10-12 21:47 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Macromedia
    2012-10-12 21:46 - 2012-10-12 21:46 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Adobe
    2012-10-12 21:34 - 2012-10-12 21:35 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Mozilla
    2012-10-12 21:34 - 2012-10-12 21:34 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
    2012-10-12 16:27 - 2012-10-12 16:27 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
    2012-10-12 16:26 - 2012-10-12 16:26 - 00308224 ____A () C:\Windows\msisear.ex
    2012-10-12 15:04 - 2012-10-12 15:04 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
    2012-10-12 15:04 - 2012-10-12 15:04 - 00000000 ____D C:\Program Files\SpeedyPC Software
    2012-10-12 15:04 - 2012-10-12 15:04 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
    2012-10-12 15:04 - 2012-10-12 15:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SpeedyPC Software
    2012-10-12 15:04 - 2012-10-12 15:04 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\SpeedyPC Software
    2012-10-12 15:04 - 2012-10-12 15:04 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Adobe
    2012-10-12 14:44 - 2012-10-12 14:44 - 00098304 ____A C:\Windows\Minidump\Mini101212-01.dmp
    2012-10-12 14:05 - 2012-10-12 14:08 - 54932826 ____A C:\10122012208.TRS
    2012-10-12 13:29 - 2012-10-12 13:29 - 00011419 ____A C:\Documents and Settings\admin\hs_err_pid4048.log
    2012-10-11 19:10 - 2012-10-11 19:10 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
    2012-10-11 18:12 - 2012-10-12 15:04 - 00000000 _RASD C:\cmdcons
    2012-10-11 18:12 - 2006-11-12 03:12 - 00000210 ____A C:\Boot.bak
    2012-10-11 18:12 - 2004-08-03 23:00 - 00260272 __RAS C:\cmldr
    2012-10-11 18:00 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-10-11 18:00 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-10-11 18:00 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-10-11 18:00 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-10-11 18:00 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-10-11 18:00 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
    2012-10-11 18:00 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
    2012-10-11 18:00 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
    2012-10-11 18:00 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
    2012-10-11 17:57 - 2012-10-13 12:50 - 00000000 ___AD C:\Qoobox
    2012-10-11 17:57 - 2012-10-11 18:55 - 00000000 ____D C:\Windows\erdnt
    2012-10-11 17:55 - 2012-10-11 17:55 - 00185585 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\ars.cache
    2012-10-11 17:55 - 2012-10-11 17:55 - 00177288 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\census.cache
    2012-10-11 17:49 - 2012-06-05 03:37 - 00256904 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
    2012-10-11 17:47 - 2012-10-11 17:47 - 00000036 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
    2012-10-11 17:37 - 2012-10-12 15:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2012-10-11 17:29 - 2012-10-15 16:57 - 00001324 ____A C:\Windows\System32\d3d9caps.dat
    2012-10-11 17:28 - 2012-10-11 17:28 - 00000000 ___SD C:\Documents and Settings\Administrator\PrivacIE
    2012-10-11 17:28 - 2012-10-11 17:28 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
    2012-10-11 16:44 - 2012-10-11 16:44 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\DriverCure
    2012-10-11 16:40 - 2012-10-13 14:24 - 00000000 __SHD C:\Windows\CSC
    2012-10-11 14:54 - 2012-10-11 14:54 - 00049904 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-10-11 14:25 - 2012-10-11 14:43 - 00000168 ____A C:\Documents and Settings\All Users\Application Data\-1Nwbqw25s1wUfe
    2012-10-11 13:01 - 2012-10-11 13:05 - 54918643 ____A C:\10112012105.TRS
    2012-10-11 03:04 - 2012-10-11 03:04 - 00000000 ___DC C:\Windows\$NtUninstallKB2724197$
    2012-10-11 03:02 - 2012-10-11 03:02 - 00005445 ____A C:\Windows\KB2756822.log
    2012-10-11 03:02 - 2012-10-11 03:02 - 00000000 ___DC C:\Windows\$NtUninstallKB2756822$
    2012-10-11 03:01 - 2012-10-11 03:01 - 00000000 ___DC C:\Windows\$NtUninstallKB2749655$
    2012-10-11 03:01 - 2012-10-11 03:01 - 00000000 ___DC C:\Windows\$NtUninstallKB2661254-v2$
    2012-10-10 11:33 - 2012-10-11 03:04 - 00015523 ____A C:\Windows\KB2724197.log
    2012-10-10 11:33 - 2012-10-11 03:02 - 00014114 ____A C:\Windows\KB2749655.log
    2012-10-10 11:33 - 2012-10-11 03:01 - 00014130 ____A C:\Windows\KB2661254-v2.log
    2012-10-09 17:57 - 2012-10-09 17:58 - 76255232 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 09, 2012 05 56 PM).QBB
    2012-10-09 12:02 - 2012-10-09 12:06 - 54891187 ____A C:\100920121206.TRS
    2012-10-06 15:49 - 2012-10-06 15:52 - 54877801 ____A C:\10062012352.TRS
    2012-10-06 13:35 - 2012-10-06 13:38 - 54875054 ____A C:\10062012138.TRS
    2012-10-05 17:12 - 2012-10-05 17:16 - 54866090 ____A C:\10052012516.TRS
    2012-10-05 12:05 - 2012-10-05 12:09 - 54859695 ____A C:\100520121209.TRS
    2012-10-04 15:15 - 2012-10-04 17:38 - 54851988 ____A C:\10042012538.TRS
    2012-10-04 15:15 - 2012-10-04 15:18 - 54849685 ____A C:\10042012318.TRS
    2012-10-04 13:54 - 2012-10-04 13:55 - 75943936 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 04, 2012 01 53 PM).QBB
    2012-10-04 12:03 - 2012-10-26 22:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-10-02 14:07 - 2012-10-02 14:12 - 54824472 ____A C:\10022012212.TRS
    2012-09-29 18:06 - 2012-09-29 18:09 - 54927763 ____A C:\09292012609.TRS
    2012-09-29 17:11 - 2012-09-29 17:15 - 54927041 ____A C:\09292012515.TRS
    2012-09-28 15:40 - 2012-09-28 15:44 - 54905727 ____A C:\09282012344.TRS
    2012-09-27 12:20 - 2012-09-27 12:24 - 54884899 ____A C:\092720121224.TRS


