Stubborn infection

Inactive
By Michael King
Jul 23, 2012
  1. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Actually, let's try this tool...as we can run FRST from it:

    • Download OTLPENet.exe to your desktop
    • Download Farbar Recovery Scan Tool and save it to a flash drive.
    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
    • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
    • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
    • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
    • Insert the flash drive with FRST on it
    • Locate the flash drive and run FRST
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  2. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Sorry for the delay, I've been working long hours and haven't had time to work on it.

    While running REAToGo, I was able to run aswMBR which I was not able to previously. Here is the log for that.

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-01 11:03:14
    -----------------------------
    11:03:14.265 OS Version: Windows 5.1.2600
    11:03:14.265 Number of processors: 1 586 0x402
    11:03:14.265 ComputerName: REATOGO UserName: SYSTEM
    11:03:15.671 Initialze error 0
    11:03:30.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-8
    11:03:30.453 Disk 0 Vendor: Hitachi_HDP725050GLA360 GM4OA5CA Size: 476938MB BusType: 3
    11:03:30.453 Disk 0 MBR read successfully
    11:03:30.468 Disk 0 MBR scan
    11:03:30.468 Disk 0 Windows VISTA default MBR code
    11:03:30.484 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 476936 MB offset 2048
    11:03:30.515 Disk 0 Partition 2 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 976766976
    11:03:30.531 Disk 0 Partition 2 **SUSPICIOUS**
    11:03:30.531 Disk 0 scanning sectors +976771039
    11:03:30.562 Disk 0 scanning X:\i386\system32\drivers
    11:03:30.562 Service scanning
    11:03:31.828 Modules scanning
    11:03:32.031 Disk 0 trace - called modules:
    11:03:32.046 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys halaacpi.dll atapi.sys amdide1.SY_ PCIIDEX.SYS
    11:03:33.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b2696a0]
    11:03:33.890 3 CLASSPNP.SYS[f74e805b] -> nt!IofCallDriver -> \Device\0000004e[0x8b36b9e8]
    11:03:33.968 5 acpi.sys[f73b3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-8[0x8b2b3940]
    11:03:34.046 Scan finished successfully
    11:05:03.296 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
    11:05:03.359 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"
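    The interesting line in the aswMBR log above is Partition 2: a 1 MB partition of hidden-NTFS type 0x17 that carries the active (0x80) flag and sits in the last 2048 sectors of the disk, immediately after the Windows volume. The MBR boot code itself was reported as standard Vista code, so it is the partition table, not the boot sector, that aswMBR marked **SUSPICIOUS**. A tiny hidden active partition placed past the end of the real volume is the layout bootkits use to keep their own code outside the Windows file system, although the log alone does not identify what, if anything, is stored there. The script below is an added example, not code from the original thread and not aswMBR's or FRST's own logic (their heuristics are not reproduced here). It parses a 512-byte MBR dump such as the MBR.dat aswMBR saved to the desktop and applies the checks a practitioner would make by hand. The sample MBR is constructed from only the partition values printed in the log (boot code zeroed), the disk size is taken from the Vendor line, and the 16 MB thresholds are assumptions.

```python
"""Parse a 512-byte MBR dump and flag partition-table entries that look like a
hidden bootkit partition: tiny, hidden type, active flag, parked at disk end.

Added example; not aswMBR's or FRST's own code. Sample data is constructed from
the partition values in the aswMBR log above, with the boot-code area zeroed."""
import struct

SECTOR_BYTES = 512
MB_SECTORS = 1024 * 1024 // SECTOR_BYTES          # 2048 sectors per MiB
# Type IDs DOS/Windows treat as "hidden" (FAT/NTFS types with the 0x10 bit set).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
TINY_ACTIVE_MB = 16   # assumed threshold: an active partition this small is odd
TAIL_MB = 16          # assumed threshold for "starts at the very end of the disk"


def pack_entry(active, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; CHS fields zeroed (LBA disks ignore them)."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def parse_mbr(blob):
    """Return the non-empty entries of a 512-byte MBR as dicts (LBA units)."""
    if len(blob) != SECTOR_BYTES:
        raise ValueError("MBR dump must be exactly 512 bytes")
    if blob[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = blob[446 + 16 * i: 446 + 16 * (i + 1)]
        flag, _chs0, ptype, _chs1, start, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0x00:                      # empty slot
            continue
        entries.append({"index": i + 1, "active": flag == 0x80, "type": ptype,
                        "start": start, "sectors": count, "mb": count // MB_SECTORS})
    return entries


def find_suspicious(entries, disk_sectors):
    """Apply the hand checks: hidden+active, tiny+active, tail placement,
    overflow past the disk, overlapping entries, more than one active flag."""
    findings = []
    active = [e for e in entries if e["active"]]
    for e in entries:
        reasons = []
        end = e["start"] + e["sectors"]
        if e["active"] and e["type"] in HIDDEN_TYPES:
            reasons.append("active flag on hidden-type partition 0x%02X" % e["type"])
        if e["active"] and e["mb"] < TINY_ACTIVE_MB:
            reasons.append("active partition is only %d MB" % e["mb"])
        if disk_sectors - e["start"] <= TAIL_MB * MB_SECTORS:
            reasons.append("starts within the last %d MB of the disk" % TAIL_MB)
        if end > disk_sectors:
            reasons.append("extends past end of disk")
        for other in entries:
            if other is not e and e["start"] < other["start"] + other["sectors"] \
                    and other["start"] < end:
                reasons.append("overlaps partition %d" % other["index"])
        if e["active"] and len(active) > 1:
            reasons.append("one of %d active partitions" % len(active))
        if reasons:
            findings.append({"index": e["index"], "reasons": reasons})
    return findings


# Constructed sample: the two entries aswMBR printed, on a 476938 MB disk.
DISK_SECTORS = 476938 * MB_SECTORS                          # 976,769,024
_table = (pack_entry(False, 0x07, 2048, 476936 * MB_SECTORS)   # Windows volume
          + pack_entry(True, 0x17, 976766976, 1 * MB_SECTORS)  # the flagged one
          + bytes(32))                                         # two empty slots
SAMPLE_MBR = bytes(446) + _table + b"\x55\xAA"


def report(blob=SAMPLE_MBR, disk_sectors=DISK_SECTORS):
    """Print an aswMBR-style listing and return the findings."""
    entries = parse_mbr(blob)
    findings = find_suspicious(entries, disk_sectors)
    for e in entries:
        print("Partition %d %s type 0x%02X %d MB offset %d" % (
            e["index"], "80 (A)" if e["active"] else "00", e["type"], e["mb"], e["start"]))
    for f in findings:
        print("Partition %d **SUSPICIOUS**: %s" % (f["index"], "; ".join(f["reasons"])))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:      # python mbrcheck.py MBR.dat <disk size in sectors>
        with open(sys.argv[1], "rb") as fh:
            report(fh.read(), int(sys.argv[2]))
    else:
        report()
```

    Run with no arguments it reproduces the log's layout and flags only Partition 2, for three reasons at once (hidden type with the active flag, 1 MB in size, parked in the last 16 MB of the disk). To check a real dump, pass the saved MBR.dat and the disk's size in sectors; the size is needed because "ends exactly at the last sector" is what distinguishes a parked hidden partition from an ordinary small system partition, which a disk vendor or installer normally places at the front. The parser only reads the four primary entries; it does not walk extended partitions or GPT, and a clean partition table does not rule out boot-code tampering, which is why aswMBR also checks the MBR code against known-good patterns.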
  3. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 01-08-2012 13:42:23
    Running from E:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [6962208 2008-12-26] (Realtek Semiconductor)
    HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2008-12-26] (Realtek Semiconductor Corp.)
    HKU\Administrator\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2012-04-17] (Valve Corporation)
    HKU\Administrator\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Administrator\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\Administrator\Start Menu\Programs\Startup\aasswwmMbBrR.exe (AVAST Software)
    Startup: C:\Users\Administrator\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
    Startup: C:\Users\Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

    ================================ Services (Whitelisted) ==================

    2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [63928 2012-01-03] (Adobe Systems Incorporated)
    3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [250056 2012-07-26] (Adobe Systems Incorporated)
    2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [361984 2012-07-04] (Advanced Micro Devices, Inc.)
    2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [86224 2012-05-08] (Avira Operations GmbH & Co. KG)
    2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [110032 2012-05-08] (Avira Operations GmbH & Co. KG)
    4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-03-30] (Microsoft Corporation)
    2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [138576 2010-03-18] (Microsoft Corporation)
    2 DAZContentManagementService; "C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe" [22528 2011-05-05] ()
    2 ES lite Service; "C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE" [68136 2008-12-24] ()
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [27648 2008-01-20] (Microsoft Corporation)
    3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42840 2009-02-18] (Microsoft Corporation)
    2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [136176 2012-05-25] (Google Inc.)
    3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [136176 2012-05-25] (Google Inc.)
    3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [217088 2007-11-06] (Hewlett-Packard Co.)
    2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [139264 2007-11-06] (Hewlett-Packard Co.)
    3 idsvc; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe" [857432 2009-02-18] (Microsoft Corporation)
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [64856 2009-02-26] (Microsoft Corporation)
    2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [223088 2011-04-26] ()
    3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [113120 2012-07-19] (Mozilla Foundation)
    4 NetTcpPortSharing; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [117592 2009-02-18] (Microsoft Corporation)
    3 odserv; "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [440696 2011-07-20] (Microsoft Corporation)
    3 ose; "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [145184 2006-10-26] (Microsoft Corporation)
    3 PerfHost; C:\Windows\SysWow64\perfhost.exe [19968 2008-01-20] (Microsoft Corporation)
    2 RalinkRegistryWriter; C:\Program Files (x86)\Rosewill\Common\RaRegistry.exe [185632 2009-10-20] (Ralink Technology, Corp.)
    2 RalinkRegistryWriter64; C:\Program Files (x86)\Rosewill\Common\RaRegistry64.exe [212256 2009-10-20] (Ralink Technology, Corp.)
    3 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe /RunAsService [489256 2012-04-17] (Valve Corporation)
    3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [1020768 2010-03-18] (Microsoft Corporation)

    ========================== Drivers (Whitelisted) =============

    0 amdide64; C:\Windows\System32\DRIVERS\amdide64.sys [10632 2007-10-11] (Advanced Micro Devices)
    3 amdiox64; C:\Windows\System32\DRIVERS\amdiox64.sys [46136 2010-02-18] (Advanced Micro Devices)
    2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
    2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-08] (Avira GmbH)
    1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132832 2012-05-08] (Avira GmbH)
    1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [27760 2011-10-19] (Avira GmbH)
    3 E1G60; C:\Windows\System32\DRIVERS\E1G6032E.sys [146176 2008-01-20] (Intel Corporation)
    3 gcdbus; C:\Windows\System32\DRIVERS\gcdbus.sys [170496 2011-11-23] (Power Software Ltd)
    3 gdrv; \??\C:\Windows\gdrv.sys [23080 2012-08-01] (Windows (R) Server 2003 DDK provider)
    3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHD64.sys [1590048 2008-12-26] (Realtek Semiconductor Corp.)
    1 ISODrive; \??\C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [105176 2007-04-13] (EZB Systems, Inc.)
    0 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [98144 2008-11-03] (JMicron Technology Corp.)
    3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20864 2008-01-20] (Microsoft Corporation)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
    3 netr28ux; C:\Windows\System32\DRIVERS\netr28ux.sys [1037664 2010-05-27] (Ralink Technology Corp.)
    3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIVX.sys [190496 2008-12-25] (Realtek Semiconductor Corp.)
    3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh64.sys [184832 2008-11-10] (Realtek Corporation )
    3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [19456 2009-04-11] (Microsoft Corporation)
    3 xnacc; C:\Windows\System32\DRIVERS\xnacc.sys [903168 2008-01-20] (Microsoft Corporation)
    0 Cdr4vsd; [x]
    1 Cdralwnt; [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-01 13:41 - 2012-08-01 13:41 - 00000000 ____D C:\FRST
    2012-08-01 13:31 - 2012-08-01 13:31 - 00892822 ____A (Farbar) C:\Users\Administrator\Downloads\FRST.exe
    2012-08-01 11:05 - 2012-08-01 11:05 - 00001724 ____A C:\Users\Administrator\Desktop\aswMBR.txt
    2012-08-01 11:05 - 2012-08-01 11:05 - 00000512 ____A C:\Users\Administrator\Desktop\MBR.dat
    2012-07-30 19:06 - 2012-07-30 19:10 - 127231689 ____A (Igor Pavlov) C:\Users\Administrator\Desktop\OTLPENet.exe
    2012-07-29 18:57 - 2012-07-29 18:57 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_winusb_01009.Wdf
    2012-07-29 18:54 - 2009-07-14 08:19 - 00020480 ____A (Microsoft Corporation) C:\Windows\System32\winusb.dll
    2012-07-29 18:54 - 2009-07-14 08:12 - 00016896 ____A (Microsoft Corporation) C:\Windows\SysWOW64\winusb.dll
    2012-07-29 18:54 - 2009-07-13 20:06 - 00040448 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\winusb.sys
    2012-07-29 18:51 - 2012-07-29 18:51 - 00000000 ___AH C:\Windows\System32\Drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
    2012-07-29 18:50 - 2009-07-14 14:18 - 00654928 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
    2012-07-29 18:50 - 2009-07-14 14:18 - 00042064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
    2012-07-29 18:50 - 2009-07-14 14:18 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
    2012-07-29 18:39 - 2012-07-29 18:39 - 00000908 ____A C:\Users\Administrator\Desktop\Paper Jamz Pro.lnk
    2012-07-29 18:36 - 2012-07-29 18:37 - 00000000 ____D C:\Program Files (x86)\QuickTime
    2012-07-29 18:34 - 2012-07-29 18:34 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
    2012-07-29 18:33 - 2012-07-29 18:48 - 00000000 ____D C:\Users\Administrator\Documents\Paper Jamz
    2012-07-29 18:32 - 2012-07-29 18:47 - 00000000 ____D C:\Program Files (x86)\Paper Jamz Pro
    2012-07-29 18:26 - 2012-07-29 18:32 - 133924232 ____A C:\Users\Administrator\Downloads\PaperJamzPro.exe
    2012-07-28 18:50 - 2012-07-28 18:51 - 00013285 ____A C:\Users\Administrator\Desktop\MBRCheck_07.28.12_17.50.12.txt
    2012-07-28 10:50 - 2012-07-29 18:38 - 00013981 ____A C:\Users\Administrator\Documents\glyph_stockpiling.xlsx
    2012-07-27 06:35 - 2012-07-27 06:42 - 00013356 ____A C:\Users\Administrator\Desktop\MBRCheck_07.27.12_05.35.03.txt
    2012-07-26 20:00 - 2012-07-26 20:03 - 00001446 ____A C:\Users\Administrator\Desktop\RKreport[7].txt
    2012-07-26 20:00 - 2012-04-30 12:20 - 00001027 ____A C:\Users\Public\Desktop\OpenOffice.org 3.3.lnk
    2012-07-26 19:58 - 2012-07-26 19:58 - 00001928 ____A C:\Users\Administrator\Desktop\RKreport[6].txt
    2012-07-26 19:57 - 2012-07-26 19:57 - 00000709 ____A C:\Users\Administrator\Desktop\RKreport[5].txt
    2012-07-26 19:57 - 2012-07-26 19:57 - 00000672 ____A C:\Users\Administrator\Desktop\RKreport[4].txt
    2012-07-26 19:56 - 2012-07-26 19:56 - 00000570 ____A C:\Users\Administrator\Desktop\RKreport[3].txt
    2012-07-26 19:55 - 2012-07-26 19:55 - 00001358 ____A C:\Users\Administrator\Desktop\RKreport[2].txt
    2012-07-26 19:54 - 2012-07-26 19:54 - 00001869 ____A C:\Users\Administrator\Desktop\RKreport[1].txt
    2012-07-26 19:54 - 2012-07-26 19:54 - 00000000 ____D C:\Users\Administrator\Desktop\RK_Quarantine
    2012-07-26 19:53 - 2012-07-26 19:53 - 01552384 ____A C:\Users\Administrator\Desktop\RogueKiller.exe
    2012-07-25 19:16 - 2012-07-25 19:26 - 00013268 ____A C:\Users\Administrator\Desktop\MBRCheck_07.25.12_18.16.20.txt
    2012-07-24 18:05 - 2012-07-24 18:10 - 00013895 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_17.05.19.txt
    2012-07-24 17:56 - 2012-07-24 17:57 - 00013268 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_16.56.48.txt
    2012-07-24 17:44 - 2012-07-24 17:44 - 00000512 ____A C:\Users\Administrator\Desktop\MBRCheck_MBR_Backup_07-24-12_16-44-18.bak
    2012-07-24 17:43 - 2012-07-24 17:44 - 00014106 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_16.43.30.txt
    2012-07-24 17:41 - 2012-07-24 17:42 - 00014058 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_16.41.13.txt
    2012-07-24 10:43 - 2012-07-24 10:43 - 00000599 ____A C:\Users\Administrator\Desktop\dump.zip
    2012-07-24 10:33 - 2012-07-24 10:38 - 00014016 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_09.33.20.txt
    2012-07-24 10:25 - 2012-07-24 10:37 - 00000512 ____A C:\Users\Administrator\Desktop\dump.dat
    2012-07-24 10:23 - 2012-07-24 10:26 - 00013966 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_09.23.24.txt
    2012-07-23 15:33 - 2012-07-23 15:33 - 00010094 ____A C:\Users\Administrator\Desktop\Attach.txt
    2012-07-23 15:31 - 2012-07-23 15:31 - 00025456 ____A C:\Users\Administrator\Desktop\DDS.txt
    2012-07-23 14:23 - 2012-07-23 14:23 - 00607260 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
    2012-07-23 13:55 - 2012-07-23 13:55 - 00294216 ____A C:\Users\Administrator\Desktop\gmer.zip
    2012-07-23 13:55 - 2011-07-16 23:21 - 00302592 ____A C:\Users\Administrator\Desktop\gmer.exe
    2012-07-23 13:50 - 2012-07-23 13:55 - 00013288 ____A C:\Users\Administrator\Desktop\MBRCheck_07.23.12_12.50.50.txt
    2012-07-23 13:50 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-07-23 13:50 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-07-23 13:50 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-07-23 13:50 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-07-23 13:50 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-07-23 13:50 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
    2012-07-23 13:50 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
    2012-07-23 13:50 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
    2012-07-23 13:49 - 2012-07-23 13:51 - 00000000 ___SD C:\commy32243c
    2012-07-23 13:46 - 2012-07-23 13:47 - 00000000 ___SD C:\commy
    2012-07-23 13:45 - 2012-07-23 13:46 - 00000000 ____D C:\Qoobox
    2012-07-23 13:44 - 2012-07-23 13:49 - 00000000 ___SD C:\32788R22FWJFW
    2012-07-23 13:44 - 2012-07-23 13:44 - 00000000 ____D C:\Windows\erdnt
    2012-07-23 13:42 - 2012-07-23 13:42 - 04582474 ____R (Swearware) C:\Users\Administrator\Desktop\commy.exe
    2012-07-23 13:41 - 2012-07-24 10:32 - 00080384 ____A C:\Users\Administrator\Desktop\MBRCheck.exe
    2012-07-23 13:41 - 2012-07-23 13:43 - 00013505 ____A C:\Users\Administrator\Desktop\MBRCheck_07.23.12_12.41.07.txt
    2012-07-23 13:31 - 2012-07-23 13:31 - 04731392 ____A (AVAST Software) C:\Users\Administrator\Desktop\aswMBR.exe
    2012-07-15 00:57 - 2012-07-15 01:31 - 261122008 ____A (Avira GmbH) C:\Users\Administrator\Downloads\rescue_system-common-en.exe
    2012-07-14 23:48 - 2012-07-14 23:48 - 00270816 ____A C:\Windows\Minidump\Mini071412-03.dmp
    2012-07-14 22:59 - 2012-07-14 22:59 - 00057344 ____A (Roxio) C:\Windows\uneng.exe
    2012-07-14 22:59 - 2012-07-14 22:59 - 00049152 ____A (Roxio) C:\Windows\SysWOW64\cdrtc.dll
    2012-07-14 22:59 - 2012-07-14 22:59 - 00045056 ____A (Roxio) C:\Windows\SysWOW64\cdral.dll
    2012-07-14 22:59 - 2012-07-14 22:59 - 00000000 ____D C:\Users\Administrator\Downloads\RoxioEasyCD0410
    2012-07-14 22:53 - 2012-07-14 22:58 - 94281863 ____A C:\Users\Administrator\Downloads\RoxioEasyCD0410.rar
    2012-07-14 22:52 - 2012-07-14 22:52 - 00821248 ____A C:\Users\Administrator\Downloads\FreeISOBurner.exe
    2012-07-14 22:44 - 2012-07-14 22:44 - 00000000 ____D C:\Program Files (x86)\Smart Projects
    2012-07-14 22:43 - 2012-07-14 22:43 - 04266768 ____A (Smart Projects ) C:\Users\Administrator\Downloads\isobuster_all_lang.exe
    2012-07-14 22:25 - 2012-07-14 22:26 - 00270816 ____A C:\Windows\Minidump\Mini071412-02.dmp
    2012-07-14 22:20 - 2012-07-14 22:20 - 00270816 ____A C:\Windows\Minidump\Mini071412-01.dmp
    2012-07-14 22:16 - 2012-07-14 22:16 - 259346432 ____A C:\rescue_system-common-en.iso
    2012-07-14 18:17 - 2012-07-14 18:16 - 00955888 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2012-07-14 18:17 - 2012-07-14 18:16 - 00839152 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
    2012-07-14 18:12 - 2012-07-14 18:13 - 21869552 ____A (Oracle Corporation) C:\Users\Administrator\Downloads\jre-7u5-windows-x64.exe
    2012-07-14 12:57 - 2012-07-14 12:57 - 00961371 ____A C:\Users\Administrator\Documents\Copy of Consortium_Shuffler v4.xlsx
    2012-07-14 10:26 - 2012-07-14 10:26 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Downloads\mbam-setup-1.62.0.1300.exe
    2012-07-14 10:26 - 2012-07-14 10:26 - 00000948 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-14 10:26 - 2012-07-14 10:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-14 10:26 - 2012-07-03 14:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-14 09:08 - 2012-07-14 09:08 - 00009287 ____A C:\Users\Administrator\Documents\glyph bank.xlsx
    2012-07-13 21:33 - 2012-07-13 21:33 - 00000000 ____D C:\Users\Administrator\AppData\Local\AMD
    2012-07-13 21:32 - 2012-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\AMD APP
    2012-07-13 21:30 - 2010-02-18 10:18 - 00046136 ____A (Advanced Micro Devices) C:\Windows\System32\Drivers\amdiox64.sys
    2012-07-13 21:29 - 2012-07-13 21:29 - 00018325 ____A C:\Windows\SysWOW64\CCCInstall_201207132029492105.log
    2012-07-13 21:24 - 2012-07-13 21:24 - 00000000 ____D C:\AMD
    2012-07-13 21:20 - 2012-07-13 21:24 - 162514192 ____A (Advanced Micro Devices, Inc.) C:\Users\Administrator\Downloads\12-6-legacy_vista_win7_64_dd_ccc.exe
    2012-07-11 19:06 - 2012-07-26 20:06 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-07-11 05:38 - 2012-07-11 05:38 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Administrator\Downloads\unhide.exe
    2012-07-11 05:17 - 2012-07-12 16:36 - 00002025 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-07-11 05:17 - 2012-06-16 03:08 - 00001951 ____A C:\Users\Public\Desktop\DivX Plus Converter.lnk
    2012-07-11 05:17 - 2012-06-16 03:08 - 00000947 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk
    2012-07-11 05:17 - 2012-05-24 23:36 - 00000930 ____A C:\Users\Public\Desktop\gBurner Virtual Drive.lnk
    2012-07-11 05:17 - 2012-04-17 17:58 - 00001810 ____A C:\Users\Public\Desktop\GoldenEye Souce v4.1.lnk
    2012-07-11 05:17 - 2012-04-17 09:48 - 00000828 ____A C:\Users\Public\Desktop\Steam.lnk
    2012-07-11 05:17 - 2012-01-22 15:18 - 00001922 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
    2012-07-11 05:17 - 2012-01-22 14:57 - 00000961 ____A C:\Users\Public\Desktop\Foxit Reader 5.0.lnk
    2012-07-11 05:17 - 2011-11-27 15:53 - 00000888 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2012-07-11 05:15 - 2012-07-11 05:06 - 01558016 ____A C:\RogueKiller.exe
    2012-07-11 05:07 - 2012-07-11 05:07 - 00003694 ____A C:\Users\Michael\Desktop\RKreport[2].txt
    2012-07-11 05:07 - 2012-07-11 05:07 - 00003539 ____A C:\Users\Michael\Desktop\RKreport[1].txt
    2012-07-11 05:06 - 2012-07-14 12:10 - 00000000 ____D C:\Users\Michael\Desktop\RK_Quarantine
    2012-07-11 05:06 - 2012-07-11 05:06 - 01558016 ____A C:\Users\Michael\Downloads\RogueKiller.exe
    2012-07-11 04:45 - 2012-07-11 04:45 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Adobe
    2012-07-11 04:13 - 2012-06-02 08:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-11 04:13 - 2012-06-02 08:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-11 04:13 - 2012-06-02 08:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-11 04:13 - 2012-06-02 08:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-11 04:13 - 2012-06-02 08:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-11 04:13 - 2012-06-02 08:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-11 04:13 - 2012-06-02 08:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-11 04:13 - 2012-06-02 08:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-11 04:13 - 2012-06-02 08:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-11 04:13 - 2012-06-02 08:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-11 04:13 - 2012-06-02 07:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-11 04:13 - 2012-06-02 07:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-11 04:13 - 2012-06-02 07:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-11 04:13 - 2012-06-02 07:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-11 04:13 - 2012-06-02 05:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-11 04:13 - 2012-06-02 04:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-11 04:13 - 2012-06-02 04:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-11 04:13 - 2012-06-02 04:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-11 04:13 - 2012-06-02 04:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-11 04:13 - 2012-06-02 04:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-11 04:13 - 2012-06-02 04:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-11 04:13 - 2012-06-02 04:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-11 04:13 - 2012-06-02 04:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-11 04:13 - 2012-06-02 04:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-11 04:13 - 2012-06-02 04:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-11 04:13 - 2012-06-02 04:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-11 04:13 - 2012-06-02 04:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-11 04:13 - 2012-06-02 04:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-11 04:11 - 2012-06-13 09:58 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-11 03:49 - 2012-07-11 03:49 - 00000000 ____D C:\Users\Michael\AppData\Roaming\WinRAR
    2012-07-11 03:43 - 2012-07-11 03:43 - 00106584 ____A C:\Users\Michael\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-11 03:43 - 2012-07-11 03:43 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Avira
    2012-07-11 03:43 - 2012-07-11 03:43 - 00000000 ____D C:\Users\Michael\AppData\Roaming\ATI
    2012-07-11 03:43 - 2012-07-11 03:43 - 00000000 ____D C:\Users\Michael\AppData\Local\ATI
    2012-07-11 03:41 - 2012-07-11 03:42 - 00000000 ____D C:\users\Michael
    2012-07-11 03:41 - 2012-07-11 03:41 - 00000020 ___SH C:\Users\Michael\ntuser.ini
    2012-07-11 03:41 - 2012-07-11 03:41 - 00000000 ____D C:\Users\Michael\AppData\Local\VirtualStore
    2012-07-11 03:41 - 2012-05-25 04:00 - 00000000 ____D C:\Users\Michael\AppData\Local\Microsoft Help
    2012-07-11 03:41 - 2012-01-22 15:20 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Macromedia
    2012-07-10 20:15 - 2012-07-10 20:15 - 00000752 ____A C:\Users\Administrator\Desktop\Ventrilo.lnk
    2012-07-10 20:15 - 2012-07-10 20:15 - 00000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
    2012-07-10 20:15 - 2012-07-10 20:15 - 00000000 ____D C:\Program Files\Ventrilo
    2012-07-10 20:13 - 2012-07-10 20:13 - 04135696 ____A C:\Users\Administrator\Downloads\ventrilo-3.0.8-Windows-x64.exe
    2012-07-10 20:08 - 2012-07-10 20:08 - 01132799 ____A C:\Users\Administrator\Downloads\TheUndermineJournal(4).zip
    2012-07-10 15:18 - 2012-06-08 13:59 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-10 15:18 - 2012-06-08 13:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-10 15:18 - 2012-06-05 12:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-10 15:18 - 2012-06-05 12:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-10 15:18 - 2012-06-05 12:22 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-10 15:18 - 2012-06-05 12:22 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-10 15:18 - 2012-06-04 11:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-10 15:18 - 2012-06-01 20:22 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-10 15:18 - 2012-06-01 20:22 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-10 15:18 - 2012-06-01 20:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-10 15:18 - 2012-06-01 20:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-10 15:18 - 2012-06-01 20:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-07-04 03:32 - 2012-07-04 03:32 - 00187392 ____A C:\Windows\System32\clinfo.exe
    2012-07-04 03:32 - 2012-07-04 03:32 - 00075264 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OpenVideo64.dll
    2012-07-04 03:32 - 2012-07-04 03:32 - 00065024 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OpenVideo.dll
    2012-07-04 03:31 - 2012-07-04 03:31 - 16457216 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\amdocl64.dll
    2012-07-04 03:31 - 2012-07-04 03:31 - 00063488 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OVDecode64.dll
    2012-07-04 03:31 - 2012-07-04 03:31 - 00056320 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OVDecode.dll
    2012-07-04 03:30 - 2012-07-04 03:30 - 13008384 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
    2012-07-04 03:30 - 2012-07-04 03:30 - 00054784 ____A (Khronos Group) C:\Windows\System32\OpenCL.dll
    2012-07-04 03:30 - 2012-07-04 03:30 - 00050176 ____A (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
    2012-07-04 02:59 - 2012-07-04 02:59 - 11922944 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmdag.sys
    2012-07-04 02:52 - 2012-07-04 02:52 - 26016256 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atio6axx.dll
    2012-07-04 02:35 - 2012-07-04 02:35 - 19586048 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
    2012-07-04 02:28 - 2012-07-04 02:28 - 00246000 ____A C:\Windows\SysWOW64\atiapfxx.blb
    2012-07-04 02:28 - 2012-07-04 02:28 - 00246000 ____A C:\Windows\System32\atiapfxx.blb
    2012-07-04 02:27 - 2012-07-04 02:27 - 00159744 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiapfxx.exe
    2012-07-04 02:21 - 2012-07-04 02:21 - 00514048 ____A (AMD) C:\Windows\System32\atieclxx.exe
    2012-07-04 02:20 - 2012-07-04 02:20 - 00238080 ____A (AMD) C:\Windows\System32\atiesrxx.exe
    2012-07-04 02:19 - 2012-07-04 02:19 - 00120320 ____A (AMD) C:\Windows\System32\atitmm64.dll
    2012-07-04 02:19 - 2012-07-04 02:19 - 00059392 ____A (ATI Technologies, Inc.) C:\Windows\System32\atiedu64.dll
    2012-07-04 02:19 - 2012-07-04 02:19 - 00043520 ____A (ATI Technologies, Inc.) C:\Windows\SysWOW64\ati2edxx.dll
    2012-07-04 02:19 - 2012-07-04 02:19 - 00021504 ____A (AMD) C:\Windows\System32\atimuixx.dll
    2012-07-04 01:57 - 2012-07-04 01:57 - 07510528 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atidxx64.dll
    2012-07-04 01:36 - 2012-07-04 01:36 - 01960960 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdmv.dll
    2012-07-04 01:36 - 2012-07-04 01:36 - 01053696 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6v.dll
    2012-07-04 01:36 - 2012-07-04 01:36 - 00069632 ____A (AMD) C:\Windows\System32\coinst_8.97.100.3.dll
    2012-07-04 01:34 - 2012-07-04 01:34 - 02818784 ____A C:\Windows\System32\atiumd6a.cap
    2012-07-04 01:27 - 2012-07-04 01:27 - 02852480 ____A C:\Windows\SysWOW64\atiumdva.cap
    2012-07-04 01:11 - 2012-07-04 01:11 - 00364544 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00056832 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00056832 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00056320 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atimpc64.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00056320 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\amdpcom64.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00041984 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6txx.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00033280 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00017920 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6pxx.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiglpxx.dll
    2012-07-04 01:10 - 2012-07-04 01:10 - 00359936 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmpag.sys
    2012-07-04 01:10 - 2012-07-04 01:10 - 00055296 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiuxp64.dll
    2012-07-04 01:09 - 2012-07-04 01:09 - 00053248 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\ati2erec.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 15827456 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticaldd64.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 00051200 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalrt64.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 00046080 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 00044544 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 00044544 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalcl64.dll
    2012-07-04 00:59 - 2012-07-04 00:59 - 13402112 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
  4. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    ============ 3 Months Modified Files ========================

    2012-08-01 13:33 - 2009-06-05 17:46 - 00000207 ____A C:\service.log
    2012-08-01 13:33 - 2008-01-20 21:53 - 01173132 ____A C:\Windows\WindowsUpdate.log
    2012-08-01 13:33 - 2006-11-02 11:42 - 00032652 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-01 13:33 - 2006-11-02 11:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-01 13:33 - 2006-11-02 11:22 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-01 13:33 - 2006-11-02 11:22 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-01 13:31 - 2012-08-01 13:31 - 00892822 ____A (Farbar) C:\Users\Administrator\Downloads\FRST.exe
    2012-08-01 13:26 - 2012-05-25 18:19 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-01 13:26 - 2011-11-27 17:08 - 00023080 ____A (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
    2012-08-01 11:05 - 2012-08-01 11:05 - 00001724 ____A C:\Users\Administrator\Desktop\aswMBR.txt
    2012-08-01 11:05 - 2012-08-01 11:05 - 00000512 ____A C:\Users\Administrator\Desktop\MBR.dat
    2012-08-01 10:34 - 2012-05-25 18:19 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-01 10:06 - 2012-04-07 21:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-01 09:24 - 2011-11-27 17:33 - 00000735 ____A C:\Users\Administrator\Desktop\World of Warcraft.lnk
    2012-07-31 20:27 - 2006-11-02 08:46 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-30 19:10 - 2012-07-30 19:06 - 127231689 ____A (Igor Pavlov) C:\Users\Administrator\Desktop\OTLPENet.exe
    2012-07-29 19:09 - 2006-11-02 11:27 - 00071261 ____A C:\Windows\setupact.log
    2012-07-29 18:57 - 2012-07-29 18:57 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_winusb_01009.Wdf
    2012-07-29 18:51 - 2012-07-29 18:51 - 00000000 ___AH C:\Windows\System32\Drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
    2012-07-29 18:39 - 2012-07-29 18:39 - 00000908 ____A C:\Users\Administrator\Desktop\Paper Jamz Pro.lnk
    2012-07-29 18:38 - 2012-07-28 10:50 - 00013981 ____A C:\Users\Administrator\Documents\glyph_stockpiling.xlsx
    2012-07-29 18:32 - 2012-07-29 18:26 - 133924232 ____A C:\Users\Administrator\Downloads\PaperJamzPro.exe
    2012-07-28 18:51 - 2012-07-28 18:50 - 00013285 ____A C:\Users\Administrator\Desktop\MBRCheck_07.28.12_17.50.12.txt
    2012-07-28 10:50 - 2012-05-17 22:05 - 00005643 ____A C:\Users\Administrator\Documents\glyph_stockpiling.xls_0.ods
    2012-07-27 06:42 - 2012-07-27 06:35 - 00013356 ____A C:\Users\Administrator\Desktop\MBRCheck_07.27.12_05.35.03.txt
    2012-07-26 20:06 - 2012-07-11 19:06 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-07-26 20:06 - 2012-04-07 21:50 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-26 20:06 - 2011-11-27 17:30 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-26 20:03 - 2012-07-26 20:00 - 00001446 ____A C:\Users\Administrator\Desktop\RKreport[7].txt
    2012-07-26 19:58 - 2012-07-26 19:58 - 00001928 ____A C:\Users\Administrator\Desktop\RKreport[6].txt
    2012-07-26 19:57 - 2012-07-26 19:57 - 00000709 ____A C:\Users\Administrator\Desktop\RKreport[5].txt
    2012-07-26 19:57 - 2012-07-26 19:57 - 00000672 ____A C:\Users\Administrator\Desktop\RKreport[4].txt
    2012-07-26 19:56 - 2012-07-26 19:56 - 00000570 ____A C:\Users\Administrator\Desktop\RKreport[3].txt
    2012-07-26 19:55 - 2012-07-26 19:55 - 00001358 ____A C:\Users\Administrator\Desktop\RKreport[2].txt
    2012-07-26 19:54 - 2012-07-26 19:54 - 00001869 ____A C:\Users\Administrator\Desktop\RKreport[1].txt
    2012-07-26 19:53 - 2012-07-26 19:53 - 01552384 ____A C:\Users\Administrator\Desktop\RogueKiller.exe
    2012-07-25 19:26 - 2012-07-25 19:16 - 00013268 ____A C:\Users\Administrator\Desktop\MBRCheck_07.25.12_18.16.20.txt
    2012-07-24 18:10 - 2012-07-24 18:05 - 00013895 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_17.05.19.txt
    2012-07-24 17:57 - 2012-07-24 17:56 - 00013268 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_16.56.48.txt
    2012-07-24 17:44 - 2012-07-24 17:44 - 00000512 ____A C:\Users\Administrator\Desktop\MBRCheck_MBR_Backup_07-24-12_16-44-18.bak
    2012-07-24 17:44 - 2012-07-24 17:43 - 00014106 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_16.43.30.txt
    2012-07-24 17:42 - 2012-07-24 17:41 - 00014058 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_16.41.13.txt
    2012-07-24 10:43 - 2012-07-24 10:43 - 00000599 ____A C:\Users\Administrator\Desktop\dump.zip
    2012-07-24 10:38 - 2012-07-24 10:33 - 00014016 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_09.33.20.txt
    2012-07-24 10:37 - 2012-07-24 10:25 - 00000512 ____A C:\Users\Administrator\Desktop\dump.dat
    2012-07-24 10:32 - 2012-07-23 13:41 - 00080384 ____A C:\Users\Administrator\Desktop\MBRCheck.exe
    2012-07-24 10:26 - 2012-07-24 10:23 - 00013966 ____A C:\Users\Administrator\Desktop\MBRCheck_07.24.12_09.23.24.txt
    2012-07-23 18:51 - 2011-11-27 16:11 - 00000732 ____A C:\Users\Administrator\AppData\Local\d3d9caps64.dat
    2012-07-23 15:33 - 2012-07-23 15:33 - 00010094 ____A C:\Users\Administrator\Desktop\Attach.txt
    2012-07-23 15:31 - 2012-07-23 15:31 - 00025456 ____A C:\Users\Administrator\Desktop\DDS.txt
    2012-07-23 14:23 - 2012-07-23 14:23 - 00607260 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
    2012-07-23 13:55 - 2012-07-23 13:55 - 00294216 ____A C:\Users\Administrator\Desktop\gmer.zip
    2012-07-23 13:55 - 2012-07-23 13:50 - 00013288 ____A C:\Users\Administrator\Desktop\MBRCheck_07.23.12_12.50.50.txt
    2012-07-23 13:43 - 2012-07-23 13:41 - 00013505 ____A C:\Users\Administrator\Desktop\MBRCheck_07.23.12_12.41.07.txt
    2012-07-23 13:42 - 2012-07-23 13:42 - 04582474 ____R (Swearware) C:\Users\Administrator\Desktop\commy.exe
    2012-07-23 13:31 - 2012-07-23 13:31 - 04731392 ____A (AVAST Software) C:\Users\Administrator\Desktop\aswMBR.exe
    2012-07-15 20:35 - 2011-11-27 16:38 - 00001356 ____A C:\Users\Administrator\AppData\Local\d3d9caps.dat
    2012-07-15 13:06 - 2006-11-02 11:21 - 00399736 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-15 01:31 - 2012-07-15 00:57 - 261122008 ____A (Avira GmbH) C:\Users\Administrator\Downloads\rescue_system-common-en.exe
    2012-07-14 23:48 - 2012-07-14 23:48 - 00270816 ____A C:\Windows\Minidump\Mini071412-03.dmp
    2012-07-14 23:48 - 2011-11-27 15:41 - 701416025 ____A C:\Windows\MEMORY.DMP
    2012-07-14 22:59 - 2012-07-14 22:59 - 00057344 ____A (Roxio) C:\Windows\uneng.exe
    2012-07-14 22:59 - 2012-07-14 22:59 - 00049152 ____A (Roxio) C:\Windows\SysWOW64\cdrtc.dll
    2012-07-14 22:59 - 2012-07-14 22:59 - 00045056 ____A (Roxio) C:\Windows\SysWOW64\cdral.dll
    2012-07-14 22:58 - 2012-07-14 22:53 - 94281863 ____A C:\Users\Administrator\Downloads\RoxioEasyCD0410.rar
    2012-07-14 22:52 - 2012-07-14 22:52 - 00821248 ____A C:\Users\Administrator\Downloads\FreeISOBurner.exe
    2012-07-14 22:43 - 2012-07-14 22:43 - 04266768 ____A (Smart Projects ) C:\Users\Administrator\Downloads\isobuster_all_lang.exe
    2012-07-14 22:26 - 2012-07-14 22:25 - 00270816 ____A C:\Windows\Minidump\Mini071412-02.dmp
    2012-07-14 22:20 - 2012-07-14 22:20 - 00270816 ____A C:\Windows\Minidump\Mini071412-01.dmp
    2012-07-14 22:16 - 2012-07-14 22:16 - 259346432 ____A C:\rescue_system-common-en.iso
    2012-07-14 18:16 - 2012-07-14 18:17 - 00955888 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2012-07-14 18:16 - 2012-07-14 18:17 - 00839152 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
    2012-07-14 18:13 - 2012-07-14 18:12 - 21869552 ____A (Oracle Corporation) C:\Users\Administrator\Downloads\jre-7u5-windows-x64.exe
    2012-07-14 12:57 - 2012-07-14 12:57 - 00961371 ____A C:\Users\Administrator\Documents\Copy of Consortium_Shuffler v4.xlsx
    2012-07-14 10:26 - 2012-07-14 10:26 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Downloads\mbam-setup-1.62.0.1300.exe
    2012-07-14 10:26 - 2012-07-14 10:26 - 00000948 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-14 09:12 - 2012-06-20 08:37 - 00875466 ____A C:\Users\Administrator\Documents\tuj datasheet.xlsx
    2012-07-14 09:08 - 2012-07-14 09:08 - 00009287 ____A C:\Users\Administrator\Documents\glyph bank.xlsx
    2012-07-13 21:29 - 2012-07-13 21:29 - 00018325 ____A C:\Windows\SysWOW64\CCCInstall_201207132029492105.log
    2012-07-13 21:24 - 2012-07-13 21:20 - 162514192 ____A (Advanced Micro Devices, Inc.) C:\Users\Administrator\Downloads\12-6-legacy_vista_win7_64_dd_ccc.exe
    2012-07-12 16:36 - 2012-07-11 05:17 - 00002025 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-07-11 05:38 - 2012-07-11 05:38 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Administrator\Downloads\unhide.exe
    2012-07-11 05:07 - 2012-07-11 05:07 - 00003694 ____A C:\Users\Michael\Desktop\RKreport[2].txt
    2012-07-11 05:07 - 2012-07-11 05:07 - 00003539 ____A C:\Users\Michael\Desktop\RKreport[1].txt
    2012-07-11 05:06 - 2012-07-11 05:15 - 01558016 ____A C:\RogueKiller.exe
    2012-07-11 05:06 - 2012-07-11 05:06 - 01558016 ____A C:\Users\Michael\Downloads\RogueKiller.exe
    2012-07-11 04:26 - 2006-11-02 08:34 - 00000254 ____A C:\Windows\win.ini
    2012-07-11 04:20 - 2006-11-02 08:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-11 03:43 - 2012-07-11 03:43 - 00106584 ____A C:\Users\Michael\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-11 03:41 - 2012-07-11 03:41 - 00000020 ___SH C:\Users\Michael\ntuser.ini
    2012-07-11 03:35 - 2008-01-20 23:26 - 00114562 ____A C:\Windows\PFRO.log
    2012-07-10 20:15 - 2012-07-10 20:15 - 00000752 ____A C:\Users\Administrator\Desktop\Ventrilo.lnk
    2012-07-10 20:15 - 2012-07-10 20:15 - 00000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
    2012-07-10 20:13 - 2012-07-10 20:13 - 04135696 ____A C:\Users\Administrator\Downloads\ventrilo-3.0.8-Windows-x64.exe
    2012-07-10 20:08 - 2012-07-10 20:08 - 01132799 ____A C:\Users\Administrator\Downloads\TheUndermineJournal(4).zip
    2012-07-05 03:36 - 2012-05-25 00:10 - 01078513 ____A C:\Users\Administrator\Documents\Copy of Consortium_Shuffler v4.52.xlsx
    2012-07-04 03:32 - 2012-07-04 03:32 - 00187392 ____A C:\Windows\System32\clinfo.exe
    2012-07-04 03:32 - 2012-07-04 03:32 - 00075264 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OpenVideo64.dll
    2012-07-04 03:32 - 2012-07-04 03:32 - 00065024 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OpenVideo.dll
    2012-07-04 03:31 - 2012-07-04 03:31 - 16457216 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\amdocl64.dll
    2012-07-04 03:31 - 2012-07-04 03:31 - 00063488 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OVDecode64.dll
    2012-07-04 03:31 - 2012-07-04 03:31 - 00056320 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OVDecode.dll
    2012-07-04 03:30 - 2012-07-04 03:30 - 13008384 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
    2012-07-04 03:30 - 2012-07-04 03:30 - 00054784 ____A (Khronos Group) C:\Windows\System32\OpenCL.dll
    2012-07-04 03:30 - 2012-07-04 03:30 - 00050176 ____A (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
    2012-07-04 02:59 - 2012-07-04 02:59 - 11922944 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmdag.sys
    2012-07-04 02:52 - 2012-07-04 02:52 - 26016256 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atio6axx.dll
    2012-07-04 02:35 - 2012-07-04 02:35 - 19586048 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
    2012-07-04 02:28 - 2012-07-04 02:28 - 00246000 ____A C:\Windows\SysWOW64\atiapfxx.blb
    2012-07-04 02:28 - 2012-07-04 02:28 - 00246000 ____A C:\Windows\System32\atiapfxx.blb
    2012-07-04 02:27 - 2012-07-04 02:27 - 00159744 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiapfxx.exe
    2012-07-04 02:27 - 2011-04-20 03:09 - 00918528 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
    2012-07-04 02:25 - 2011-04-20 03:07 - 01081856 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\aticfx64.dll
    2012-07-04 02:21 - 2012-07-04 02:21 - 00514048 ____A (AMD) C:\Windows\System32\atieclxx.exe
    2012-07-04 02:21 - 2011-11-27 15:34 - 00442368 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\ATIDEMGX.dll
    2012-07-04 02:20 - 2012-07-04 02:20 - 00238080 ____A (AMD) C:\Windows\System32\atiesrxx.exe
    2012-07-04 02:19 - 2012-07-04 02:19 - 00120320 ____A (AMD) C:\Windows\System32\atitmm64.dll
    2012-07-04 02:19 - 2012-07-04 02:19 - 00059392 ____A (ATI Technologies, Inc.) C:\Windows\System32\atiedu64.dll
    2012-07-04 02:19 - 2012-07-04 02:19 - 00043520 ____A (ATI Technologies, Inc.) C:\Windows\SysWOW64\ati2edxx.dll
    2012-07-04 02:19 - 2012-07-04 02:19 - 00021504 ____A (AMD) C:\Windows\System32\atimuixx.dll
    2012-07-04 02:18 - 2011-04-20 02:59 - 06811648 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
    2012-07-04 01:57 - 2012-07-04 01:57 - 07510528 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atidxx64.dll
    2012-07-04 01:36 - 2012-07-04 01:36 - 01960960 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdmv.dll
    2012-07-04 01:36 - 2012-07-04 01:36 - 01053696 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6v.dll
    2012-07-04 01:36 - 2012-07-04 01:36 - 00069632 ____A (AMD) C:\Windows\System32\coinst_8.97.100.3.dll
    2012-07-04 01:35 - 2011-04-20 02:38 - 06245888 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
    2012-07-04 01:35 - 2009-02-04 00:29 - 04261376 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6a.dll
    2012-07-04 01:34 - 2012-07-04 01:34 - 02818784 ____A C:\Windows\System32\atiumd6a.cap
    2012-07-04 01:28 - 2011-04-20 02:30 - 04749312 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
    2012-07-04 01:27 - 2012-07-04 01:27 - 02852480 ____A C:\Windows\SysWOW64\atiumdva.cap
    2012-07-04 01:24 - 2009-02-04 00:36 - 07477760 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd64.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00364544 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00056832 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00056832 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00056320 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atimpc64.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00056320 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\amdpcom64.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00041984 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6txx.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00033280 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00017920 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6pxx.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
    2012-07-04 01:11 - 2012-07-04 01:11 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiglpxx.dll
    2012-07-04 01:11 - 2009-02-04 00:07 - 00535552 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiadlxx.dll
    2012-07-04 01:10 - 2012-07-04 01:10 - 00359936 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmpag.sys
    2012-07-04 01:10 - 2012-07-04 01:10 - 00055296 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiuxp64.dll
    2012-07-04 01:09 - 2012-07-04 01:09 - 00053248 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\ati2erec.dll
    2012-07-04 01:09 - 2011-04-20 02:21 - 00045056 ____A C:\Windows\System32\atitmp64.dll
    2012-07-04 01:09 - 2011-04-20 02:21 - 00045056 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiu9p64.dll
    2012-07-04 01:09 - 2011-04-20 02:21 - 00042496 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
    2012-07-04 01:09 - 2011-04-20 02:21 - 00032768 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 15827456 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticaldd64.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 00051200 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalrt64.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 00046080 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 00044544 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
    2012-07-04 01:04 - 2012-07-04 01:04 - 00044544 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalcl64.dll
    2012-07-04 00:59 - 2012-07-04 00:59 - 13402112 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
    2012-07-03 14:46 - 2012-07-14 10:26 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-01 19:16 - 2012-07-01 19:16 - 13085120 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\Silverlight_x64.exe
    2012-06-23 06:48 - 2012-06-23 06:48 - 00245305 ____A C:\Users\Administrator\Downloads\TheUndermineJournal(3).zip
    2012-06-22 04:10 - 2012-06-22 04:10 - 00698278 ____A C:\Users\Administrator\Downloads\easy_uninstaller.zip
    2012-06-22 04:09 - 2012-06-22 04:08 - 00463080 ____A (CNET Download.com) C:\Users\Administrator\Downloads\cnet2_easy_uninstaller_zip.exe
    2012-06-21 18:07 - 2012-06-21 18:07 - 00242459 ____A C:\Users\Administrator\Downloads\TheUndermineJournal(2).zip
    2012-06-21 18:05 - 2012-06-21 18:05 - 00000318 ____A C:\Users\Administrator\Desktop\Curse Client - 1 .appref-ms
    2012-06-16 03:08 - 2012-07-11 05:17 - 00001951 ____A C:\Users\Public\Desktop\DivX Plus Converter.lnk
    2012-06-16 03:08 - 2012-07-11 05:17 - 00000947 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk
    2012-06-16 03:08 - 2012-06-16 03:08 - 00001426 ____A C:\Users\Administrator\Desktop\DivX Movies.lnk
    2012-06-16 03:05 - 2012-06-16 03:05 - 00933256 ____A (DivX, LLC) C:\Users\Administrator\Downloads\DivXInstaller.exe
    2012-06-13 09:58 - 2012-07-11 04:11 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 13:59 - 2012-07-10 15:18 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 13:47 - 2012-07-10 15:18 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 12:47 - 2012-07-10 15:18 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 12:47 - 2012-07-10 15:18 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 12:22 - 2012-07-10 15:18 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 12:22 - 2012-07-10 15:18 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-04 11:29 - 2012-07-10 15:18 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-03 23:48 - 2012-06-03 23:48 - 00000165 ____A C:\Users\Administrator\Documents\~$glyph_stockpiling.xls_0.ods
    2012-06-03 22:51 - 2012-06-03 22:51 - 00000165 ____A C:\Users\Administrator\Documents\~$Copy of Consortium_Shuffler v4.52.xlsx
    2012-06-02 23:07 - 2012-06-02 23:07 - 00059768 ____A (MurGee.com) C:\Users\Administrator\Downloads\AutoMouseMover.exe
    2012-06-02 18:19 - 2012-06-22 22:14 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 18:19 - 2012-06-22 22:14 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 18:19 - 2012-06-22 22:14 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 18:19 - 2012-06-22 22:14 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 18:19 - 2012-06-22 22:14 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 18:19 - 2012-06-22 22:14 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 18:19 - 2012-06-22 22:14 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 18:15 - 2012-06-22 22:14 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 18:15 - 2012-06-22 22:14 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 18:12 - 2012-06-22 22:14 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 16:19 - 2012-06-22 22:13 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 16:19 - 2012-06-22 22:13 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 16:15 - 2012-06-22 22:13 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 16:12 - 2012-06-22 22:13 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-06-02 08:49 - 2012-07-11 04:13 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 08:17 - 2012-07-11 04:13 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 08:12 - 2012-07-11 04:13 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 08:05 - 2012-07-11 04:13 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 08:05 - 2012-07-11 04:13 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 08:04 - 2012-07-11 04:13 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 08:04 - 2012-07-11 04:13 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 08:03 - 2012-07-11 04:13 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 08:01 - 2012-07-11 04:13 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 08:00 - 2012-07-11 04:13 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 07:59 - 2012-07-11 04:13 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 07:57 - 2012-07-11 04:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 07:57 - 2012-07-11 04:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 07:54 - 2012-07-11 04:13 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 05:07 - 2012-07-11 04:13 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 04:43 - 2012-07-11 04:13 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 04:33 - 2012-07-11 04:13 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 04:26 - 2012-07-11 04:13 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 04:25 - 2012-07-11 04:13 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 04:25 - 2012-07-11 04:13 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 04:23 - 2012-07-11 04:13 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 04:21 - 2012-07-11 04:13 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 04:20 - 2012-07-11 04:13 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 04:19 - 2012-07-11 04:13 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 04:19 - 2012-07-11 04:13 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 04:17 - 2012-07-11 04:13 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 04:16 - 2012-07-11 04:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 04:14 - 2012-07-11 04:13 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-02 01:20 - 2012-05-01 21:17 - 00000321 ____A C:\Users\Administrator\Documents\A-Alexstrasza.iqy
    2012-06-02 01:15 - 2012-06-02 01:15 - 00244140 ____A C:\Users\Administrator\Downloads\TheUndermineJournal(1).zip
    2012-06-02 00:42 - 2011-11-27 16:13 - 00182272 ____A C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-06-01 20:22 - 2012-07-10 15:18 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 20:22 - 2012-07-10 15:18 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 20:05 - 2012-07-10 15:18 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 20:04 - 2012-07-10 15:18 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 20:03 - 2012-07-10 15:18 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-05-31 13:25 - 2011-11-27 17:43 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-25 04:32 - 2011-11-27 16:12 - 00106584 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-05-25 04:13 - 2012-05-25 04:13 - 00467812 ____A C:\Windows\dd_vcredistMSI1AEC.txt
    2012-05-25 04:13 - 2012-05-25 04:13 - 00017106 ____A C:\Windows\dd_vcredistUI1AEC.txt
    2012-05-25 04:13 - 2012-05-25 04:12 - 00463468 ____A C:\Windows\dd_vcredistMSI1A46.txt
    2012-05-25 04:13 - 2012-05-25 04:12 - 00017058 ____A C:\Windows\dd_vcredistUI1A46.txt
    2012-05-25 03:32 - 2012-05-25 03:32 - 00017053 ____A C:\Users\Administrator\Downloads\Auc-Util-BigPicture-4.3.zip
    2012-05-25 01:31 - 2012-05-25 01:31 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
    2012-05-25 01:31 - 2012-04-30 12:19 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
    2012-05-24 23:36 - 2012-07-11 05:17 - 00000930 ____A C:\Users\Public\Desktop\gBurner Virtual Drive.lnk
    2012-05-24 23:08 - 2012-05-24 23:08 - 00000846 ____A C:\Users\Administrator\Desktop\UltraISO.lnk
    2012-05-24 08:38 - 2012-05-10 09:05 - 00017408 ____A C:\Users\Administrator\Downloads\glyph_stockpiling.xls
    2012-05-23 09:30 - 2012-05-24 08:38 - 00017331 ____A C:\Users\Administrator\Documents\glyph_stockpiling.xls_0_1.ods
    2012-05-19 08:28 - 2012-07-26 20:00 - 00000782 ____A C:\Users\Public\Desktop\ĀµTorrent.lnk
    2012-05-10 15:13 - 2012-05-10 15:13 - 00000097 ____A C:\Users\Administrator\Documents\doctor appointments.txt
    2012-05-09 11:40 - 2012-05-09 11:40 - 00010438 ____A C:\Users\Administrator\Downloads\food stamp note.odt
    2012-05-08 21:46 - 2011-11-27 17:24 - 00132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
    2012-05-08 21:46 - 2011-11-27 17:24 - 00098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe
    [2011-12-01 01:18] - [2009-04-11 03:10] - 3079168 ____A (Microsoft Corporation) 6B08E54A451B3F95E4109DBA7E594270

    C:\Windows\System32\winlogon.exe
    [2011-12-01 01:17] - [2009-04-11 03:11] - 0405504 ____A (Microsoft Corporation) 6D0773A3A65D28B663F334C90441D01A

    C:\Windows\System32\wininit.exe
    [2008-01-20 22:50] - [2008-01-20 22:50] - 0123904 ____A (Microsoft Corporation) 117EA87DF785CA1B9D821F6F213DCE07

    C:\Windows\System32\svchost.exe
    [2008-01-20 22:50] - [2008-01-20 22:50] - 0027648 ____A (Microsoft Corporation) CDA9F1373805AF88F6FA4F2064BBA24D

    C:\Windows\System32\services.exe
    [2011-12-01 01:17] - [2009-04-11 03:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

    C:\Windows\System32\User32.dll
    [2011-12-01 01:18] - [2009-04-11 03:11] - 0820224 ____A (Microsoft Corporation) F3F5549E69AE8509342E67E4F972CA1C

    C:\Windows\System32\userinit.exe
    [2008-01-20 22:49] - [2008-01-20 22:49] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

    C:\Windows\System32\Drivers\volsnap.sys
    [2011-12-01 01:17] - [2009-04-11 03:15] - 0269288 ____A (Microsoft Corporation) 5280AADA24AB36B01A84A6424C475C8D


    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points (XP) =====================


    ========================= Memory info ======================

    Percentage of memory in use: 9%
    Total physical RAM: 3326.42 MB
    Available physical RAM: 2998.36 MB
    Total Pagefile: 3149.59 MB
    Available Pagefile: 3079.99 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2001.38 MB

    ======================= Partitions =========================

    1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    2 Drive c: () (Fixed) (Total:465.76 GB) (Free:175.77 GB) NTFS
    4 Drive e: () (Removable) (Total:7.45 GB) (Free:7.41 GB) FAT32
    8 Drive I: (Rosewill) (CDROM) (Total:0.09 GB) (Free:0 GB) CDFS
    9 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 466 GB 1024 KB
    Partition 2 Unknown 2032 KB 466 GB
    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 466 GB Healthy
    ==================================================================================

    Disk: 0
    Partition 2
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 Partition 2048 KB Healthy
    ==================================================================================

    ==========================================================

    Last Boot: 2012-08-01 08:38

    ======================= End Of Log ==========================
  5. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Is there some other program I could/should run from that shell which may facilitate cleaning my drive?
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
  7. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-02 08:47:46 Run:1
    Running from E:\

    ==============================================


    ========= bootrec /fixmbr =========

    'bootrec' is not recognized as an internal or external command,
    operable program or batch file.

    ========= End of CMD: =========


    ==== End of Fixlog ====
  8. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    There is a "fixMBR.exe" that comes with REAToGo, should I try that?
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Yes, please.
  10. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    X:\Programs\MBRFix>mbrfix /drive 0 driveinfo
    Drive 0
    Cylinders = 60801
    Tracks (heads) per cylinder = 255
    Sectors per track = 63
    Bytes per sector = 512
    Disk size = 500105249280 (Bytes) = 465 (GB)

    X:\Programs\MBRFix>mbrfix /drive 0 listpartitions
    # Boot Size (MB) Type
    1 476936 7 NTFS or HPFS
    2 Yes 1 23 Hidden IFS (e.g., HPFS)
    3 0 0 None
    4 0 0 None
  11. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Ok, so I have a hidden partition that is being used as the boot partition.

    Should I modify my partition 1 to boot or delete the second partition, or what are the next steps?

    I did use MBRFix to save my current MBR to a file and did a rewrite of the current MBR to a default vista partition, but it didn't seem to change anything.
  12. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 64-bit
    Base Board Manufacturer: Gigabyte Technology Co., Ltd.
    BIOS Manufacturer: Award Software International, Inc.
    System Manufacturer: Gigabyte Technology Co., Ltd.
    System Product Name: GA-MA790X-UD4P
    Logical Drives Mask: 0x00000ffc

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit: n


    Done!
    Press ENTER to exit...
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You mean you don't recognize the hidden partition?
  14. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    I bought the PC from CyberPower PC, so I didn't do the OS Installation. But since the partition is only 2 megabytes, is listed as the boot partition, and apparently is not a rescue partition since I was not offered the rescue partition options when booting up Advanced Boot Options, I would say it is suspicious. Is there a way to peek inside it or to do a scan of it?
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Sure, let's check it out...

    Please download Listparts64.
    • Run the tool.
    • Check the "list BCD" box.
    • Click "Scan" and post the log (Result.txt) it makes.
  16. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    ========================= Memory info ======================

    Percentage of memory in use: 29%
    Total physical RAM: 8189.57 MB
    Available physical RAM: 5804.47 MB
    Total Pagefile: 16433.67 MB
    Available Pagefile: 13820.96 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:465.76 GB) (Free:168.12 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (Rosewill) (CDROM) (Total:0.09 GB) (Free:0 GB) CDFS
    4 Drive f: () (Removable) (Total:7.45 GB) (Free:7.41 GB) FAT32

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B
    Disk 1 Online 7634 MB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 466 GB 1024 KB
    Partition 2 Primary 2032 KB 466 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 C NTFS Partition 466 GB Healthy System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7633 MB 16 KB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F FAT32 Removable 7633 MB Healthy

    ======================================================================================================
    The boot configuration data store could not be opened.
    The system cannot find the file specified.


    ****** End Of Log ******
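    The MBRFix and ListParts output above shows the pattern the thread is chasing: a 2032 KB partition of type 17 (hidden IFS/NTFS) that is marked active while the real Windows volume is not, sitting at the very end of the disk. The following is an added example, not code from FRST, ListParts, MBRFix or this thread: a small Python parser for the classic 512-byte MBR that reads the four primary partition entries and flags those indicators. The disk geometry and partition layout in the sample are constructed to mirror the numbers in the logs (976,768,065 sectors, a non-active 0x07 partition, a 4064-sector hidden partition at the end); the device path in the usage note is an assumption.

```python
"""Parse an MBR partition table and flag the indicators the thread treats as
suspicious: a hidden-type partition (0x17) that is marked active, is tiny, and
sits at the last sector of the disk.

Added example, not code from FRST, ListParts or MBRFix; sample data constructed.
"""
import struct
from typing import Dict, List

SECTOR_BYTES = 512
PART_TABLE_OFFSET = 446          # partition table starts after the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = 0xAA55          # bytes 0x55 0xAA at offset 510 (little-endian)
ACTIVE_FLAG = 0x80

# Partition type IDs that hide an NTFS/FAT volume from the running OS.
# 0x17 is the "Hidden IFS" type that ListParts reported as "Suspicious Type".
HIDDEN_TYPES = {0x17, 0x1B, 0x1C, 0x1E}

# Anything this small cannot hold an OS or rescue image; the thread's hidden
# partition was 2032 KB.
TINY_PARTITION_BYTES = 4 * 1024 * 1024


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device or disk image (a live disk needs admin/root)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_BYTES)


def parse_mbr(mbr: bytes) -> List[Dict]:
    """Return the four primary partition entries as dicts (unused slots included)."""
    if len(mbr) < SECTOR_BYTES:
        raise ValueError("need a full 512-byte sector")
    (sig,) = struct.unpack_from("<H", mbr, 510)
    if sig != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # boot flag, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped),
        # LBA start, sector count
        flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "index": i + 1,
            "active": flag == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def suspicious_partitions(entries: List[Dict], disk_sectors: int) -> List[Dict]:
    """Return the entries that carry at least one indicator, with the reasons."""
    findings = []
    for e in entries:
        if e["type"] == 0:           # unused slot
            continue
        reasons = []
        if e["type"] in HIDDEN_TYPES:
            reasons.append("hidden partition type 0x%02X" % e["type"])
            if e["active"]:
                reasons.append("active (bootable) although hidden")
        size_bytes = e["sectors"] * SECTOR_BYTES
        if size_bytes <= TINY_PARTITION_BYTES:
            reasons.append("tiny (%d KB)" % (size_bytes // 1024))
        if e["lba_start"] + e["sectors"] >= disk_sectors:
            reasons.append("ends at the last sector of the disk")
        if reasons:
            findings.append({"index": e["index"], "reasons": reasons})
    return findings


# Constructed sample modelled on the logs: 60801*255*63 = 976,768,065 sectors,
# a large non-active NTFS partition, and a 2032 KB hidden active one at the end.
SAMPLE_DISK_SECTORS = 976_768_065
SAMPLE_HIDDEN_SECTORS = 4064                                  # 2032 KB
SAMPLE_HIDDEN_START = SAMPLE_DISK_SECTORS - SAMPLE_HIDDEN_SECTORS


def build_sample_mbr() -> bytes:
    """Build a 512-byte MBR with an empty boot-code area and the sample table."""
    table = struct.pack("<B3xB3xII", 0x00, 0x07, 2048, SAMPLE_HIDDEN_START - 2048)
    table += struct.pack("<B3xB3xII", ACTIVE_FLAG, 0x17,
                         SAMPLE_HIDDEN_START, SAMPLE_HIDDEN_SECTORS)
    table += bytes(PART_ENTRY_SIZE * 2)                       # two empty slots
    return bytes(PART_TABLE_OFFSET) + table + struct.pack("<H", BOOT_SIGNATURE)


if __name__ == "__main__":
    entries = parse_mbr(build_sample_mbr())
    for f in suspicious_partitions(entries, SAMPLE_DISK_SECTORS):
        print("partition %d: %s" % (f["index"], "; ".join(f["reasons"])))
```

    On a real machine the same checks run over `read_mbr(r"\\.\PhysicalDrive0")` (Windows) or `read_mbr("/dev/sda")` (Linux, assumed path), with the disk's sector count taken from the OS. The parser only reads the partition table; it does not compare the boot code itself, which is what MBRCheck's "MBR Code Faked!" verdict is about, so a clean table does not by itself clear the MBR.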
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please do the following, then re-run List parts

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it in the same directory ListParts is located as fix.txt
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    • Run ListParts.
    • Press Fix button.
    • When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.
  18. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    ListParts by Farbar Version: 25-07-2012
    Ran by Administrator (administrator) on 05-08-2012 at 19:58:55
    Windows Vista (X64)
    Running From: C:\Users\Administrator\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 37%
    Total physical RAM: 8189.57 MB
    Available physical RAM: 5127.09 MB
    Total Pagefile: 16433.67 MB
    Available Pagefile: 12772.88 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:465.76 GB) (Free:168.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (Rosewill) (CDROM) (Total:0.09 GB) (Free:0 GB) CDFS
    4 Drive f: () (Removable) (Total:7.45 GB) (Free:7.41 GB) FAT32

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B
    Disk 1 Online 7634 MB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 466 GB 1024 KB
    Partition 2 Primary 2032 KB 466 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 C NTFS Partition 466 GB Healthy System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7633 MB 16 KB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F FAT32 Removable 7633 MB Healthy

    ======================================================================================================

    ****** End Of Log ******
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Now, how's the computer?
  20. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Better, but not 100% yet. My Google searches are still being hijacked, but my browsing no longer feels like it is being filtered. I still can't load aswMBR (I tried just to see if it was still being blocked).
  21. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Here is a log of MBAM

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.06.05

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Administrator :: MICHAEL-PC [administrator]

    Protection: Enabled

    8/6/2012 8:33:12 AM
    mbam-log-2012-08-06 (08-33-12).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 221015
    Time elapsed: 8 minute(s), 33 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  22. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Avira Free Antivirus
    Report file date: Monday, August 06, 2012 08:45

    Scanning for 4061297 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available.

    Licensee : Avira AntiVir Personal - Free Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows (TM) Vista Home Premium
    Windows version : (Service Pack 2) [6.0.6002]
    Boot mode : Normally booted
    Username : Administrator
    Computer name : MICHAEL-PC

    Version information:
    BUILD.DAT : 12.0.0.1125 41829 Bytes 5/2/2012 17:40:00
    AVSCAN.EXE : 12.3.0.15 466896 Bytes 5/9/2012 01:46:56
    AVSCAN.DLL : 12.3.0.15 54736 Bytes 5/9/2012 01:46:56
    LUKE.DLL : 12.3.0.15 68304 Bytes 5/9/2012 01:46:57
    AVSCPLR.DLL : 12.3.0.14 97032 Bytes 5/9/2012 01:46:57
    AVREG.DLL : 12.3.0.17 232200 Bytes 5/11/2012 01:46:02
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 04:18:34
    VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 19:07:39
    VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 19:32:37
    VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 14:23:27
    VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 22:08:19
    VBASE005.VDF : 7.11.34.116 4034048 Bytes 6/29/2012 11:10:28
    VBASE006.VDF : 7.11.34.117 2048 Bytes 6/29/2012 11:10:29
    VBASE007.VDF : 7.11.34.118 2048 Bytes 6/29/2012 11:10:29
    VBASE008.VDF : 7.11.34.119 2048 Bytes 6/29/2012 11:10:29
    VBASE009.VDF : 7.11.34.120 2048 Bytes 6/29/2012 11:10:30
    VBASE010.VDF : 7.11.34.121 2048 Bytes 6/29/2012 11:10:30
    VBASE011.VDF : 7.11.34.122 2048 Bytes 6/29/2012 11:10:31
    VBASE012.VDF : 7.11.34.123 2048 Bytes 6/29/2012 11:10:32
    VBASE013.VDF : 7.11.34.124 2048 Bytes 6/29/2012 11:10:32
    VBASE014.VDF : 7.11.38.18 2554880 Bytes 7/30/2012 00:27:19
    VBASE015.VDF : 7.11.38.70 556032 Bytes 7/31/2012 00:27:21
    VBASE016.VDF : 7.11.38.143 171008 Bytes 8/2/2012 20:27:06
    VBASE017.VDF : 7.11.38.144 2048 Bytes 8/2/2012 20:27:06
    VBASE018.VDF : 7.11.38.145 2048 Bytes 8/2/2012 20:27:06
    VBASE019.VDF : 7.11.38.146 2048 Bytes 8/2/2012 20:27:07
    VBASE020.VDF : 7.11.38.147 2048 Bytes 8/2/2012 20:27:07
    VBASE021.VDF : 7.11.38.148 2048 Bytes 8/2/2012 20:27:07
    VBASE022.VDF : 7.11.38.149 2048 Bytes 8/2/2012 20:27:07
    VBASE023.VDF : 7.11.38.150 2048 Bytes 8/2/2012 20:27:07
    VBASE024.VDF : 7.11.38.151 2048 Bytes 8/2/2012 20:27:08
    VBASE025.VDF : 7.11.38.152 2048 Bytes 8/2/2012 20:27:08
    VBASE026.VDF : 7.11.38.153 2048 Bytes 8/2/2012 20:27:08
    VBASE027.VDF : 7.11.38.154 2048 Bytes 8/2/2012 20:27:08
    VBASE028.VDF : 7.11.38.155 2048 Bytes 8/2/2012 20:27:09
    VBASE029.VDF : 7.11.38.156 2048 Bytes 8/2/2012 20:27:09
    VBASE030.VDF : 7.11.38.157 2048 Bytes 8/2/2012 20:27:09
    VBASE031.VDF : 7.11.38.210 148992 Bytes 8/5/2012 18:26:53
    Engine version : 8.2.10.126
    AEVDF.DLL : 8.1.2.10 102772 Bytes 7/10/2012 11:09:30
    AESCRIPT.DLL : 8.1.4.38 455033 Bytes 8/3/2012 18:27:24
    AESCN.DLL : 8.1.8.2 131444 Bytes 1/27/2012 14:22:27
    AESBX.DLL : 8.2.5.12 606578 Bytes 6/15/2012 02:36:59
    AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 07:16:06
    AEPACK.DLL : 8.3.0.18 807287 Bytes 7/27/2012 13:53:12
    AEOFFICE.DLL : 8.1.2.42 201083 Bytes 7/19/2012 13:51:16
    AEHEUR.DLL : 8.1.4.84 5112182 Bytes 8/3/2012 18:27:21
    AEHELP.DLL : 8.1.23.2 258422 Bytes 6/29/2012 11:09:48
    AEGEN.DLL : 8.1.5.34 434548 Bytes 7/19/2012 13:51:12
    AEEXP.DLL : 8.1.0.74 86387 Bytes 8/3/2012 18:27:24
    AEEMU.DLL : 8.1.3.2 393587 Bytes 7/10/2012 11:09:26
    AECORE.DLL : 8.1.27.2 201078 Bytes 7/10/2012 11:09:25
    AEBB.DLL : 8.1.1.0 53618 Bytes 9/2/2011 07:46:01
    AVWINLL.DLL : 12.3.0.15 27344 Bytes 5/9/2012 01:46:56
    AVPREF.DLL : 12.3.0.15 51920 Bytes 5/9/2012 01:46:56
    AVREP.DLL : 12.3.0.15 179208 Bytes 5/9/2012 01:46:57
    AVARKT.DLL : 12.3.0.15 211408 Bytes 5/9/2012 01:46:56
    AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 5/9/2012 01:46:56
    SQLITE3.DLL : 3.7.0.1 398288 Bytes 5/9/2012 01:46:57
    AVSMTP.DLL : 12.3.0.15 63440 Bytes 5/9/2012 01:46:56
    NETNT.DLL : 12.3.0.15 17104 Bytes 5/9/2012 01:46:57
    RCIMAGE.DLL : 12.3.0.15 4450000 Bytes 5/9/2012 01:46:56
    RCTEXT.DLL : 12.3.0.15 96720 Bytes 5/9/2012 01:46:56

    Configuration settings for the scan:
    Jobname.............................: Scan for Rootkits and active malware
    Configuration file..................: C:\ProgramData\Avira\AntiVir Desktop\PROFILES\rootkit.avp
    Logging.............................: default
    Primary action......................: Interactive
    Secondary action....................: Ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: Complete

    Start of the scan: Monday, August 06, 2012 08:45

    Starting search for hidden objects.
    Hidden thread
    [NOTE] A system thread is not visible.
    Hidden driver
    [NOTE] A memory modification has been detected, which could potentially be used to hide file access attempts.
    Hidden driver
    [NOTE] A memory modification has been detected, which could potentially be used to hide file access attempts.

    The scan of running processes will be started
    Scan process 'avscan.exe' - '73' Module(s) have been scanned
    Scan process 'avcenter.exe' - '101' Module(s) have been scanned
    Scan process 'AutoMouseMover.exe' - '30' Module(s) have been scanned
    Scan process 'FlashPlayerPlugin_11_3_300_270.exe' - '62' Module(s) have been scanned
    Scan process 'FlashPlayerPlugin_11_3_300_270.exe' - '43' Module(s) have been scanned
    Scan process 'plugin-container.exe' - '69' Module(s) have been scanned
    Scan process 'mbamservice.exe' - '43' Module(s) have been scanned
    Scan process 'firefox.exe' - '160' Module(s) have been scanned
    Scan process 'hpqbam08.exe' - '26' Module(s) have been scanned
    Scan process 'hpqSTE08.exe' - '60' Module(s) have been scanned
    Scan process 'mbamgui.exe' - '38' Module(s) have been scanned
    Scan process 'DivXUpdate.exe' - '63' Module(s) have been scanned
    Scan process 'hpwuschd2.exe' - '17' Module(s) have been scanned
    Scan process 'avgnt.exe' - '68' Module(s) have been scanned
    Scan process 'ONENOTEM.EXE' - '19' Module(s) have been scanned
    Scan process 'RaUI.exe' - '59' Module(s) have been scanned
    Scan process 'hpqtra08.exe' - '59' Module(s) have been scanned
    Scan process 'MotoHelperAgent.exe' - '29' Module(s) have been scanned
    Scan process 'RaRegistry.exe' - '36' Module(s) have been scanned
    Scan process 'Steam.exe' - '102' Module(s) have been scanned
    Scan process 'MotoHelperService.exe' - '52' Module(s) have been scanned
    Scan process 'svchost.exe' - '41' Module(s) have been scanned
    Scan process 'ESSVR.EXE' - '23' Module(s) have been scanned
    Scan process 'avguard.exe' - '66' Module(s) have been scanned
    Scan process 'armsvc.exe' - '24' Module(s) have been scanned
    Scan process 'sched.exe' - '49' Module(s) have been scanned

    Starting to scan executable files (registry).
    The registry was scanned ( '2977' files ).



    End of the scan: Monday, August 06, 2012 09:29
    Used time: 43:33 Minute(s)

    The scan has been done completely.

    0 Scanned directories
    4389 Files were scanned
    0 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 Files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    4389 Files not concerned
    13 Archives were scanned
    0 Warnings
    3 Notes
    891484 Objects were scanned with rootkit scan
    3 Hidden objects were found
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Please make sure to download the 64-bit version.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • type exit and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
  24. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Argh. It seems like it's no different. I'll post the screen caps I got from my attempts at your instructions. I apologize for the poor quality of the images, I took them with my cell phone. I don't have the fix option available to me, even with the OEM Windows disk.

  25. Michael King

    Michael King Newcomer, in training Topic Starter Posts: 48

    Could I run the tool from the REAToGo boot disk?