    ==================== 3 Months Modified Files ==================

    2012-10-26 22:58 - 2006-11-11 12:07 - 01090362 ____A C:\Windows\WindowsUpdate.log
    2012-10-26 22:58 - 2006-11-11 10:59 - 00032708 ____A C:\Windows\SchedLgU.Txt
    2012-10-26 22:58 - 2006-11-11 10:59 - 00000278 __ASH C:\Documents and Settings\admin\ntuser.ini
    2012-10-26 22:58 - 2006-11-11 10:56 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-10-26 22:58 - 2006-11-11 02:49 - 00000216 ____A C:\Windows\wiadebug.log
    2012-10-26 22:58 - 2006-11-11 02:49 - 00000050 ____A C:\Windows\wiaservc.log
    2012-10-26 22:20 - 2012-10-04 12:03 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-10-26 22:13 - 2010-03-05 20:05 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-10-26 20:48 - 2009-08-21 18:40 - 00000422 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{73F1D1BF-C82D-4515-A120-A29A8B0BB121}.job
    2012-10-26 20:13 - 2010-03-05 20:05 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-10-26 17:21 - 2012-10-16 17:12 - 00000402 ____A C:\Windows\Tasks\ReclaimerUpdateXML_admin.job
    2012-10-26 17:12 - 2005-03-19 13:05 - 00001634 ____A C:\Windows\TRS.INI
    2012-10-26 13:45 - 2012-10-26 13:45 - 76279808 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 26, 2012 01 43 PM).QBB
    2012-10-26 13:09 - 2012-10-26 13:06 - 55101172 ____A C:\FRI.TRS
    2012-10-26 12:40 - 2012-01-05 14:29 - 00042496 ____A C:\Documents and Settings\admin\My Documents\money notes 2012.xls
    2012-10-26 12:38 - 2012-10-26 12:38 - 76292096 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 26, 2012 12 36 PM).QBB
    2012-10-26 12:38 - 2012-10-26 12:38 - 00042496 ____A C:\Documents and Settings\admin\My Documents\money notes 2012-1.xls
    2012-10-26 12:37 - 2012-10-26 12:37 - 00042496 ____A C:\Documents and Settings\admin\My Documents\money notes 2012 update.xls
    2012-10-26 12:22 - 2012-10-16 17:12 - 00000406 ____A C:\Windows\Tasks\ReclaimerUpdateFiles_admin.job
    2012-10-26 12:16 - 2012-10-26 12:12 - 55100350 ____A C:\102620121216.TRS
    2012-10-25 23:54 - 2012-10-16 10:32 - 00000384 ___AH C:\Windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    2012-10-25 19:24 - 2010-03-05 19:58 - 00000286 ____A C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-1767777339-725345543-1003.job
    2012-10-25 19:24 - 2010-03-05 19:58 - 00000278 ____A C:\Windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-1767777339-725345543-1003.job
    2012-10-25 19:23 - 2003-03-31 08:00 - 00012598 ____A C:\Windows\System32\wpa.dbl
    2012-10-25 19:19 - 2011-08-29 14:19 - 00117140 ____A C:\Windows\setupapi.log
    2012-10-25 19:03 - 2006-11-11 02:48 - 00572980 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-10-25 18:59 - 2012-10-16 17:12 - 00000412 ____A C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_admin.job
    2012-10-25 18:59 - 2009-10-06 14:09 - 00000236 ____A C:\Windows\Tasks\OGALogon.job
    2012-10-25 18:59 - 2006-11-11 10:59 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
    2012-10-25 18:59 - 2006-11-11 10:59 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
    2012-10-25 18:59 - 2006-11-11 10:59 - 00000062 __ASH C:\Documents and Settings\admin\Local Settings\desktop.ini
    2012-10-25 16:14 - 2012-10-25 16:10 - 55089896 ____A C:\10252012414.TRS
    2012-10-25 08:27 - 2010-07-23 13:00 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
    2012-10-23 19:38 - 2007-04-16 12:24 - 00533040 ____A C:\Documents and Settings\admin\My Documents\docs backup.nri
    2012-10-23 19:26 - 2011-12-06 21:23 - 00042487 ____A C:\Documents and Settings\admin\My Documents\ISO2_DVD.nri
    2012-10-23 14:56 - 2012-10-23 14:23 - 55063452 ____A C:\10232012256.TRS
    2012-10-23 14:27 - 2012-10-23 14:23 - 55063103 ____A C:\10232012227.TRS
    2012-10-23 12:38 - 2012-10-23 12:38 - 00041984 ____A C:\Documents and Settings\admin\My Documents\money notes 2012 2.xls
    2012-10-22 15:21 - 2012-10-22 12:26 - 55051886 ____A C:\10222012321.TRS
    2012-10-22 12:29 - 2012-10-22 12:26 - 55050287 ____A C:\102220121229.TRS
    2012-10-20 17:42 - 2012-10-20 14:35 - 55037694 ____A C:\10202012442.TRS
    2012-10-20 17:41 - 2012-10-20 17:41 - 76288000 ____N C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 20, 2012 05 39 PM).QBB
    2012-10-20 14:39 - 2012-10-20 14:35 - 55034721 ____A C:\10202012139.TRS
    2012-10-20 14:33 - 2012-10-20 14:22 - 55034054 ____A C:\10202012133.TRS
    2012-10-19 14:45 - 2012-10-19 14:42 - 55015306 ____A C:\10192012245.TRS
    2012-10-19 13:00 - 2003-03-31 08:00 - 00000668 ____A C:\Windows\win.ini
    2012-10-19 13:00 - 2003-03-31 08:00 - 00000227 ____A C:\Windows\system.ini
    2012-10-19 12:52 - 2012-10-19 12:52 - 76304384 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 19, 2012 12 50 PM).QBB
    2012-10-18 19:53 - 2009-11-06 18:40 - 00043375 ____A C:\Documents and Settings\admin\My Documents\ISO4_DVD.nri
    2012-10-18 19:50 - 2012-10-18 19:50 - 76292096 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 18, 2012 07 48 PM).QBB
    2012-10-18 18:15 - 2007-05-12 11:54 - 00048048 ____A C:\Documents and Settings\admin\Application Data\GDIPFONTCACHEV1.DAT
    2012-10-18 17:09 - 2012-10-18 17:04 - 55001990 ____A C:\10182012509.TRS
    2012-10-18 11:02 - 2006-11-11 02:47 - 00207894 ____A C:\Windows\setupact.log
    2012-10-18 10:10 - 2012-10-18 10:10 - 00002830 ____A C:\Documents and Settings\admin\Desktop\RKreport[1].txt
    2012-10-18 10:08 - 2012-10-18 10:08 - 01425920 ____A C:\Documents and Settings\admin\Desktop\RogueKiller.exe
    2012-10-18 03:03 - 2012-09-22 03:00 - 00029964 ____A C:\Windows\KB2744842-IE8.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 02710881 ____A C:\Windows\FaxSetup.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 01344004 ____A C:\Windows\ocgen.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 01253580 ____A C:\Windows\tsoc.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 01066284 ____A C:\Windows\iis6.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 00890799 ____A C:\Windows\comsetup.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 00543767 ____A C:\Windows\ntdtcsetup.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 00475136 ____A C:\Windows\netfxocm.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 00189380 ____A C:\Windows\MedCtrOC.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 00148556 ____A C:\Windows\ocmsn.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 00136895 ____A C:\Windows\msgsocm.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 00136021 ____A C:\Windows\tabletoc.log
    2012-10-18 03:03 - 2006-11-11 02:48 - 00001393 ____A C:\Windows\imsins.log
    2012-10-18 03:02 - 2011-06-18 03:00 - 00015677 ____A C:\Windows\KB2544521-IE8.log
    2012-10-18 03:02 - 2011-04-15 03:00 - 00015960 ____A C:\Windows\KB2510531-IE8.log
    2012-10-18 03:02 - 2006-11-12 03:24 - 00606914 ____A C:\Windows\updspapi.log
    2012-10-18 03:02 - 2006-11-11 02:48 - 00851646 ____A C:\Windows\msmqinst.log
    2012-10-18 03:02 - 2006-11-11 02:48 - 00001393 ____A C:\Windows\imsins.BAK
    2012-10-17 19:59 - 2006-11-11 11:20 - 00048048 ____A C:\Documents and Settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-10-17 19:56 - 2006-11-11 02:47 - 00195368 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-10-17 19:55 - 2006-11-11 11:18 - 00005778 ___AC C:\Windows\COM+.log
    2012-10-17 19:54 - 2012-10-17 17:06 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
    2012-10-17 19:48 - 2012-10-17 19:32 - 00005404 ____A C:\Windows\bitssetup.log
    2012-10-17 19:42 - 2012-10-17 19:42 - 00008844 ____A C:\Windows\System32\reset.log
    2012-10-17 19:38 - 2006-11-11 10:56 - 00023392 ____A C:\Windows\System32\nscompat.tlb
    2012-10-17 19:38 - 2006-11-11 10:56 - 00016832 ____A C:\Windows\System32\amcompat.tlb
    2012-10-17 19:32 - 2006-11-11 10:56 - 00000558 ___AC C:\Windows\Windows Update.log
    2012-10-17 16:54 - 2012-10-16 08:46 - 00000796 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-10-16 19:19 - 2012-10-16 19:19 - 00043062 ____A C:\Documents and Settings\admin\My Documents\UserImages.bmp
    2012-10-16 19:19 - 2012-10-16 19:18 - 55378076 ____A C:\Documents and Settings\admin\My Documents\Tuesdays Backups.nrg
    2012-10-16 18:40 - 2012-10-16 18:40 - 76283904 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 16, 2012 06 38 PM).QBB
    2012-10-16 17:15 - 2012-10-16 17:13 - 00034816 ____A C:\Documents and Settings\admin\My Documents\Erikson's Adjusted Statement Oct 10 2012.xls
    2012-10-16 13:54 - 2007-02-23 22:06 - 00016815 ____A C:\Windows\cdplayer.ini
    2012-10-16 13:50 - 2010-11-23 13:08 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
    2012-10-16 13:50 - 2010-11-23 13:08 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
    2012-10-16 13:50 - 2007-02-19 20:43 - 00278528 ____A (Real Networks, Inc) C:\Windows\System32\pncrt.dll
    2012-10-16 13:47 - 2012-10-16 13:36 - 54980182 ____A C:\10162012147.TRS
    2012-10-16 10:22 - 2011-01-28 15:47 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-10-16 08:05 - 2009-11-06 13:51 - 00047500 ____A C:\Documents and Settings\admin\My Documents\ISO1_DVD.nri
    2012-10-15 19:38 - 2012-10-15 19:34 - 54978149 ____A C:\10152012738.TRS
    2012-10-15 19:09 - 2012-10-15 19:09 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-10-15 19:09 - 2012-10-15 19:09 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-10-15 19:09 - 2012-10-15 19:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-10-15 19:09 - 2012-10-15 19:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-10-15 19:09 - 2010-11-01 16:52 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-10-15 19:09 - 2007-06-18 08:59 - 00073728 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javacpl.cpl
    2012-10-15 17:24 - 2006-11-12 03:21 - 00142871 ___AC C:\Windows\spupdsvc.log
    2012-10-15 17:22 - 2009-05-29 18:45 - 00309698 ____A C:\Windows\ie8_main.log
    2012-10-15 17:19 - 2009-05-29 18:47 - 00301581 ____A C:\Windows\ie8.log
    2012-10-15 16:57 - 2012-10-11 17:29 - 00001324 ____A C:\Windows\System32\d3d9caps.dat
    2012-10-15 16:56 - 2009-08-21 18:22 - 00130385 ____A C:\Windows\ie8Uninst.log
    2012-10-15 14:46 - 2012-10-15 14:43 - 54970023 ____A C:\10152012246.TRS
    2012-10-15 13:22 - 2012-10-15 13:22 - 00304128 ____A () C:\Windows\msisear.exe
    2012-10-15 12:22 - 2012-10-15 12:22 - 76288000 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 15, 2012 12 21 PM).QBB
    2012-10-13 18:22 - 2003-03-31 08:00 - 00000019 ____A C:\Windows\System32\Drivers\etc\hosts_bak_127
    2012-10-13 14:24 - 2010-04-29 12:43 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
    2012-10-13 09:13 - 2010-03-05 19:55 - 00001825 ____A C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
    2012-10-12 21:39 - 2010-04-29 12:43 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
    2012-10-12 16:26 - 2012-10-12 16:26 - 00308224 ____A () C:\Windows\msisear.ex
    2012-10-12 14:44 - 2012-10-12 14:44 - 00098304 ____A C:\Windows\Minidump\Mini101212-01.dmp
    2012-10-12 14:08 - 2012-10-12 14:05 - 54932826 ____A C:\10122012208.TRS
    2012-10-12 13:29 - 2012-10-12 13:29 - 00011419 ____A C:\Documents and Settings\admin\hs_err_pid4048.log
    2012-10-11 18:12 - 2006-11-11 02:46 - 00000327 _RASH C:\boot.ini
    2012-10-11 17:55 - 2012-10-11 17:55 - 00185585 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\ars.cache
    2012-10-11 17:55 - 2012-10-11 17:55 - 00177288 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\census.cache
    2012-10-11 17:47 - 2012-10-11 17:47 - 00000036 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
    2012-10-11 16:48 - 2012-03-20 17:07 - 00001188 ____A C:\Documents and Settings\admin\Desktop\Shortcut to LEFT-HANDED AM STD STRAT.jpg.lnk
    2012-10-11 16:48 - 2009-02-07 13:18 - 00001558 ____A C:\Documents and Settings\admin\Desktop\Price Lists.lnk
    2012-10-11 14:54 - 2012-10-11 14:54 - 00049904 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-10-11 14:43 - 2012-10-11 14:25 - 00000168 ____A C:\Documents and Settings\All Users\Application Data\-1Nwbqw25s1wUfe
    2012-10-11 14:33 - 2006-11-11 12:03 - 00524288 ____A C:\Windows\System32\config\ACEEvent.evt
    2012-10-11 13:05 - 2012-10-11 13:01 - 54918643 ____A C:\10112012105.TRS
    2012-10-11 03:04 - 2012-10-10 11:33 - 00015523 ____A C:\Windows\KB2724197.log
    2012-10-11 03:02 - 2012-10-11 03:02 - 00005445 ____A C:\Windows\KB2756822.log
    2012-10-11 03:02 - 2012-10-10 11:33 - 00014114 ____A C:\Windows\KB2749655.log
    2012-10-11 03:02 - 2007-02-18 04:02 - 00875290 ____A C:\Windows\System32\TZLog.log
    2012-10-11 03:01 - 2012-10-10 11:33 - 00014130 ____A C:\Windows\KB2661254-v2.log
    2012-10-09 17:58 - 2012-10-09 17:57 - 76255232 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 09, 2012 05 56 PM).QBB
    2012-10-09 12:06 - 2012-10-09 12:02 - 54891187 ____A C:\100920121206.TRS
    2012-10-08 18:20 - 2012-04-12 12:13 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-10-08 18:20 - 2011-05-17 17:41 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-10-06 15:52 - 2012-10-06 15:49 - 54877801 ____A C:\10062012352.TRS
    2012-10-06 13:38 - 2012-10-06 13:35 - 54875054 ____A C:\10062012138.TRS
    2012-10-05 17:16 - 2012-10-05 17:12 - 54866090 ____A C:\10052012516.TRS
    2012-10-05 12:09 - 2012-10-05 12:05 - 54859695 ____A C:\100520121209.TRS
    2012-10-04 17:38 - 2012-10-04 15:15 - 54851988 ____A C:\10042012538.TRS
    2012-10-04 15:18 - 2012-10-04 15:15 - 54849685 ____A C:\10042012318.TRS
    2012-10-04 13:55 - 2012-10-04 13:54 - 75943936 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Oct 04, 2012 01 53 PM).QBB
    2012-10-02 14:12 - 2012-10-02 14:07 - 54824472 ____A C:\10022012212.TRS
    2012-09-29 19:01 - 2011-12-31 19:13 - 00029021 ____A C:\Documents and Settings\admin\My Documents\ISOmonth_DVD.nri
    2012-09-29 18:36 - 2011-12-03 19:20 - 00023683 ____A C:\Documents and Settings\admin\My Documents\ISO6_DVD.nri
    2012-09-29 18:17 - 2006-11-12 03:12 - 00076284 ____A C:\Windows\wmsetup.log
    2012-09-29 18:09 - 2012-09-29 18:06 - 54927763 ____A C:\09292012609.TRS
    2012-09-29 17:15 - 2012-09-29 17:11 - 54927041 ____A C:\09292012515.TRS
    2012-09-28 15:44 - 2012-09-28 15:40 - 54905727 ____A C:\09282012344.TRS
    2012-09-28 00:32 - 2006-11-12 03:25 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-09-27 12:24 - 2012-09-27 12:20 - 54884899 ____A C:\092720121224.TRS
    2012-09-26 19:29 - 2011-12-22 11:20 - 00041934 ____A C:\Documents and Settings\admin\My Documents\ISO3_DVD.nri
    2012-09-26 13:00 - 2012-09-26 13:00 - 00164411 ____A C:\Documents and Settings\admin\My Documents\Gretsch August 2012 Electromatic Order form v2.xlsx
    2012-09-26 12:23 - 2012-09-26 12:19 - 54872478 ____A C:\092620121223.TRS
    2012-09-25 17:18 - 2012-09-25 17:18 - 75550720 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Sep 25, 2012 05 16 PM).QBB
    2012-09-25 16:33 - 2012-09-25 16:30 - 54863876 ____A C:\09252012433.TRS
    2012-09-22 16:05 - 2012-09-22 14:00 - 54834395 ____A C:\09222012405.TRS
    2012-09-22 14:04 - 2012-09-22 14:00 - 52617968 ____A C:\09222012204.TRS
    2012-09-21 13:47 - 2012-09-21 13:43 - 54818045 ____A C:\09212012147.TRS
    2012-09-21 12:31 - 2012-09-21 12:31 - 75550720 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Sep 21, 2012 12 29 PM).QBB
    2012-09-20 16:52 - 2012-09-20 16:47 - 54808027 ____A C:\09202012452.TRS
    2012-09-19 16:29 - 2012-09-19 16:25 - 54793391 ____A C:\09192012429.TRS
    2012-09-19 16:21 - 2012-06-22 14:23 - 00032477 ____A C:\Documents and Settings\admin\My Documents\Fender Sonic Boom Order Form 2012.xlsx
    2012-09-18 11:35 - 2012-09-18 11:31 - 54776915 ____A C:\091820121135.TRS
    2012-09-18 10:38 - 2012-09-18 10:38 - 00759960 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2012-09-15 15:26 - 2012-09-15 15:23 - 54748413 ____A C:\09152012326.TRS
    2012-09-14 17:05 - 2012-09-14 17:01 - 54727697 ____A C:\09142012505.TRS
    2012-09-13 16:59 - 2012-09-13 12:44 - 54714282 ____A C:\09132012459.TRS
    2012-09-13 14:18 - 2006-11-28 17:26 - 00055296 ____A C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-09-13 13:40 - 2012-09-13 13:40 - 75534336 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Sep 13, 2012 01 38 PM).QBB
    2012-09-13 12:48 - 2012-09-13 12:44 - 54712438 ____A C:\091320121248.TRS
    2012-09-13 03:03 - 2012-09-13 03:02 - 00010268 ____A C:\Windows\KB2736233.log
    2012-09-11 15:09 - 2012-06-22 14:21 - 00037290 ____A C:\Documents and Settings\admin\My Documents\Fender Sonic Boom Rebate Tracker 2012.xlsx
    2012-09-11 13:26 - 2012-09-11 13:19 - 54687113 ____A C:\09112012126.TRS
    2012-09-11 08:34 - 2007-01-29 04:58 - 00046080 ____A (Microsoft Corporation) C:\Windows\System32\tzchange.exe
    2012-09-10 18:52 - 2012-09-10 18:49 - 54674914 ____A C:\09102012652.TRS
    2012-09-10 15:24 - 2012-09-10 15:24 - 00054784 ____A C:\Documents and Settings\admin\My Documents\Erikson's Adjusted Statement Sep 5 2012.xls
    2012-09-10 14:11 - 2012-09-10 14:07 - 54672926 ____A C:\09102012211.TRS
    2012-09-07 14:23 - 2012-09-07 14:22 - 75538432 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Sep 07, 2012 02 21 PM).QBB
    2012-09-07 10:40 - 2012-09-07 10:36 - 54635092 ____A C:\090720121040.TRS
    2012-09-07 10:19 - 2010-03-08 20:14 - 00000426 ____A C:\Windows\BRWMARK.INI
    2012-09-05 06:32 - 2012-09-05 06:18 - 00000077 ____A C:\Documents and Settings\admin\Application Data\Rim.Transcoder.Exception.log
    2012-09-05 06:32 - 2012-05-22 18:23 - 00005625 ____A C:\Documents and Settings\admin\Application Data\Rim.Desktop.Exception.log
    2012-09-05 06:32 - 2012-05-22 18:23 - 00000462 ____A C:\Documents and Settings\admin\Application Data\Rim.DesktopHelper.Exception.log
    2012-09-05 06:14 - 2012-05-22 18:22 - 00002161 ____A C:\Documents and Settings\admin\Application Data\Rim.Desktop.HttpServerSetup.log
    2012-09-03 11:31 - 2012-09-03 11:27 - 54591893 ____A C:\090320121131.TRS
    2012-08-31 15:00 - 2012-08-31 15:00 - 74977280 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Aug 31, 2012 02 58 PM).QBB
    2012-08-31 12:54 - 2012-08-31 12:48 - 54788670 ____A C:\083120121254.TRS
    2012-08-30 22:03 - 2012-08-30 22:03 - 00193552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-08-30 12:32 - 2012-08-30 12:28 - 54774517 ____A C:\083020121232.TRS
    2012-08-28 20:44 - 2007-05-09 05:08 - 11111424 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ieframe.dll
    2012-08-28 20:44 - 2006-11-07 22:03 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-08-28 11:49 - 2012-08-28 11:45 - 54746309 ____A C:\082820121149.TRS
    2012-08-28 11:14 - 2012-06-12 22:40 - 00521728 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\jsdbgui.dll
    2012-08-28 11:14 - 2010-06-10 18:48 - 00743424 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\iedvtool.dll
    2012-08-28 11:14 - 2009-06-10 15:32 - 00247808 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ieproxy.dll
    2012-08-28 11:14 - 2009-06-10 15:32 - 00012800 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\xpshims.dll
    2012-08-28 11:14 - 2007-05-09 05:08 - 02000384 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\iertutil.dll
    2012-08-28 11:14 - 2007-05-09 05:08 - 00630272 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msfeeds.dll
    2012-08-28 11:14 - 2007-05-09 05:08 - 00055296 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msfeedsbs.dll
    2012-08-28 11:14 - 2006-11-07 22:03 - 00630272 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-08-28 11:14 - 2006-11-07 22:03 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
    2012-08-28 11:14 - 2006-10-17 12:57 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 06008832 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 06008832 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 01469440 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\inetcpl.cpl
    2012-08-28 11:14 - 2003-03-31 08:00 - 01469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-08-28 11:14 - 2003-03-31 08:00 - 01212416 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\urlmon.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00916992 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wininet.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00611840 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mstime.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00387584 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\iedkcs32.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00206848 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\occache.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00184320 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\iepeers.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00105984 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\url.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00067072 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\mshtmled.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00043520 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\licmgr10.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00025600 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\jsproxy.dll
    2012-08-28 11:14 - 2003-03-31 08:00 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-08-28 08:07 - 2006-11-12 03:11 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
    2012-08-28 08:07 - 2003-03-31 08:00 - 00174080 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ie4uinit.exe
    2012-08-28 08:07 - 2003-03-31 08:00 - 00174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2012-08-27 14:44 - 2012-08-27 14:44 - 74895360 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Aug 27, 2012 02 42 PM).QBB
    2012-08-27 12:21 - 2012-08-27 12:17 - 54732212 ____A C:\082720121221.TRS
    2012-08-25 15:44 - 2012-08-25 15:41 - 54721803 ____A C:\08252012344.TRS
    2012-08-25 14:03 - 2006-11-28 17:26 - 00000116 ____A C:\Windows\NeroDigital.ini
    2012-08-25 13:52 - 2010-03-26 21:52 - 00018111 ____A C:\Documents and Settings\admin\My Documents\ISO5_DVD.nri
    2012-08-24 14:22 - 2012-08-24 14:19 - 54701243 ____A C:\08242012222.TRS
    2012-08-24 13:51 - 2012-08-24 13:51 - 00080384 ____A C:\Documents and Settings\admin\My Documents\JCM900106947.xls
    2012-08-24 12:16 - 2012-08-24 12:12 - 54698085 ____A C:\082420121216.TRS
    2012-08-24 09:53 - 2003-03-31 08:00 - 00177664 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wintrust.dll
    2012-08-24 09:53 - 2003-03-31 08:00 - 00177664 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
    2012-08-23 13:59 - 2012-08-23 13:58 - 75010048 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Aug 23, 2012 01 56 PM).QBB
    2012-08-23 13:46 - 2012-08-23 13:43 - 54688615 ____A C:\08232012146.TRS
    2012-08-22 11:38 - 2012-08-22 11:35 - 54676331 ____A C:\082220121139.TRS
    2012-08-21 13:01 - 2012-10-16 13:39 - 00026840 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
    2012-08-21 13:01 - 2012-08-21 13:01 - 00106928 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
    2012-08-21 12:42 - 2012-08-21 12:39 - 54659536 ____A C:\082120121242.TRS
    2012-08-21 09:33 - 2003-03-31 08:00 - 02148864 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlmp.exe
    2012-08-21 09:33 - 2003-03-31 08:00 - 02148864 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-08-21 09:29 - 2008-10-15 07:52 - 02192896 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ntoskrnl.exe
    2012-08-21 08:58 - 2008-10-15 07:51 - 02069632 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrnlpa.exe
    2012-08-21 08:58 - 2002-08-28 21:04 - 02027520 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\ntkrpamp.exe
    2012-08-21 08:58 - 2002-08-28 21:04 - 02027520 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
    2012-08-20 15:52 - 2012-08-20 11:47 - 54648145 ____A C:\08202012352.TRS
    2012-08-20 11:51 - 2012-08-20 11:47 - 54646045 ____A C:\082020121151.TRS
    2012-08-18 17:09 - 2012-08-18 17:05 - 54632715 ____A C:\08182012509.TRS
    2012-08-18 11:04 - 2012-08-18 11:04 - 74858496 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Aug 18, 2012 11 02 AM).QBB
    2012-08-18 10:59 - 2012-08-18 10:55 - 54625955 ____A C:\081820121059.TRS
    2012-08-17 15:24 - 2012-08-17 15:21 - 54607444 ____A C:\08172012324.TRS
    2012-08-17 14:26 - 2012-08-17 13:22 - 54606297 ____A C:\08172012226.TRS
    2012-08-17 13:26 - 2012-08-17 13:22 - 54604156 ____A C:\08172012126.TRS
    2012-08-16 17:12 - 2012-08-16 17:08 - 54590519 ____A C:\08162012512.TRS
    2012-08-16 12:49 - 2012-08-16 12:48 - 74719232 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Aug 16, 2012 12 46 PM).QBB
    2012-08-16 12:09 - 2012-08-16 12:05 - 54586287 ____A C:\081620121209.TRS
    2012-08-15 03:04 - 2012-08-15 03:04 - 00012726 ____A C:\Windows\KB2731847.log
    2012-08-15 03:04 - 2012-08-14 20:46 - 00017637 ____A C:\Windows\KB2712808.log
    2012-08-15 03:02 - 2012-08-15 03:02 - 00011346 ____A C:\Windows\KB2723135.log
    2012-08-15 03:02 - 2012-08-15 03:00 - 00015783 ____A C:\Windows\KB2722913-IE8.log
    2012-08-15 03:02 - 2012-08-14 20:45 - 00017242 ____A C:\Windows\KB2705219.log
    2012-08-14 17:37 - 2012-08-14 10:32 - 54558930 ____A C:\08142012537.TRS
    2012-08-14 10:37 - 2012-08-14 10:32 - 54553200 ____A C:\081420121037.TRS
    2012-08-13 15:39 - 2012-08-13 15:12 - 54542059 ____A C:\08132012339.TRS
    2012-08-13 15:16 - 2012-08-13 15:12 - 54541863 ____A C:\08132012316.TRS
    2012-08-11 12:19 - 2012-08-11 12:17 - 54529171 ____A C:\081120121219.TRS
    2012-08-10 17:15 - 2012-08-10 17:12 - 54517194 ____A C:\08102012515.TRS
    2012-08-10 13:12 - 2012-08-10 13:08 - 54513450 ____A C:\08102012112.TRS
    2012-08-09 14:14 - 2012-08-09 14:10 - 54497530 ____A C:\08092012214.TRS
    2012-08-07 18:46 - 2012-08-07 18:46 - 74694656 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Aug 07, 2012 06 44 PM).QBB
    2012-08-07 17:44 - 2012-08-07 17:41 - 54470606 ____A C:\08072012544.TRS
    2012-08-07 14:18 - 2012-08-07 14:14 - 54467857 ____A C:\08072012218.TRS
    2012-08-04 13:23 - 2012-08-04 12:12 - 54454234 ____A C:\08042012123.TRS
    2012-08-04 12:16 - 2012-08-04 12:12 - 54453870 ____A C:\080420121216.TRS
    2012-08-03 13:23 - 2012-08-03 13:14 - 54437462 ____A C:\08032012123.TRS
    2012-08-02 18:57 - 2012-08-02 18:54 - 54434428 ____A C:\08022012657.TRS
    2012-07-31 18:36 - 2012-07-31 18:36 - 74694656 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Jul 31, 2012 06 34 PM).QBB
    2012-07-31 13:24 - 2012-07-31 13:21 - 54556757 ____A C:\07312012124.TRS
    2012-07-30 18:34 - 2012-07-30 18:34 - 74690560 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Jul 30, 2012 06 32 PM).QBB
    2012-07-30 18:32 - 2012-07-30 18:32 - 00080896 ____A C:\Documents and Settings\admin\My Documents\Trial Balance HST Apr 1 - Jun 30 2012.xls
    2012-07-30 17:30 - 2012-07-30 17:30 - 00072704 ____A C:\Documents and Settings\admin\My Documents\Preliminary Trial Balance.xls
    2012-07-30 13:15 - 2012-07-30 11:36 - 54544849 ____A C:\07302012115.TRS
    2012-07-30 11:45 - 2012-07-30 11:44 - 74649600 ____A C:\Documents and Settings\admin\My Documents\Picker's Alley (Backup Jul 30, 2012 11 43 AM).QBB

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
  16. itLEAKED

    itLEAKED TS Rookie Topic Starter

    ==================== Restore Points (XP) =====================
    RP: -> 2012-10-16 10:07 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP9
    RP: -> 2012-10-16 10:06 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP8
    RP: -> 2012-10-15 19:10 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP7
    RP: -> 2012-10-15 19:09 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP6
    RP: -> 2012-10-15 19:08 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP5
    RP: -> 2012-10-15 17:18 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP4
    RP: -> 2012-10-26 19:10 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP35
    RP: -> 2012-10-25 23:54 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP34
    RP: -> 2012-10-25 19:24 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP33
    RP: -> 2012-10-25 17:27 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP32
    RP: -> 2012-10-25 00:21 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP31
    RP: -> 2012-10-24 17:27 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP30
    RP: -> 2012-10-15 14:57 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP3
    RP: -> 2012-10-24 00:21 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP29
    RP: -> 2012-10-23 17:32 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP28
    RP: -> 2012-10-23 00:02 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP27
    RP: -> 2012-10-22 22:06 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP26
    RP: -> 2012-10-22 00:01 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP25
    RP: -> 2012-10-21 22:06 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP24
    RP: -> 2012-10-21 00:01 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP23
    RP: -> 2012-10-20 00:02 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP22
    RP: -> 2012-10-18 23:41 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP21
    RP: -> 2012-10-18 13:23 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP20
    RP: -> 2012-10-15 13:55 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP2
    RP: -> 2012-10-18 10:27 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP19
    RP: -> 2012-10-18 03:00 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP18
    RP: -> 2012-10-18 00:21 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP17
    RP: -> 2012-10-17 20:08 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP16
    RP: -> 2012-10-17 19:11 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP15
    RP: -> 2012-10-17 14:49 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP14
    RP: -> 2012-10-16 13:37 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP13
    RP: -> 2012-10-16 13:31 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP12
    RP: -> 2012-10-16 10:11 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP11
    RP: -> 2012-10-16 10:10 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP10
    RP: -> 2012-10-15 12:41 - 028672 _restore{3544E2E3-4771-484B-9645-401B1CCB7178}\RP1
    ==================== Memory info ===========================
    Percentage of memory in use: 13%
    Total physical RAM: 2047.11 MB
    Available physical RAM: 1763.38 MB
    Total Pagefile: 1877.75 MB
    Available Pagefile: 1810.53 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2002.54 MB
    ==================== Partitions =============================
    2 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    3 Drive c: (Your C Drive) (Fixed) (Total:232.88 GB) (Free:142.81 GB) NTFS ==>[Drive with boot components (Windows XP)]
    4 Drive d: (FreeAgent Drive) (Fixed) (Total:931.51 GB) (Free:665.42 GB) NTFS
    5 Drive e: (WP) (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
    8 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online       932 GB      0 B
    Disk 4    Online       233 GB      0 B
    Partitions of Disk 0:
    ===============
    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary            932 GB    32 KB
    =========================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   D   FreeAgent D  NTFS   Partition    932 GB  Healthy
    =========================================================
    Partitions of Disk 4:
    ===============
    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary            233 GB    32 KB
    Partition 2    Unknown             10 MB   233 GB
    =========================================================
    Disk: 4
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 5   C   Your C Driv  NTFS   Partition    233 GB  Healthy
    =========================================================
    Disk: 4
    Partition 2
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes
    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 6                           Partition     10 MB  Healthy
    =========================================================
    ==================== End Of Log ============================
  17. itLEAKED

    itLEAKED TS Rookie Topic Starter

    Farbar Recovery Scan Tool (x86) Version: 15-10-2012
    Ran by SYSTEM at 2012-10-27 00:11:58
    Running from E:\
    ================== Search: "services.exe" ===================
    C:\WINDOWS\system32\services.exe
    [2003-03-31 08:00] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315
    C:\WINDOWS\system32\dllcache\services.exe
    [2003-03-31 08:00] - [2009-02-06 07:11] - 0110592 ___AC (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315
    C:\WINDOWS\ServicePackFiles\i386\services.exe
    [2006-11-12 03:10] - [2008-04-13 20:12] - 0108544 ___AC (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185
    C:\WINDOWS\erdnt\cache\services.exe
    [2012-10-11 18:55] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315
    C:\WINDOWS\$NtUninstallKB956572$\services.exe
    [2009-04-17 03:03] - [2008-04-13 20:12] - 0108544 ___AC (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185
    C:\WINDOWS\$NtServicePackUninstall$\services.exe
    [2008-07-11 21:28] - [2004-08-04 04:56] - 0108032 ___AC (Microsoft Corporation) c6ce6eec82f187615d1002bb3bb50ed4
    C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
    [2009-04-16 19:11] - [2009-02-06 07:06] - 0110592 ____A (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6
    === End Of Search ===
  18. itLEAKED

    itLEAKED TS Rookie Topic Starter

    That is all the info that was in those 2 logs.
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  20. itLEAKED

    itLEAKED TS Rookie Topic Starter

    Just to clarify. System Recovery Options will be available with or without the XP disc?
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You have to be in OTLPE in order to start FRST and run the disc. ;)
  22. itLEAKED

    itLEAKED TS Rookie Topic Starter

    So boot up like I did to do the FRST scan the first time?
    Or am I doing something different this time?
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Same as before. :)
  24. itLEAKED

    itLEAKED TS Rookie Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 15-10-2012
    Ran by SYSTEM at 2012-10-31 22:29:59 Run:1
    Running from E:\

    ==============================================

    cqgbqjuu service deleted successfully.
    cqhzefuw service deleted successfully.
    MFE_RR service deleted successfully.

    ==== End of Fixlog ====
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good. Is it able to operate stably in Normal Mode or Safe Mode?