TechSpot

Two nights ago my computer got the System Check Virus

By rcmeyer99
Jan 3, 2012
  1. I saw on here that a few others have gotten this virus also. The only things I have done are run Malwarebytes and SUPERAntiSpyware.

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.02.01

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Nicole :: NICOLE-PC [administrator]

    Protection: Enabled

    1/2/2012 3:38:55 PM
    mbam-log-2012-01-02 (15-38-55).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 28063
    Time elapsed: 8 minute(s), 25 second(s) [aborted]

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    --------

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/02/2012 at 05:27 PM

    Application Version : 5.0.1142

    Core Rules Database Version : 8091
    Trace Rules Database Version: 5903

    Scan type : Quick Scan
    Total Scan Time : 00:01:58

    Operating System Information
    Windows Vista Home Premium 64-bit, Service Pack 2 (Build 6.00.6002)
    UAC On - Limited User

    Memory items scanned : 507
    Memory threats detected : 0
    Registry items scanned : 29596
    Registry threats detected : 0
    File items scanned : 5031
    File threats detected : 46

    Adware.Tracking Cookie
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\295WHODL.txt [ /xml.happytofind.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\ZM1VK6JD.txt [ /doubleclick.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\TROE1G7G.txt [ /ru4.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\JNO37AX4.txt [ /247realmedia.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\GV1EV7HE.txt [ /sysufind.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\G385MUFC.txt [ /advertising.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\F3BZCYA1.txt [ /fastclick.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\BWF7LX0E.txt [ /adlegend.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\ICZ2T8BJ.txt [ /r1-ads.ace.advertising.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\DRQ9Y10Z.txt [ /stat.onestat.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\G17H4RMQ.txt [ /realmedia.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\PIUB24VB.txt [ /mediaplex.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\UOGVRCUF.txt [ /at.atwola.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\4T865CY6.txt [ /apmebf.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\28D35OXA.txt [ /ad.yieldmanager.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\UOUX987Y.txt [ /specificclick.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\DAC1EHWK.txt [ /tacoda.at.atwola.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\TX3GWO4U.txt [ /atdmt.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\LH0SBLVU.txt [ /findedclik.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\FJ47AW3Z.txt [ /adxpose.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\VZH8XOWE.txt [ /collective-media.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\VPAE1U43.txt [ /invitemedia.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\3YFM4XTR.txt [ /yieldmanager.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\ZI1S9APQ.txt [ /miva.cinomedia.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\A33N69D3.txt [ /media6degrees.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\3YM33DFR.txt [ /network.realmedia.com ]
    C:\USERS\NICOLE\Cookies\295WHODL.txt [ Cookie:nicole@xml.happytofind.com/ ]
    C:\USERS\NICOLE\Cookies\ZM1VK6JD.txt [ Cookie:nicole@doubleclick.net/ ]
    C:\USERS\NICOLE\Cookies\TROE1G7G.txt [ Cookie:nicole@ru4.com/ ]
    C:\USERS\NICOLE\Cookies\GV1EV7HE.txt [ Cookie:nicole@sysufind.com/ ]
    C:\USERS\NICOLE\Cookies\BWF7LX0E.txt [ Cookie:nicole@adlegend.com/ ]
    C:\USERS\NICOLE\Cookies\ICZ2T8BJ.txt [ Cookie:nicole@r1-ads.ace.advertising.com/ ]
    C:\USERS\NICOLE\Cookies\DRQ9Y10Z.txt [ Cookie:nicole@stat.onestat.com/ ]
    C:\USERS\NICOLE\Cookies\G17H4RMQ.txt [ Cookie:nicole@realmedia.com/ ]
    C:\USERS\NICOLE\Cookies\PIUB24VB.txt [ Cookie:nicole@mediaplex.com/ ]
    C:\USERS\NICOLE\Cookies\28D35OXA.txt [ Cookie:nicole@ad.yieldmanager.com/ ]
    C:\USERS\NICOLE\Cookies\DAC1EHWK.txt [ Cookie:nicole@tacoda.at.atwola.com/ ]
    C:\USERS\NICOLE\Cookies\TX3GWO4U.txt [ Cookie:nicole@atdmt.com/ ]
    C:\USERS\NICOLE\Cookies\LH0SBLVU.txt [ Cookie:nicole@findedclik.com/ ]
    C:\USERS\NICOLE\Cookies\FJ47AW3Z.txt [ Cookie:nicole@adxpose.com/ ]
    C:\USERS\NICOLE\Cookies\VZH8XOWE.txt [ Cookie:nicole@collective-media.net/ ]
    C:\USERS\NICOLE\Cookies\VPAE1U43.txt [ Cookie:nicole@invitemedia.com/ ]
    C:\USERS\NICOLE\Cookies\3YFM4XTR.txt [ Cookie:nicole@yieldmanager.net/ ]
    C:\USERS\NICOLE\Cookies\ZI1S9APQ.txt [ Cookie:nicole@miva.cinomedia.com/ ]
    C:\USERS\NICOLE\Cookies\A33N69D3.txt [ Cookie:nicole@media6degrees.com/ ]
    C:\USERS\NICOLE\Cookies\3YM33DFR.txt [ Cookie:nicole@network.realmedia.com/ ]

    ----------

    I also saw in a previous post to run unhide to try and get files back. I have run this in both normal and safe modes. Nothing happened when I ran it.
     
  2. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Realized I didn't send the original Malware log

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2011.12.24.05

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Nicole :: NICOLE-PC [administrator]

    Protection: Enabled

    1/2/2012 2:48:30 PM
    mbam-log-2012-01-02 (14-19-31).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 177851
    Time elapsed: 7 minute(s), 31 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 3
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|gyjAEPulVY.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\gyjAEPulVY.exe -> Quarantined and deleted successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  3. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Still need help

    I believe I was successful in removing the System Check virus partially, but I think some of it is still there. I still have hidden files, my desktop is black, and when I try to use any search engine I get redirected to different sites all the time.
     
  4. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    aswMBR log

    aswMBR version 0.9.9.1156 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-03 19:12:39
    -----------------------------
    19:12:39.696 OS Version: Windows x64 6.0.6002 Service Pack 2
    19:12:39.697 Number of processors: 4 586 0x170A
    19:12:39.697 ComputerName: NICOLE-PC UserName: Nicole
    19:12:41.902 Initialize success
    19:12:42.008 AVAST engine defs: 12010301
    19:12:49.652 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    19:12:49.655 Disk 0 Vendor: ST375063 DE13 Size: 715404MB BusType: 3
    19:12:49.665 Disk 0 MBR read successfully
    19:12:49.668 Disk 0 MBR scan
    19:12:49.672 Disk 0 Windows VISTA default MBR code
    19:12:49.675 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
    19:12:49.688 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
    19:12:49.701 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 699980 MB offset 31586304
    19:12:49.706 Service scanning
    19:12:50.965 Modules scanning
    19:12:50.969 Disk 0 trace - called modules:
    19:12:51.005 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8007ed0334]<<
    19:12:51.010 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b67790]
    19:12:51.016 3 CLASSPNP.SYS[fffffa60009c0c33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800638d050]
    19:12:51.022 \Driver\iaStorV[0xfffffa8005841ae0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8007ed0334
    19:12:54.396 AVAST engine scan C:\Windows
    19:12:57.681 AVAST engine scan C:\Windows\system32
    19:15:00.187 AVAST engine scan C:\Windows\system32\drivers
    19:15:20.718 AVAST engine scan C:\Users\Nicole
    19:15:44.764 File: C:\Users\Nicole\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe **INFECTED** Win32:Malware-gen
    19:16:58.766 Disk 0 MBR has been saved successfully to "C:\Users\Nicole\Documents\MBR.dat"
    19:16:58.774 The log file has been saved successfully to "C:\Users\Nicole\Documents\aswMBR.txt"
     
  5. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    gmer log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-03 18:26:25
    Windows 6.0.6002 Service Pack 2
    Running: 4i9b70yh.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}@haikbfdjheonepap 0x6B 0x61 0x6E 0x70 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}@iacklbokghlgbnjplp 0x6A 0x61 0x6F 0x70 ...

    ---- EOF - GMER 1.0.15 ----
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  7. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Hello

    I tried running the DDS and all I get is Notepad opening up. Nothing else.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Combofix

    I ran Combofix, but before I could get a log, Avast popped on and interrupted after restarting and before I was able to stop Avast again.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Avast gives you an option to disable it permanently.
    Do so, re-run Combofix and re-enable Avast.
     
  11. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Finally got it

    ComboFix 12-01-03.08 - Nicole 01/04/2012 4:04.5.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6077.4047 [GMT -6:00]
    Running from: c:\users\Nicole\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-04 10:40 . 2012-01-04 10:52 -------- d-----w- c:\users\Nicole\AppData\Local\temp
    2012-01-04 10:40 . 2012-01-04 10:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-04 09:05 . 2012-01-04 09:05 -------- d-----w- C:\f57976069260d26b1cae261f45ca
    2012-01-04 08:23 . 2012-01-04 08:23 -------- d-----w- C:\6c3d4801ac2b96a6b866387472
    2012-01-04 06:12 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-01-04 06:12 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-01-04 06:12 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-01-04 06:12 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-01-04 06:12 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-01-04 06:12 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-01-04 06:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-04 06:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-01-03 20:23 . 2012-01-03 20:23 -------- d-----w- c:\windows\system32\Macromed
    2012-01-03 18:10 . 2012-01-03 18:10 -------- d-----w- C:\eb99211563fb9e909585b8ec
    2012-01-02 22:32 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
    2012-01-02 22:30 . 2012-01-04 06:11 -------- d-----w- c:\programdata\AVAST Software
    2012-01-02 22:30 . 2012-01-02 22:30 -------- d-----w- c:\program files\AVAST Software
    2012-01-02 20:27 . 2012-01-02 20:27 -------- d-----w- C:\bd07de0ba843d8a2ccea7ad2771d
    2012-01-02 05:45 . 2012-01-02 23:55 -------- d-----w- c:\programdata\Lavasoft
    2012-01-02 05:45 . 2012-01-02 05:45 -------- d-----w- c:\users\Nicole\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-02 05:44 . 2012-01-02 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 05:44 . 2012-01-02 05:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-02 04:47 . 2012-01-02 04:47 -------- d-----w- C:\a8bdd53a4f3715258e
    2012-01-02 03:29 . 2012-01-02 03:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-01-02 03:29 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\users\Nicole\AppData\Roaming\Malwarebytes
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 21:48 . 2011-10-25 16:09 85504 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 21:48 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 21:48 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-15 21:48 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 21:48 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-15 21:48 . 2011-11-23 13:57 2764800 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
    2011-12-14 04:13 . 2011-12-14 04:14 -------- d-----w- c:\users\Nicole\AppData\Roaming\Apple Computer
    2011-12-14 04:13 . 2011-12-14 04:13 -------- d-----w- c:\users\Nicole\AppData\Local\Apple Computer
    2011-12-14 04:12 . 2009-05-18 19:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-14 04:12 . 2008-04-17 18:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
    2011-12-14 04:12 . 2008-04-17 18:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2011-12-14 04:12 . 2012-01-02 23:55 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\program files\iPod
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files\iTunes
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files (x86)\iTunes
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\programdata\Apple Computer
    2011-12-14 04:10 . 2011-12-14 04:10 -------- d-----w- c:\users\Nicole\AppData\Local\Apple
    2011-12-14 04:09 . 2011-12-14 04:09 -------- d-----w- c:\program files (x86)\Apple Software Update
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Common Files\Apple
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Bonjour
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files (x86)\Bonjour
    2011-12-14 04:06 . 2011-12-14 04:11 -------- d-----w- c:\program files (x86)\Common Files\Apple
    2011-12-14 04:06 . 2011-12-14 04:09 -------- d-----w- c:\programdata\Apple
    2011-12-11 14:36 . 2011-12-11 14:36 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-04 10:49 . 2012-01-04 08:53 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\offreg.dll
    2012-01-04 08:15 . 2011-04-30 16:28 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
    2012-01-03 20:23 . 2011-07-14 15:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-30 08:21 . 2012-01-03 07:39 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\mpengine.dll
    2011-11-15 20:29 . 2011-01-17 07:35 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-04_05.38.45 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 03:20 . 2012-01-04 10:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-01-04 04:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-01-04 04:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 10:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-04 04:22 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 10:50 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-01-04 08:55 45626 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-01-04 10:51 71170 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2012-01-04 08:19 . 2011-12-27 02:51 43280 c:\windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe
    + 2012-01-04 08:19 . 2011-12-27 02:51 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
    + 2012-01-04 08:22 . 2012-01-04 08:22 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
    - 2011-12-17 09:02 . 2011-12-17 09:02 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
    - 2011-12-17 09:02 . 2011-12-17 09:02 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2012-01-04 08:23 . 2012-01-04 08:23 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2010-09-23 10:47 . 2010-09-23 10:47 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\reader_sl.exe
    + 2010-09-23 09:03 . 2010-09-23 09:03 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\eula.exe
    + 2010-09-21 05:07 . 2010-09-21 05:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll
    + 2010-09-23 08:52 . 2010-09-23 08:52 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrotextextractor.exe
    + 2010-09-23 00:12 . 2010-09-23 00:12 15800 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32Info.exe
    + 2009-02-26 19:06 . 2009-02-26 19:06 16712 c:\windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.6612\PXBPROXY.DLL
    + 2009-02-26 19:06 . 2009-02-26 19:06 68488 c:\windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.6612\PXBCOM.EXE
    + 2009-02-26 19:06 . 2009-02-26 19:06 16712 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\PXBPROXY.DLL
    + 2009-02-26 19:06 . 2009-02-26 19:06 68488 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\PXBCOM.EXE
    + 2012-01-04 10:13 . 2012-01-04 10:13 54784 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\32988c989fec0b0a6ea7420b687847f0\System.Web.DynamicData.Design.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\45904e3cf3a3043ade103996f8a89a5b\System.Web.DynamicData.Design.ni.dll
    + 2011-01-17 04:22 . 2012-01-04 10:51 8828 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1475235829-1360834442-158596274-1000_UserData.bin
    - 2012-01-04 05:36 . 2012-01-04 05:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-04 05:36 . 2012-01-04 05:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 12:46 . 2012-01-04 07:52 640620 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-01-04 04:28 640620 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-01-04 04:28 118872 c:\windows\system32\perfc009.dat
    + 2006-11-02 12:46 . 2012-01-04 07:52 118872 c:\windows\system32\perfc009.dat
    + 2011-04-16 08:26 . 2012-01-04 08:52 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-04-16 08:26 . 2012-01-04 05:35 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-01-04 08:19 . 2011-12-27 02:51 744720 c:\windows\Microsoft.NET\Framework64\v2.0.50727\webengine.dll
    + 2012-01-04 08:19 . 2011-12-27 02:51 436496 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
    + 2012-01-04 08:09 . 2012-01-04 08:09 488448 c:\windows\Installer\175833.msi
    + 2010-09-21 05:07 . 2010-09-21 05:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe
    + 2010-09-23 00:10 . 2010-09-23 00:10 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\nppdf32.dll
    + 2010-09-11 00:17 . 2010-09-11 00:17 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\JP2KLib.dll
    + 2010-09-23 02:41 . 2010-09-23 02:41 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AdobeCollabSync.exe
    + 2010-09-21 05:07 . 2010-09-21 05:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe
    + 2010-09-23 10:47 . 2010-09-23 10:47 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.exe
    + 2010-09-23 00:04 . 2010-09-23 00:04 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroPDF.dll
    + 2010-09-23 01:39 . 2010-09-23 01:39 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobroker.exe
    + 2010-09-21 05:07 . 2010-09-21 05:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe
    + 2010-09-23 00:50 . 2010-09-23 00:50 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\a3dutility.exe
    + 2012-01-04 10:13 . 2012-01-04 10:13 187392 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Routing\305bff6f5396544a7bfc56e84bfa1e87\System.Web.Routing.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 449536 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity\0e0a0efe9ab9642700a8f57a4edbe976\System.Web.Entity.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 398848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity.D#\d5d13f24e51a4fa41be09b8d2241f600\System.Web.Entity.Design.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 754176 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\86f7d8a68c51823d89921f55ff7e2603\System.Web.DynamicData.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 204800 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Abstract#\40994da02056e19475c5958f64195807\System.Web.Abstractions.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 438784 c:\windows\assembly\NativeImages_v2.0.50727_64\ServiceModelReg\6ba06b090714e51e8a92499ade057045\ServiceModelReg.ni.exe
    + 2012-01-04 10:31 . 2012-01-04 10:31 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\1d3da9468a4b3eaf6e2ea9def503d888\System.Web.Routing.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\dba78af9f778d38117fe4ccf5f4c76f7\System.Web.Extensions.Design.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\fcd6fda81cab3ace8b9d77887a01e892\System.Web.Entity.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\337de84cce8fc2bcbbf7900132abbc2f\System.Web.Entity.Design.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\d8313ac5d702f0ffc0e77ea9d945cfd2\System.Web.DynamicData.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\0de7bfc89e883f66f872c1158e06d5cb\System.Web.Abstractions.ni.dll
    + 2012-01-04 10:29 . 2012-01-04 10:29 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\311bc26c3ed83409589eb6bae0eeb86e\System.Runtime.Remoting.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\c60afe58108cefe6b558996f0d9a1c11\System.Data.Entity.Design.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\050c7465e7222cdab000294af3131403\ServiceModelReg.ni.exe
    + 2012-01-04 08:19 . 2011-12-27 02:51 5259264 c:\windows\Microsoft.NET\Framework64\v2.0.50727\System.Web.dll
    + 2012-01-04 08:19 . 2011-12-27 02:51 5251072 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
    + 2011-09-07 23:36 . 2011-09-07 23:36 6069248 c:\windows\Installer\1ffe6.msp
    + 2011-12-13 07:10 . 2011-12-13 07:10 4703232 c:\windows\Installer\1ffe5.msp
    + 2011-12-25 11:48 . 2011-12-25 11:48 1505792 c:\windows\Installer\17583b.msp
    + 2010-09-23 00:05 . 2010-09-23 00:05 2405784 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\rt3d.dll
    + 2010-09-16 09:08 . 2010-09-16 09:08 6210560 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\authplay.dll
    + 2010-06-19 23:51 . 2010-06-19 23:51 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AGM.dll
    + 2011-07-07 08:58 . 2011-07-07 08:58 1616240 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\OGL.DLL
    + 2011-08-03 06:14 . 2011-08-03 06:14 8579448 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\OARTCONV.DLL
    + 2012-01-04 10:13 . 2012-01-04 10:13 1754112 c:\windows\assembly\NativeImages_v2.0.50727_64\System.WorkflowServ#\4223600dc6133441b1898abaf12031ca\System.WorkflowServices.ni.dll
    + 2012-01-04 08:27 . 2012-01-04 08:27 2702848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Run#\afbeeaf9c41f39886704cbf181b1feb2\System.Workflow.Runtime.ni.dll
    + 2012-01-04 08:27 . 2012-01-04 08:27 5956608 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Com#\ac5a3688b743358aa5b24b9efd971d9d\System.Workflow.ComponentModel.ni.dll
    + 2012-01-04 08:26 . 2012-01-04 08:26 3893248 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Act#\007c8c2f4141fd472da7d3558efba598\System.Workflow.Activities.ni.dll
    + 2012-01-04 10:11 . 2012-01-04 10:11 2291712 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Services\f3222dbcdeebd53ee1c3f88c9ebf6c94\System.Web.Services.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 3335680 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Mobile\525e8846136415d472c2e7ba482ccd54\System.Web.Mobile.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 1154560 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\cedfd9b90274b017d11ed50abe8634e8\System.Web.Extensions.Design.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 3046912 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\c0d2bc2e2357ed023b85d18b96e21d60\System.Web.Extensions.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 2239488 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel#\cb5200c2d67ebf37333bdd57a06e7a11\System.ServiceModel.Web.ni.dll
    + 2012-01-04 10:10 . 2012-01-04 10:10 1022464 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Remo#\a0a442c47ac0b846bb886aa405a10138\System.Runtime.Remoting.ni.dll
    + 2012-01-04 10:11 . 2012-01-04 10:11 1428992 c:\windows\assembly\NativeImages_v2.0.50727_64\System.IdentityModel\74f5ddf803f50c428293fe6115d6eea7\System.IdentityModel.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 1845248 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Services\3a35cfdccde13bc82cad2d185cbf499b\System.Data.Services.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 1078272 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity.#\31ea0ae493a84f5f9fdb53ac2ea0ef5e\System.Data.Entity.Design.ni.dll
    + 2012-01-04 10:12 . 2012-01-04 10:12 7836672 c:\windows\assembly\NativeImages_v2.0.50727_64\MIGUIControls\6029a4ca1be3d971d470eb2c1ff627e0\MIGUIControls.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 2173952 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\7fe40682a4f2f30ddb25da3a8796d282\Microsoft.VisualBasic.ni.dll
    + 2012-01-04 10:12 . 2012-01-04 10:12 2101248 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\23408f67b7fddc32d03fa6d8deeafcd7\Microsoft.PowerShell.Commands.Utility.ni.dll
    + 2012-01-04 10:12 . 2012-01-04 10:12 7721472 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\3894a5164ae656639bed7f6270f97182\Microsoft.MediaCenter.UI.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 1316864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\32a67054a82cf24c011e116e94d11864\System.WorkflowServices.ni.dll
    + 2012-01-04 08:25 . 2012-01-04 08:25 1911296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\8bfc3619e3848592a4924cba58a00459\System.Workflow.Runtime.ni.dll
    + 2012-01-04 08:25 . 2012-01-04 08:25 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\3721ccdfdca60443a32ca9f8a937f315\System.Workflow.ComponentModel.ni.dll
    + 2012-01-04 08:24 . 2012-01-04 08:24 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\79e0fe6c014999d64e7cf9717624013f\System.Workflow.Activities.ni.dll
    + 2012-01-04 10:29 . 2012-01-04 10:29 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\2cf510e07b605923c496b1ae3c31335f\System.Web.Services.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\800af0d5c4bcd9b600a229050b22d6bd\System.Web.Mobile.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c759aa20f1f012c1dc5dd7076d0816f7\System.Web.Extensions.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 1651200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\3c93a9b25482a56053eb509a58860dbf\System.ServiceModel.Web.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\6a1e2938633d08d9d97c6940a537b1ff\System.IdentityModel.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\d75b561b3c22f68af985785352660022\System.Data.Services.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 6340096 c:\windows\assembly\NativeImages_v2.0.50727_32\MIGUIControls\6e0b0d4d67c760e1e2f6cfd7cd6a8492\MIGUIControls.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 1711616 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\902ba03598b46f478f3d7561ece592e6\Microsoft.VisualBasic.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 1609728 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3732b9e409000beda05e878d02da1813\Microsoft.PowerShell.Commands.Utility.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 5486080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\bb28192d6fcdca44077406c2bf1ad37c\Microsoft.MediaCenter.UI.ni.dll
    - 2011-01-20 09:04 . 2011-01-20 09:04 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
    + 2012-01-04 08:11 . 2012-01-04 08:11 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
    + 2012-01-04 08:19 . 2011-12-27 02:51 5259264 c:\windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
    + 2012-01-04 08:19 . 2011-12-27 02:51 5251072 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
    + 2006-11-02 12:33 . 2012-01-04 08:10 11010048 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    - 2006-11-02 12:33 . 2012-01-02 06:28 11010048 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2006-11-02 12:35 . 2012-01-04 08:12 54867776 c:\windows\system32\mrt.exe
    + 2011-04-16 08:26 . 2012-01-04 08:52 50188182 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    - 2011-04-16 08:26 . 2012-01-04 05:35 50188182 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    + 2011-03-04 19:28 . 2011-03-04 19:28 23081472 c:\windows\Installer\bb6e7.msp
    + 2011-03-04 19:28 . 2011-03-04 19:28 23081472 c:\windows\Installer\bb6e0.msp
    + 2011-01-31 10:45 . 2011-01-31 10:45 11135488 c:\windows\Installer\1ffe8.msp
    + 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\1ffe7.msp
    + 2011-03-04 19:28 . 2011-03-04 19:28 23081472 c:\windows\Installer\175875.msp
    + 2011-09-16 00:37 . 2011-09-16 00:37 38176256 c:\windows\Installer\175873.msp
    + 2011-09-16 00:37 . 2011-09-16 00:37 37148160 c:\windows\Installer\175857.msp
    + 2010-09-23 09:03 . 2010-09-23 09:03 20460984 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.dll
    + 2011-08-04 01:53 . 2011-08-04 01:53 17324928 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\MSO.DLL
    - 2012-01-02 21:25 . 2012-01-02 21:25 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    + 2012-01-04 10:47 . 2012-01-04 10:47 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    + 2012-01-04 10:10 . 2012-01-04 10:11 15245824 c:\windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFB8E.tmp\System.Web.dll
    + 2012-01-04 10:11 . 2012-01-04 10:12 15245824 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web\0a2ea7a9a9d9fd9ae47468adbdee2e05\System.Web.ni.dll
    + 2012-01-04 10:11 . 2012-01-04 10:11 23813632 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel\efc60b11b649ed506c64172b3373f936\System.ServiceModel.ni.dll
    + 2012-01-04 08:26 . 2012-01-04 08:26 13718528 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Design\c41b930b44ddfaef2faf314f690bb35e\System.Design.ni.dll
    + 2012-01-04 10:12 . 2012-01-04 10:12 15825920 c:\windows\assembly\NativeImages_v2.0.50727_64\ehshell\b8a06c151452395f513aaa5d730fb5a4\ehshell.ni.dll
    + 2012-01-04 10:29 . 2012-01-04 10:29 11820032 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\fecd1103dd16dc1192402770caf56575\System.Web.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 17404416 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\a2046fbb45b00425d083cc8706b75479\System.ServiceModel.ni.dll
    + 2012-01-04 08:23 . 2012-01-04 08:23 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\30a87086e78b69d17416bfb74aab355f\System.Design.ni.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{C4B8BAB4-1667-11DF-A242-BA9455D89593}]
    c:\program files (x86)\simppulltoolbar\auxi\simppulltoolbAu.dll [BU]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-22 6276408]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-27 39408]
    "ChromeFrameHelper"="c:\users\Nicole\AppData\Local\Google\Chrome\Application\17.0.963.12\chrome_frame_helper.exe" [2011-12-15 97336]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-02 5486464]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctMTE1MjE5NzEwOC1GTDEwKzEtVFVHKzMtU1VQKzQtRERUKzMzMjEtU1AxUzQrMS1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQU4rMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GMTBNMTJCKzEtRjEwVEIrMi1TVDEwVEJGKzE&prod=55&ver=10.0.1416" [?]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-3-23 113664]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000Core.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000UA.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 65143a21-13aa-46f3-b1d5-8cc007e9fa70.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 97af640e-5bc6-4fab-933b-0b45caf62a54.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\3x9vtm12.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=30305&client_id=1868eed49cc815d83f5c97b8&camp_id=3534&install_time=2012-01-02T06:15Z&pr=auto&tb_version=1.0.14000(G)&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.autoDisableScopes - 14
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368} - (no file)
    BHO-{E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{9565115D-C7D6-46D3-BD63-B67B481A4368} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1475235829-1360834442-158596274-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}*]
    "haikbfdjheonepap"=hex:6b,61,6e,70,62,63,6a,6b,61,6d,63,6b,6a,67,6a,69,68,6c,
    6d,63,61,6e,00,00
    "iacklbokghlgbnjplp"=hex:6a,61,6f,70,63,63,61,65,66,69,68,6e,6c,61,6c,6d,6a,61,
    68,64,00,00
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-04 05:29:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-04 11:29
    .
    Pre-Run: 408,256,532,480 bytes free
    Post-Run: 410,406,588,416 bytes free
    .
    - - End Of File - - 41A99943E5636D3F5895242BE29055C5
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RegNull::
    [HKEY_USERS\S-1-5-21-1475235829-1360834442-158596274-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}*]
    
    Folder::
    c:\program files (x86)\Common Files\AVG Secure Search
    
    Driver::
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  13. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

Latest ComboFix

Did as you said, but would it matter if ComboFix updated?



    ComboFix 12-01-04.02 - Nicole 01/04/2012 11:56:01.6.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6077.4127 [GMT -6:00]
    Running from: c:\users\Nicole\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nicole\Desktop\CFScript.lnk
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-04 18:34 . 2012-01-04 18:34 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\offreg.dll
    2012-01-04 18:31 . 2012-01-04 18:40 -------- d-----w- c:\users\Nicole\AppData\Local\temp
    2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-04 09:05 . 2012-01-04 09:05 -------- d-----w- C:\f57976069260d26b1cae261f45ca
    2012-01-04 08:23 . 2012-01-04 08:23 -------- d-----w- C:\6c3d4801ac2b96a6b866387472
    2012-01-04 06:12 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-01-04 06:12 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-01-04 06:12 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-01-04 06:12 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-01-04 06:12 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-01-04 06:12 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-01-04 06:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-04 06:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-01-03 20:23 . 2012-01-03 20:23 -------- d-----w- c:\windows\system32\Macromed
    2012-01-03 18:10 . 2012-01-03 18:10 -------- d-----w- C:\eb99211563fb9e909585b8ec
    2012-01-03 07:39 . 2011-11-30 08:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\mpengine.dll
    2012-01-02 22:32 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
    2012-01-02 22:30 . 2012-01-04 06:11 -------- d-----w- c:\programdata\AVAST Software
    2012-01-02 22:30 . 2012-01-02 22:30 -------- d-----w- c:\program files\AVAST Software
    2012-01-02 20:27 . 2012-01-02 20:27 -------- d-----w- C:\bd07de0ba843d8a2ccea7ad2771d
    2012-01-02 05:45 . 2012-01-02 23:55 -------- d-----w- c:\programdata\Lavasoft
    2012-01-02 05:45 . 2012-01-02 05:45 -------- d-----w- c:\users\Nicole\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-02 05:44 . 2012-01-02 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 05:44 . 2012-01-02 05:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-02 04:47 . 2012-01-02 04:47 -------- d-----w- C:\a8bdd53a4f3715258e
    2012-01-02 03:29 . 2012-01-02 03:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-01-02 03:29 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\users\Nicole\AppData\Roaming\Malwarebytes
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 21:48 . 2011-10-25 16:09 85504 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 21:48 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 21:48 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-15 21:48 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 21:48 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-15 21:48 . 2011-11-23 13:57 2764800 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
    2011-12-14 04:13 . 2011-12-14 04:14 -------- d-----w- c:\users\Nicole\AppData\Roaming\Apple Computer
    2011-12-14 04:13 . 2011-12-14 04:13 -------- d-----w- c:\users\Nicole\AppData\Local\Apple Computer
    2011-12-14 04:12 . 2009-05-18 19:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-14 04:12 . 2008-04-17 18:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
    2011-12-14 04:12 . 2008-04-17 18:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2011-12-14 04:12 . 2012-01-02 23:55 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\program files\iPod
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files\iTunes
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files (x86)\iTunes
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\programdata\Apple Computer
    2011-12-14 04:10 . 2011-12-14 04:10 -------- d-----w- c:\users\Nicole\AppData\Local\Apple
    2011-12-14 04:09 . 2011-12-14 04:09 -------- d-----w- c:\program files (x86)\Apple Software Update
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Common Files\Apple
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Bonjour
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files (x86)\Bonjour
    2011-12-14 04:06 . 2011-12-14 04:11 -------- d-----w- c:\program files (x86)\Common Files\Apple
    2011-12-14 04:06 . 2011-12-14 04:09 -------- d-----w- c:\programdata\Apple
    2011-12-11 14:36 . 2011-12-11 14:36 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-04 08:15 . 2011-04-30 16:28 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
    2012-01-03 20:23 . 2011-07-14 15:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-15 20:29 . 2011-01-17 07:35 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-01-04_10.53.41 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2012-01-04 10:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-01-04 18:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-01-04 18:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-04 10:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 18:35 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-04 10:50 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-01-04 18:38 45970 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-01-04 18:38 71392 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-17 04:22 . 2012-01-04 18:38 8892 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1475235829-1360834442-158596274-1000_UserData.bin
    - 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-04 18:34 . 2012-01-04 18:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-04 18:34 . 2012-01-04 18:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-04-16 08:26 . 2012-01-04 18:33 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-04-16 08:26 . 2012-01-04 08:52 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-04-16 08:26 . 2012-01-04 18:33 50188182 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    - 2011-04-16 08:26 . 2012-01-04 08:52 50188182 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    - 2012-01-04 10:47 . 2012-01-04 10:47 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    + 2012-01-04 18:33 . 2012-01-04 18:33 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{C4B8BAB4-1667-11DF-A242-BA9455D89593}]
    c:\program files (x86)\simppulltoolbar\auxi\simppulltoolbAu.dll [BU]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-22 6276408]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-27 39408]
    "ChromeFrameHelper"="c:\users\Nicole\AppData\Local\Google\Chrome\Application\17.0.963.12\chrome_frame_helper.exe" [2011-12-15 97336]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-02 5486464]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctMTE1MjE5NzEwOC1GTDEwKzEtVFVHKzMtU1VQKzQtRERUKzMzMjEtU1AxUzQrMS1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQU4rMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GMTBNMTJCKzEtRjEwVEIrMi1TVDEwVEJGKzE&prod=55&ver=10.0.1416" [?]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-3-23 113664]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000Core.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000UA.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 65143a21-13aa-46f3-b1d5-8cc007e9fa70.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 97af640e-5bc6-4fab-933b-0b45caf62a54.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\3x9vtm12.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=30305&client_id=1868eed49cc815d83f5c97b8&camp_id=3534&install_time=2012-01-02T06:15Z&pr=auto&tb_version=1.0.14000(G)&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.autoDisableScopes - 14
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1475235829-1360834442-158596274-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}*]
    "haikbfdjheonepap"=hex:6b,61,6e,70,62,63,6a,6b,61,6d,63,6b,6a,67,6a,69,68,6c,
    6d,63,61,6e,00,00
    "iacklbokghlgbnjplp"=hex:6a,61,6f,70,63,63,61,65,66,69,68,6e,6c,61,6c,6d,6a,61,
    68,64,00,00
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-04 13:12:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-04 19:12
    ComboFix2.txt 2012-01-04 11:29
    .
    Pre-Run: 410,243,457,024 bytes free
    Post-Run: 410,218,098,688 bytes free
    .
    - - End Of File - - 9D73229ACBE45AB391A31B44F4A4472F
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Yes.

    You didn't run my script.
    Please redo.
     
  15. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Here is what you asked for

    ComboFix 12-01-04.02 - Nicole 01/04/2012 15:12:18.7.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6077.4211 [GMT -6:00]
    Running from: c:\users\Nicole\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nicole\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\Common Files\AVG Secure Search
    c:\program files (x86)\Common Files\AVG Secure Search\CommonInstaller\9.0.1\CommonInstaller.exe
    c:\program files (x86)\Common Files\AVG Secure Search\InstalledProducts.ini
    c:\program files (x86)\Common Files\AVG Secure Search\ScriptHelperInstaller\9.0.1\ScriptHelper.exe
    c:\program files (x86)\Common Files\AVG Secure Search\ToolBandTlb\9.0.1\toolband
    c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll
    c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
    c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\UpdaterConfig.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-04 21:51 . 2012-01-04 21:51 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\offreg.dll
    2012-01-04 21:49 . 2012-01-04 21:53 -------- d-----w- c:\users\Nicole\AppData\Local\temp
    2012-01-04 21:49 . 2012-01-04 21:49 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-01-04 21:49 . 2012-01-04 21:49 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-04 09:05 . 2012-01-04 09:05 -------- d-----w- C:\f57976069260d26b1cae261f45ca
    2012-01-04 08:23 . 2012-01-04 08:23 -------- d-----w- C:\6c3d4801ac2b96a6b866387472
    2012-01-04 06:12 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-01-04 06:12 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-01-04 06:12 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-01-04 06:12 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-01-04 06:12 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-01-04 06:12 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-01-04 06:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-04 06:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-01-03 20:23 . 2012-01-03 20:23 -------- d-----w- c:\windows\system32\Macromed
    2012-01-03 18:10 . 2012-01-03 18:10 -------- d-----w- C:\eb99211563fb9e909585b8ec
    2012-01-03 07:39 . 2011-11-30 08:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\mpengine.dll
    2012-01-02 22:32 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
    2012-01-02 22:30 . 2012-01-04 06:11 -------- d-----w- c:\programdata\AVAST Software
    2012-01-02 22:30 . 2012-01-02 22:30 -------- d-----w- c:\program files\AVAST Software
    2012-01-02 20:27 . 2012-01-02 20:27 -------- d-----w- C:\bd07de0ba843d8a2ccea7ad2771d
    2012-01-02 05:45 . 2012-01-02 23:55 -------- d-----w- c:\programdata\Lavasoft
    2012-01-02 05:45 . 2012-01-02 05:45 -------- d-----w- c:\users\Nicole\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-02 05:44 . 2012-01-02 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 05:44 . 2012-01-02 05:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-02 04:47 . 2012-01-02 04:47 -------- d-----w- C:\a8bdd53a4f3715258e
    2012-01-02 03:29 . 2012-01-02 03:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-01-02 03:29 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\users\Nicole\AppData\Roaming\Malwarebytes
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 21:48 . 2011-10-25 16:09 85504 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 21:48 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 21:48 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-15 21:48 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 21:48 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-15 21:48 . 2011-11-23 13:57 2764800 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
    2011-12-14 04:13 . 2011-12-14 04:14 -------- d-----w- c:\users\Nicole\AppData\Roaming\Apple Computer
    2011-12-14 04:13 . 2011-12-14 04:13 -------- d-----w- c:\users\Nicole\AppData\Local\Apple Computer
    2011-12-14 04:12 . 2009-05-18 19:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-14 04:12 . 2008-04-17 18:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
    2011-12-14 04:12 . 2008-04-17 18:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2011-12-14 04:12 . 2012-01-02 23:55 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\program files\iPod
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files\iTunes
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files (x86)\iTunes
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\programdata\Apple Computer
    2011-12-14 04:10 . 2011-12-14 04:10 -------- d-----w- c:\users\Nicole\AppData\Local\Apple
    2011-12-14 04:09 . 2011-12-14 04:09 -------- d-----w- c:\program files (x86)\Apple Software Update
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Common Files\Apple
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Bonjour
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files (x86)\Bonjour
    2011-12-14 04:06 . 2011-12-14 04:11 -------- d-----w- c:\program files (x86)\Common Files\Apple
    2011-12-14 04:06 . 2011-12-14 04:09 -------- d-----w- c:\programdata\Apple
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-04 08:15 . 2011-04-30 16:28 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
    2012-01-03 20:23 . 2011-07-14 15:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-15 20:29 . 2011-01-17 07:35 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-01-04_10.53.41 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2012-01-04 10:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-01-04 21:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-01-04 10:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 21:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-04 10:50 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 21:54 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-01-04 21:53 46050 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-01-04 21:53 71480 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-17 04:22 . 2012-01-04 21:53 8916 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1475235829-1360834442-158596274-1000_UserData.bin
    + 2012-01-04 21:51 . 2012-01-04 21:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-04 21:51 . 2012-01-04 21:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-04-16 08:26 . 2012-01-04 21:50 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-04-16 08:26 . 2012-01-04 08:52 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-04-16 08:26 . 2012-01-04 21:50 50211476 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    + 2012-01-04 20:37 . 2012-01-04 20:37 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    - 2012-01-04 10:47 . 2012-01-04 10:47 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{C4B8BAB4-1667-11DF-A242-BA9455D89593}]
    c:\program files (x86)\simppulltoolbar\auxi\simppulltoolbAu.dll [BU]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-22 6276408]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-27 39408]
    "ChromeFrameHelper"="c:\users\Nicole\AppData\Local\Google\Chrome\Application\17.0.963.12\chrome_frame_helper.exe" [2011-12-15 97336]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-02 5486464]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-3-23 113664]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000Core.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000UA.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 65143a21-13aa-46f3-b1d5-8cc007e9fa70.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 97af640e-5bc6-4fab-933b-0b45caf62a54.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\3x9vtm12.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=30305&client_id=1868eed49cc815d83f5c97b8&camp_id=3534&install_time=2012-01-02T06:15Z&pr=auto&tb_version=1.0.14000(G)&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.autoDisableScopes - 14
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-04 16:27:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-04 22:27
    ComboFix2.txt 2012-01-04 19:12
    ComboFix3.txt 2012-01-04 11:29
    .
    Pre-Run: 410,313,568,256 bytes free
    Post-Run: 410,559,840,256 bytes free
    .
    - - End Of File - - 751B9E030DDAEE2087756377CD7A34D6
     
  16. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Finally have hidden files back

    I finally have my hidden files back, but I am still getting the redirect if I try to use any search engines.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Which browser is getting redirected?
     
  18. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Redirects

    I tried Google Chrome, Internet Explorer and Firefox. All three were redirected when I typed in techspot then clicked on your site.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  20. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    This is the output

    [Combofix log removed by Broni]
     
  21. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please pay attention.
    This is not what I asked for.
     
  22. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    Sorry

    Didn't work the first couple times



    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`c3f00000

    Size      Device Name           MBR Status
    --------------------------------------------
    698 GB    \\.\PhysicalDrive0    Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
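The Bootkit Remover output above says the MBR on \\.\PhysicalDrive0 is "controlled by rootkit" and offers `remover.exe dump <device_name> [output_file]` for manual inspection. The script below is an added example of what to do with such a 512-byte dump; it is not code from this thread, from Esage Lab's tool or from aswMBR (which also saves a 512-byte MBR.dat). It decodes the partition table, checks the 0x55AA boot signature, hashes the boot-code region and applies one heuristic: stock Windows NT 5.x/6.x MBR code carries the strings "Invalid partition table", "Error loading operating system" and "Missing operating system", so a sector that lacks all three is at least not the stock Microsoft code. The "known good" hash is a placeholder assumption, and both sample sectors are constructed inline so the script runs offline without touching a real disk.

```python
"""Parse and sanity-check a 512-byte master boot record dump.

Added example for this thread, not code from the original post or from any tool
named in it. Reads the kind of sector that `remover.exe dump` or aswMBR writes.
The baseline hash is an assumption; the two sample sectors are constructed.
"""
import hashlib
import struct
import sys
from typing import List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 are executable boot code
DISK_SIG_OFF = 440         # 4-byte NT disk signature, then 2 pad bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # bytes 510..511

# Error strings carried by stock Windows NT 5.x/6.x MBR code. Their absence is
# a heuristic, not proof of infection: it only says the code is not stock.
STOCK_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_mbr(mbr: bytes) -> dict:
    """Decode boot signature, disk signature, boot-code hash and partition table."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue                      # unused slot
        partitions.append({
            "index": i, "bootable": status == 0x80,
            "status_valid": status in (0x00, 0x80),
            "type": ptype, "lba_start": lba, "sectors": count,
        })
    code = mbr[:BOOT_CODE_LEN]
    return {
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(code).hexdigest(),
        "stock_strings_present": all(s in code for s in STOCK_STRINGS),
        "partitions": partitions,
    }


def assess(info: dict, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return findings worth a second look; an empty list means nothing stood out."""
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not info["stock_strings_present"]:
        findings.append("boot code lacks the stock Windows MBR error strings")
    if known_good_sha256 and info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code hash differs from the known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged active/bootable")
    for p in info["partitions"]:
        if not p["status_valid"]:
            findings.append(f"partition {p['index']} has an invalid status byte")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first sector of a dump file or, as administrator, a raw device
    such as r'\\\\.\\PhysicalDrive0'. A bootkit that hooks disk I/O can return a
    clean sector to a read made from inside the infected OS, so a dump taken
    from a clean boot environment is the one to trust."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def _sample(boot_code: bytes) -> bytes:
    """Constructed sector (sample data, not a real disk): given boot code, one
    active NTFS partition starting at LBA 2048, and a valid boot signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    return code + disk_sig + entry + b"\x00" * 48 + BOOT_SIG


CLEAN_MBR = _sample(b"\xfa\x33\xc0" + b"".join(s + b"\x00" for s in STOCK_STRINGS))
# Code region replaced wholesale, partition table left intact, which is how a
# boot-sector infector keeps the machine bootable.
TAMPERED_MBR = _sample(bytes((i * 37 + 11) & 0xFF for i in range(BOOT_CODE_LEN)))
CLEAN_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # placeholder baseline


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None
    samples = [("file", read_mbr(src))] if src else [("clean", CLEAN_MBR),
                                                     ("tampered", TAMPERED_MBR)]
    for name, sector in samples:
        info = parse_mbr(sector)
        print(f"[{name}] disk signature {info['disk_signature']:08x}, "
              f"boot code sha256 {info['boot_code_sha256'][:16]}..., "
              f"partitions {[(p['type'], p['lba_start']) for p in info['partitions']]}")
        for line in assess(info, None if src else CLEAN_HASH):
            print("   !", line)
```

Run it with no arguments to see the constructed clean and tampered sectors side by side, or pass the path of a real dump (the file written by `remover.exe dump`, or MBR.dat) to inspect that instead. The hash comparison is only as good as the baseline you give it; the useful baseline is the MBR from a known-clean machine with the same Windows version, captured from a clean boot environment rather than from the possibly hooked system.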
     
  23. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

    • Double click on downloaded file to run it.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will produce a log (FRST.txt) on your desktop.
    • Please copy and paste it to your reply.
     
  24. rcmeyer99

    rcmeyer99 TS Rookie Topic Starter Posts: 68

    FRST.txt log

    Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.2
    Ran by Nicole at 2012-01-04 21:41:23
    Running from C:\Users\Nicole\Desktop
    Service Pack 2 (X64) OS Language: English(US)
    Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

    ========================== Registry (Whitelisted) =============

    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-11] (Microsoft Corporation)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-11] (Microsoft Corporation)
    HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
    HKLM\...\Winlogon: [Userinit]
    HKLM-x32\...\Winlogon: [Userinit]
    HKLM\...\Winlogon: [Shell]
    HKLM-x32\...\Winlogon: [Shell] [x x] ()

    ==================== Services (Whitelisted) ======


    ========================== Drivers (Whitelisted) =============


    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============

    2012-01-04 21:40 - 2012-01-04 21:40 - 1378579 ____A C:\Users\Nicole\Desktop\FRST64.exe
    2012-01-04 18:17 - 2012-01-04 18:17 - 0000727 ____A C:\Users\Nicole\Desktop\bootkittext.txt
    2012-01-04 18:06 - 2012-01-04 18:06 - 0044607 ____A C:\Users\Nicole\Desktop\bootkit_remover (1).zip
    2012-01-04 18:03 - 2012-01-04 18:03 - 0000000 __SHD C:\$RECYCLE.BIN
    2012-01-04 17:53 - 2012-01-04 18:17 - 0061420 ____A C:\Users\Nicole\Desktop\bootkit_remover_debug_log.txt
    2012-01-04 17:53 - 2011-09-20 03:02 - 0083968 ____A (Esage Lab) C:\Users\Nicole\Desktop\boot_cleaner.exe
    2012-01-04 16:28 - 2012-01-04 16:28 - 0020800 ____A C:\ComboFix.txt
    2012-01-04 14:58 - 2012-01-04 16:28 - 0000000 ____D C:\ComboFix
    2012-01-04 03:05 - 2012-01-04 03:05 - 0000000 ____D C:\f57976069260d26b1cae261f45ca
    2012-01-04 02:47 - 2012-01-04 02:48 - 0001919 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
    2012-01-04 02:23 - 2012-01-04 02:23 - 0000000 ____D C:\6c3d4801ac2b96a6b866387472
    2012-01-04 00:12 - 2012-01-04 00:12 - 0361210 ____A C:\Users\Nicole\AppData\Local\dd_vcredistMSI6778.txt
    2012-01-04 00:12 - 2012-01-04 00:12 - 0011378 ____A C:\Users\Nicole\AppData\Local\dd_vcredistUI6778.txt
    2012-01-04 00:12 - 2012-01-04 00:12 - 0001787 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    2012-01-04 00:12 - 2011-11-28 11:54 - 0591192 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2012-01-04 00:12 - 2011-11-28 11:53 - 0304472 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2012-01-04 00:12 - 2011-11-28 11:52 - 0066904 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
    2012-01-04 00:12 - 2011-11-28 11:52 - 0058712 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2012-01-04 00:12 - 2011-11-28 11:52 - 0042328 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
    2012-01-04 00:12 - 2011-11-28 11:51 - 0024408 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2012-01-04 00:11 - 2011-11-28 12:01 - 0199816 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
    2012-01-04 00:11 - 2011-11-28 12:01 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
    2012-01-04 00:01 - 2012-01-04 00:01 - 0684297 ____A C:\Users\Nicole\Desktop\unhide(5).exe
    2012-01-03 20:00 - 2011-06-26 00:45 - 0256000 ____A C:\Windows\PEV.exe
    2012-01-03 20:00 - 2010-11-07 11:20 - 0208896 ____A C:\Windows\MBR.exe
    2012-01-03 20:00 - 2009-04-19 22:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-01-03 20:00 - 2000-08-30 18:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-01-03 20:00 - 2000-08-30 18:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-01-03 20:00 - 2000-08-30 18:00 - 0098816 ____A C:\Windows\sed.exe
    2012-01-03 20:00 - 2000-08-30 18:00 - 0080412 ____A C:\Windows\grep.exe
    2012-01-03 20:00 - 2000-08-30 18:00 - 0068096 ____A C:\Windows\zip.exe
    2012-01-03 19:59 - 2012-01-03 23:47 - 0000000 ____D C:\Windows\ERDNT
    2012-01-03 19:57 - 2012-01-04 16:28 - 0000000 ____D C:\Qoobox
    2012-01-03 19:51 - 2012-01-04 11:40 - 4369970 ____R (Swearware) C:\Users\Nicole\Desktop\ComboFix.exe
    2012-01-03 19:16 - 2012-01-03 19:16 - 0002012 ____A C:\Users\Nicole\Documents\aswMBR.txt
    2012-01-03 19:16 - 2012-01-03 19:16 - 0000512 ____A C:\Users\Nicole\Documents\MBR.dat
    2012-01-03 19:11 - 2012-01-03 19:11 - 4704768 ____A (AVAST Software) C:\Users\Nicole\Desktop\aswMBR.exe
    2012-01-03 16:59 - 2012-01-03 19:25 - 0607260 ____A (Swearware) C:\Users\Nicole\Desktop\dds.scr
    2012-01-03 16:26 - 2012-01-03 19:22 - 0000666 ____A C:\Users\Nicole\Documents\GMER.log
    2012-01-03 14:23 - 2012-01-03 14:23 - 0000000 ____D C:\Windows\System32\Macromed
    2012-01-03 14:14 - 2012-01-03 14:14 - 0302592 ____A C:\Users\Nicole\Desktop\4i9b70yh.exe
    2012-01-03 13:42 - 2012-01-03 13:42 - 0000296 ____A C:\Windows\System32\spsys.log
    2012-01-03 12:10 - 2012-01-03 12:10 - 0000000 ____D C:\eb99211563fb9e909585b8ec
    2012-01-02 17:22 - 2012-01-02 17:22 - 0009216 ____A C:\Users\Nicole\Documents\techspot.wps
    2012-01-02 16:32 - 2012-01-04 00:12 - 0000000 ____A C:\Windows\SysWOW64\config.nt
    2012-01-02 16:32 - 2011-11-28 12:01 - 0256960 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2012-01-02 16:31 - 2012-01-02 16:32 - 10319556 ____A C:\Users\Nicole\AppData\Local\dd_vcredistMSI388D.txt
    2012-01-02 16:31 - 2012-01-02 16:32 - 0011410 ____A C:\Users\Nicole\AppData\Local\dd_vcredistUI388D.txt
    2012-01-02 16:30 - 2012-01-04 00:11 - 0000000 ____D C:\Users\All Users\AVAST Software
    2012-01-02 16:30 - 2012-01-04 00:11 - 0000000 ____D C:\ProgramData\AVAST Software
    2012-01-02 16:30 - 2012-01-02 16:30 - 0000000 ____D C:\Program Files\AVAST Software
    2012-01-02 14:27 - 2012-01-02 14:27 - 0000000 ____D C:\bd07de0ba843d8a2ccea7ad2771d
    2012-01-01 23:45 - 2012-01-04 15:45 - 0000512 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 65143a21-13aa-46f3-b1d5-8cc007e9fa70.job
    2012-01-01 23:45 - 2012-01-04 02:00 - 0000512 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 97af640e-5bc6-4fab-933b-0b45caf62a54.job
    2012-01-01 23:45 - 2012-01-02 17:55 - 0000000 ____D C:\Users\All Users\Lavasoft
    2012-01-01 23:45 - 2012-01-02 17:55 - 0000000 ____D C:\ProgramData\Lavasoft
    2012-01-01 23:45 - 2012-01-01 23:45 - 0000000 ____D C:\Users\Nicole\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-01 23:44 - 2012-01-02 14:15 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
    2012-01-01 23:44 - 2012-01-01 23:44 - 0001758 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Professional.lnk
    2012-01-01 23:44 - 2012-01-01 23:44 - 0000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
    2012-01-01 23:44 - 2012-01-01 23:44 - 0000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2012-01-01 23:30 - 2012-01-01 23:30 - 0000000 ____D C:\Users\Nicole\Documents\WinUnhide-1
    2012-01-01 22:47 - 2012-01-01 22:47 - 0000000 ____D C:\a8bdd53a4f3715258e
    2012-01-01 21:29 - 2012-01-01 21:30 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-01-01 21:29 - 2012-01-01 21:29 - 0000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-01-01 21:29 - 2011-12-10 15:24 - 0023152 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-01-01 21:24 - 2012-01-01 21:24 - 0000000 ____D C:\Users\Nicole\AppData\Roaming\Malwarebytes
    2012-01-01 21:24 - 2012-01-01 21:24 - 0000000 ____D C:\Users\All Users\Malwarebytes
    2012-01-01 21:24 - 2012-01-01 21:24 - 0000000 ____D C:\ProgramData\Malwarebytes
    2011-12-30 17:42 - 2012-01-01 21:00 - 0000680 ____A C:\Users\Nicole\AppData\Local\d3d9caps.dat
    2011-12-30 17:33 - 2012-01-03 13:41 - 0488716 ____A C:\Windows\ntbtlog.txt
    2011-12-28 19:55 - 2011-12-28 20:04 - 0000000 ____D C:\Users\Nicole\Desktop\Christmas 2011
    2011-12-28 18:04 - 2011-12-28 18:04 - 0002553 ____A C:\Users\Nicole\Desktop\AutoCAD 2012 - English.lnk
    2011-12-26 02:06 - 2011-12-28 00:44 - 0028160 ____A C:\Users\Nicole\Documents\appetizers.wps
    2011-12-22 14:08 - 2011-12-22 15:12 - 0068258 ____A C:\Users\Nicole\Documents\belt buckle.dwg
    2011-12-22 13:56 - 2011-12-22 13:56 - 0002087 ____A C:\Users\Nicole\Desktop\Revit Architecture 2012.lnk
    2011-12-22 13:56 - 2011-12-22 13:56 - 0002066 ____A C:\Users\Nicole\Desktop\Revit Structure 2012.lnk
    2011-12-16 03:01 - 2011-11-03 20:38 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2011-12-16 03:01 - 2011-11-03 19:59 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2011-12-16 03:01 - 2011-11-03 19:53 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2011-12-16 03:01 - 2011-11-03 19:46 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2011-12-16 03:01 - 2011-11-03 19:44 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2011-12-16 03:01 - 2011-11-03 19:44 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2011-12-16 03:01 - 2011-11-03 19:43 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2011-12-16 03:01 - 2011-11-03 19:41 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2011-12-16 03:01 - 2011-11-03 19:39 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2011-12-16 03:01 - 2011-11-03 19:36 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2011-12-16 03:01 - 2011-11-03 19:35 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2011-12-16 03:01 - 2011-11-03 19:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2011-12-16 03:01 - 2011-11-03 19:30 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2011-12-16 03:01 - 2011-11-03 17:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2011-12-16 03:01 - 2011-11-03 16:47 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2011-12-16 03:01 - 2011-11-03 16:46 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2011-12-16 03:01 - 2011-11-03 16:40 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2011-12-16 03:01 - 2011-11-03 16:40 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2011-12-16 03:01 - 2011-11-03 16:39 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2011-12-16 03:01 - 2011-11-03 16:38 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2011-12-16 03:01 - 2011-11-03 16:37 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2011-12-16 03:01 - 2011-11-03 16:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2011-12-16 03:01 - 2011-11-03 16:32 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2011-12-16 03:01 - 2011-11-03 16:32 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2011-12-16 03:01 - 2011-11-03 16:31 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2011-12-16 03:01 - 2011-11-03 16:28 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2011-12-15 15:48 - 2011-11-23 07:57 - 2764800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2011-12-15 15:48 - 2011-11-08 08:58 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
    2011-12-15 15:48 - 2011-11-08 08:42 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
    2011-12-15 15:48 - 2011-10-25 10:09 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
    2011-12-15 15:48 - 2011-10-14 11:30 - 0559616 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
    2011-12-15 15:48 - 2011-10-14 10:02 - 0429056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
    2011-12-13 22:13 - 2012-01-01 22:27 - 0000000 ____D C:\Users\Nicole\Desktop\iTunes
    2011-12-13 22:13 - 2011-12-13 22:14 - 0000000 ____D C:\Users\Nicole\AppData\Roaming\Apple Computer
    2011-12-13 22:13 - 2011-12-13 22:13 - 0001714 ____A C:\Users\Nicole\Desktop\iTunes.lnk
    2011-12-13 22:13 - 2011-12-13 22:13 - 0000000 ____D C:\Users\Nicole\AppData\Local\Apple Computer
    2011-12-13 22:12 - 2009-05-18 13:17 - 0034152 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
    2011-12-13 22:12 - 2008-04-17 12:12 - 0126312 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi64.dll
    2011-12-13 22:12 - 2008-04-17 12:12 - 0107368 ____A (GEAR Software Inc.) C:\Windows\SysWOW64\GEARAspi.dll
    2011-12-13 22:11 - 2011-12-13 22:12 - 0000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-13 22:11 - 2011-12-13 22:12 - 0000000 ____D C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-13 22:11 - 2011-12-13 22:12 - 0000000 ____D C:\Program Files\iTunes
    2011-12-13 22:11 - 2011-12-13 22:12 - 0000000 ____D C:\Program Files (x86)\iTunes
    2011-12-13 22:11 - 2011-12-13 22:11 - 0000000 ____D C:\Users\All Users\Apple Computer
    2011-12-13 22:11 - 2011-12-13 22:11 - 0000000 ____D C:\ProgramData\Apple Computer
    2011-12-13 22:11 - 2011-12-13 22:11 - 0000000 ____D C:\Program Files\iPod
    2011-12-13 22:10 - 2011-12-13 22:10 - 0000000 ____D C:\Users\Nicole\AppData\Local\Apple
    2011-12-13 22:09 - 2011-12-13 22:09 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
    2011-12-13 22:07 - 2011-12-13 22:07 - 0000000 ____D C:\Program Files\Common Files\Apple
    2011-12-13 22:07 - 2011-12-13 22:07 - 0000000 ____D C:\Program Files\Bonjour
    2011-12-13 22:07 - 2011-12-13 22:07 - 0000000 ____D C:\Program Files (x86)\Bonjour
    2011-12-13 22:06 - 2011-12-13 22:09 - 0000000 ____D C:\Users\All Users\Apple
    2011-12-13 22:06 - 2011-12-13 22:09 - 0000000 ____D C:\ProgramData\Apple
    2011-12-12 00:35 - 2011-12-12 00:36 - 0145969 ____A C:\Users\Nicole\Desktop\attitude.jpg


    ============ 3 Months Modified Files and Folders =============

    2012-01-04 21:41 - 2012-01-04 21:41 - 0000000 ____D C:\FRST
    2012-01-04 21:40 - 2012-01-04 21:40 - 1378579 ____A C:\Users\Nicole\Desktop\FRST64.exe
    2012-01-04 21:09 - 2011-04-27 14:39 - 0000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-01-04 21:09 - 2011-04-27 14:39 - 0000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-01-04 21:08 - 2011-07-16 09:48 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000UA.job
    2012-01-04 21:08 - 2011-07-16 09:48 - 0000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000Core.job
    2012-01-04 19:51 - 2006-11-02 09:22 - 0003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-01-04 19:51 - 2006-11-02 09:22 - 0003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-01-04 18:45 - 2011-01-28 19:09 - 0000000 ____D C:\Users\Nicole\AppData\Local\Microsoft Games
    2012-01-04 18:17 - 2012-01-04 18:17 - 0000727 ____A C:\Users\Nicole\Desktop\bootkittext.txt
    2012-01-04 18:17 - 2012-01-04 17:53 - 0061420 ____A C:\Users\Nicole\Desktop\bootkit_remover_debug_log.txt
    2012-01-04 18:06 - 2012-01-04 18:06 - 0044607 ____A C:\Users\Nicole\Desktop\bootkit_remover (1).zip
    2012-01-04 18:03 - 2012-01-04 18:03 - 0000000 __SHD C:\$RECYCLE.BIN
    2012-01-04 16:28 - 2012-01-04 16:28 - 0020800 ____A C:\ComboFix.txt
    2012-01-04 16:28 - 2012-01-04 14:58 - 0000000 ____D C:\ComboFix
    2012-01-04 16:28 - 2012-01-03 19:57 - 0000000 ____D C:\Qoobox
    2012-01-04 16:21 - 2008-01-20 19:53 - 1431319 ____A C:\Windows\WindowsUpdate.log
    2012-01-04 15:54 - 2006-11-02 06:34 - 0000215 ____A C:\Windows\system.ini
    2012-01-04 15:53 - 2006-11-02 06:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
    2012-01-04 15:51 - 2008-01-20 21:26 - 0022468 ____A C:\Windows\PFRO.log
    2012-01-04 15:51 - 2006-11-02 09:42 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-01-04 15:50 - 2006-11-02 09:42 - 0029684 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-01-04 15:45 - 2012-01-01 23:45 - 0000512 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 65143a21-13aa-46f3-b1d5-8cc007e9fa70.job
    2012-01-04 11:40 - 2012-01-03 19:51 - 4369970 ____R (Swearware) C:\Users\Nicole\Desktop\ComboFix.exe
    2012-01-04 11:26 - 2011-09-22 18:22 - 0002027 ____A C:\Users\Nicole\Desktop\Google Chrome.lnk
    2012-01-04 05:30 - 2006-11-02 07:33 - 0000000 ___RD C:\users\Public
    2012-01-04 05:30 - 2006-11-02 07:33 - 0000000 ___RD C:\users\Default
    2012-01-04 04:50 - 2011-01-16 18:55 - 0001460 ____A C:\Users\Nicole\AppData\Local\d3d9caps64.dat
    2012-01-04 03:05 - 2012-01-04 03:05 - 0000000 ____D C:\f57976069260d26b1cae261f45ca
    2012-01-04 02:49 - 2011-03-11 23:03 - 0000000 ____D C:\Users\Nicole\Desktop\I myself and me
    2012-01-04 02:48 - 2012-01-04 02:47 - 0001919 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
    2012-01-04 02:23 - 2012-01-04 02:23 - 0000000 ____D C:\6c3d4801ac2b96a6b866387472
    2012-01-04 02:15 - 2011-04-30 10:26 - 0000000 ____D C:\Users\All Users\Microsoft Help
    2012-01-04 02:15 - 2011-04-30 10:26 - 0000000 ____D C:\ProgramData\Microsoft Help
    2012-01-04 02:12 - 2006-11-02 06:35 - 54867776 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-01-04 02:00 - 2012-01-01 23:45 - 0000512 ____A C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 97af640e-5bc6-4fab-933b-0b45caf62a54.job
    2012-01-04 01:52 - 2006-11-02 06:46 - 0756338 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-01-04 00:12 - 2012-01-04 00:12 - 0361210 ____A C:\Users\Nicole\AppData\Local\dd_vcredistMSI6778.txt
    2012-01-04 00:12 - 2012-01-04 00:12 - 0011378 ____A C:\Users\Nicole\AppData\Local\dd_vcredistUI6778.txt
    2012-01-04 00:12 - 2012-01-04 00:12 - 0001787 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    2012-01-04 00:12 - 2012-01-02 16:32 - 0000000 ____A C:\Windows\SysWOW64\config.nt
    2012-01-04 00:11 - 2012-01-02 16:30 - 0000000 ____D C:\Users\All Users\AVAST Software
    2012-01-04 00:11 - 2012-01-02 16:30 - 0000000 ____D C:\ProgramData\AVAST Software
    2012-01-04 00:01 - 2012-01-04 00:01 - 0684297 ____A C:\Users\Nicole\Desktop\unhide(5).exe
    2012-01-03 23:47 - 2012-01-03 19:59 - 0000000 ____D C:\Windows\ERDNT
    2012-01-03 19:25 - 2012-01-03 16:59 - 0607260 ____A (Swearware) C:\Users\Nicole\Desktop\dds.scr
    2012-01-03 19:22 - 2012-01-03 16:26 - 0000666 ____A C:\Users\Nicole\Documents\GMER.log
    2012-01-03 19:16 - 2012-01-03 19:16 - 0002012 ____A C:\Users\Nicole\Documents\aswMBR.txt
    2012-01-03 19:16 - 2012-01-03 19:16 - 0000512 ____A C:\Users\Nicole\Documents\MBR.dat
    2012-01-03 19:11 - 2012-01-03 19:11 - 4704768 ____A (AVAST Software) C:\Users\Nicole\Desktop\aswMBR.exe
    2012-01-03 16:53 - 2011-01-22 22:56 - 0019266 ____A C:\Users\Nicole\AppData\Roaming\wklnhst.dat
    2012-01-03 14:23 - 2012-01-03 14:23 - 0000000 ____D C:\Windows\System32\Macromed
    2012-01-03 14:23 - 2011-07-14 09:45 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-01-03 14:14 - 2012-01-03 14:14 - 0302592 ____A C:\Users\Nicole\Desktop\4i9b70yh.exe
    2012-01-03 13:42 - 2012-01-03 13:42 - 0000296 ____A C:\Windows\System32\spsys.log
    2012-01-03 13:41 - 2011-12-30 17:33 - 0488716 ____A C:\Windows\ntbtlog.txt
    2012-01-03 12:10 - 2012-01-03 12:10 - 0000000 ____D C:\eb99211563fb9e909585b8ec
    2012-01-02 17:55 - 2012-01-01 23:45 - 0000000 ____D C:\Users\All Users\Lavasoft
    2012-01-02 17:55 - 2012-01-01 23:45 - 0000000 ____D C:\ProgramData\Lavasoft
    2012-01-02 17:22 - 2012-01-02 17:22 - 0009216 ____A C:\Users\Nicole\Documents\techspot.wps
    2012-01-02 16:32 - 2012-01-02 16:31 - 10319556 ____A C:\Users\Nicole\AppData\Local\dd_vcredistMSI388D.txt
    2012-01-02 16:32 - 2012-01-02 16:31 - 0011410 ____A C:\Users\Nicole\AppData\Local\dd_vcredistUI388D.txt
    2012-01-02 16:30 - 2012-01-02 16:30 - 0000000 ____D C:\Program Files\AVAST Software
    2012-01-02 15:36 - 2011-01-16 18:56 - 0000000 ____D C:\Users\Nicole\AppData\LocalLow
    2012-01-02 14:27 - 2012-01-02 14:27 - 0000000 ____D C:\bd07de0ba843d8a2ccea7ad2771d
    2012-01-02 14:19 - 2011-10-03 15:26 - 0000000 ____D C:\Users\Nicole\AppData\Local\Conduit
    2012-01-02 14:15 - 2012-01-01 23:44 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
    2012-01-02 00:13 - 2011-01-22 22:55 - 0000000 ____D C:\Program Files (x86)\Free Offers from Freeze.com
    2012-01-02 00:07 - 2006-11-02 07:33 - 0000000 ____D C:\Windows\Resources
    2012-01-01 23:45 - 2012-01-01 23:45 - 0000000 ____D C:\Users\Nicole\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-01 23:44 - 2012-01-01 23:44 - 0001758 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Professional.lnk
    2012-01-01 23:44 - 2012-01-01 23:44 - 0000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
    2012-01-01 23:44 - 2012-01-01 23:44 - 0000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2012-01-01 23:30 - 2012-01-01 23:30 - 0000000 ____D C:\Users\Nicole\Documents\WinUnhide-1
    2012-01-01 22:47 - 2012-01-01 22:47 - 0000000 ____D C:\a8bdd53a4f3715258e
    2012-01-01 22:27 - 2011-12-13 22:13 - 0000000 ____D C:\Users\Nicole\Desktop\iTunes
    2012-01-01 22:17 - 2011-01-17 03:35 - 0000000 ____D C:\Users\All Users\AVG10
    2012-01-01 22:17 - 2011-01-17 03:35 - 0000000 ____D C:\ProgramData\AVG10
    2012-01-01 22:12 - 2011-01-16 19:01 - 0000000 ____D C:\Users\All Users\MFAData
    2012-01-01 22:12 - 2011-01-16 19:01 - 0000000 ____D C:\ProgramData\MFAData
    2012-01-01 22:07 - 2011-04-29 15:03 - 0000000 ____D C:\Program Files\Common Files\Autodesk Shared
    2012-01-01 22:07 - 2011-04-29 14:55 - 0000000 ____D C:\Users\All Users\Autodesk
    2012-01-01 22:07 - 2011-04-29 14:55 - 0000000 ____D C:\ProgramData\Autodesk
    2012-01-01 22:05 - 2011-04-29 14:57 - 0751252 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-01-01 21:47 - 2011-01-17 03:35 - 0000000 ____D C:\Windows\System32\Drivers\AVG
    2012-01-01 21:30 - 2012-01-01 21:29 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-01-01 21:29 - 2012-01-01 21:29 - 0000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-01-01 21:24 - 2012-01-01 21:24 - 0000000 ____D C:\Users\Nicole\AppData\Roaming\Malwarebytes
    2012-01-01 21:24 - 2012-01-01 21:24 - 0000000 ____D C:\Users\All Users\Malwarebytes
    2012-01-01 21:24 - 2012-01-01 21:24 - 0000000 ____D C:\ProgramData\Malwarebytes
    2012-01-01 21:00 - 2011-12-30 17:42 - 0000680 ____A C:\Users\Nicole\AppData\Local\d3d9caps.dat
    2011-12-28 20:04 - 2011-12-28 19:55 - 0000000 ____D C:\Users\Nicole\Desktop\Christmas 2011
    2011-12-28 18:04 - 2011-12-28 18:04 - 0002553 ____A C:\Users\Nicole\Desktop\AutoCAD 2012 - English.lnk
    2011-12-28 00:44 - 2011-12-26 02:06 - 0028160 ____A C:\Users\Nicole\Documents\appetizers.wps
    2011-12-24 02:43 - 2011-09-05 21:09 - 0000000 ____D C:\Users\Nicole\Desktop\Elissa and Dave' B Party
    2011-12-24 02:43 - 2011-08-29 21:36 - 0000000 ____D C:\Users\Nicole\Desktop\Christine D A
    2011-12-22 15:22 - 2011-08-18 15:47 - 0000503 ____A C:\Users\Nicole\Documents\plot.log
    2011-12-22 15:21 - 2011-04-29 15:32 - 0000000 ____D C:\Users\Nicole\AppData\Local\cache
    2011-12-22 15:12 - 2011-12-22 14:08 - 0068258 ____A C:\Users\Nicole\Documents\belt buckle.dwg
    2011-12-22 13:56 - 2011-12-22 13:56 - 0002087 ____A C:\Users\Nicole\Desktop\Revit Architecture 2012.lnk
    2011-12-22 13:56 - 2011-12-22 13:56 - 0002066 ____A C:\Users\Nicole\Desktop\Revit Structure 2012.lnk
    2011-12-21 19:46 - 2011-12-03 16:26 - 0000000 ____D C:\Users\Nicole\Desktop\Makayla, Christine, Josh, Randy and Christmas
    2011-12-21 02:48 - 2011-04-24 15:04 - 0000000 ___RD C:\Users\Nicole\Desktop\Misc..Outside, makayla, Trenton, Garden and various
    2011-12-18 14:51 - 2011-12-03 16:25 - 0010752 ____A C:\Users\Nicole\Documents\Randy's Medical.wps
    2011-12-16 19:41 - 2006-11-02 07:33 - 0000000 ____D C:\Windows\rescache
    2011-12-16 19:24 - 2006-11-02 09:21 - 0356672 ____A C:\Windows\System32\FNTCACHE.DAT
    2011-12-14 18:53 - 2011-01-17 12:47 - 0037376 ____A C:\Users\Nicole\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2011-12-14 11:53 - 2006-11-02 09:27 - 0043358 ____A C:\Windows\setupact.log
    2011-12-13 22:14 - 2011-12-13 22:13 - 0000000 ____D C:\Users\Nicole\AppData\Roaming\Apple Computer
    2011-12-13 22:13 - 2011-12-13 22:13 - 0001714 ____A C:\Users\Nicole\Desktop\iTunes.lnk
    2011-12-13 22:13 - 2011-12-13 22:13 - 0000000 ____D C:\Users\Nicole\AppData\Local\Apple Computer
    2011-12-13 22:12 - 2011-12-13 22:11 - 0000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-13 22:12 - 2011-12-13 22:11 - 0000000 ____D C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-13 22:12 - 2011-12-13 22:11 - 0000000 ____D C:\Program Files\iTunes
    2011-12-13 22:12 - 2011-12-13 22:11 - 0000000 ____D C:\Program Files (x86)\iTunes
    2011-12-13 22:11 - 2011-12-13 22:11 - 0000000 ____D C:\Users\All Users\Apple Computer
    2011-12-13 22:11 - 2011-12-13 22:11 - 0000000 ____D C:\ProgramData\Apple Computer
    2011-12-13 22:11 - 2011-12-13 22:11 - 0000000 ____D C:\Program Files\iPod
    2011-12-13 22:10 - 2011-12-13 22:10 - 0000000 ____D C:\Users\Nicole\AppData\Local\Apple
    2011-12-13 22:09 - 2011-12-13 22:09 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
    2011-12-13 22:09 - 2011-12-13 22:06 - 0000000 ____D C:\Users\All Users\Apple
    2011-12-13 22:09 - 2011-12-13 22:06 - 0000000 ____D C:\ProgramData\Apple
    2011-12-13 22:09 - 2011-01-16 18:55 - 0000000 ____D C:\users\Nicole
    2011-12-13 22:07 - 2011-12-13 22:07 - 0000000 ____D C:\Program Files\Common Files\Apple
    2011-12-13 22:07 - 2011-12-13 22:07 - 0000000 ____D C:\Program Files\Bonjour
    2011-12-13 22:07 - 2011-12-13 22:07 - 0000000 ____D C:\Program Files (x86)\Bonjour
    2011-12-12 00:36 - 2011-12-12 00:35 - 0145969 ____A C:\Users\Nicole\Desktop\attitude.jpg
    2011-12-10 15:24 - 2012-01-01 21:29 - 0023152 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2011-12-01 22:09 - 2011-12-01 01:25 - 0000000 ____D C:\Users\Nicole\Desktop\OCT NOV 2011
    2011-11-28 12:01 - 2012-01-04 00:11 - 0199816 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
    2011-11-28 12:01 - 2012-01-04 00:11 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
    2011-11-28 12:01 - 2012-01-02 16:32 - 0256960 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2011-11-28 11:54 - 2012-01-04 00:12 - 0591192 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2011-11-28 11:53 - 2012-01-04 00:12 - 0304472 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2011-11-28 11:52 - 2012-01-04 00:12 - 0066904 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
    2011-11-28 11:52 - 2012-01-04 00:12 - 0058712 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2011-11-28 11:52 - 2012-01-04 00:12 - 0042328 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
    2011-11-28 11:51 - 2012-01-04 00:12 - 0024408 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2011-11-23 07:57 - 2011-12-15 15:48 - 2764800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2011-11-20 02:41 - 2011-11-20 01:08 - 0000000 ____D C:\Users\Nicole\AppData\Roaming\mIRC
    2011-11-20 01:08 - 2011-11-20 01:08 - 0000000 ____D C:\Program Files (x86)\mIRC
    2011-11-19 15:57 - 2011-11-19 15:57 - 0000000 ____D C:\Users\Nicole\AppData\Local\DigiPara
    2011-11-19 15:57 - 2011-11-19 15:53 - 0000000 ____D C:\Users\All Users\DigiPara
    2011-11-19 15:57 - 2011-11-19 15:53 - 0000000 ____D C:\ProgramData\DigiPara
    2011-11-19 15:53 - 2011-11-19 15:53 - 0000000 ____D C:\Program Files (x86)\DigiPara
    2011-11-17 20:28 - 2011-11-17 20:28 - 0000000 ____D C:\Users\Nicole\AppData\Local\Downloaded Installations
    2011-11-15 14:29 - 2011-01-17 01:35 - 0270720 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2011-11-10 03:02 - 2006-11-02 07:33 - 0000000 ____D C:\Program Files\Common Files\System
    2011-11-08 08:58 - 2011-12-15 15:48 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
    2011-11-08 08:42 - 2011-12-15 15:48 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
    2011-11-03 20:38 - 2011-12-16 03:01 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2011-11-03 19:59 - 2011-12-16 03:01 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2011-11-03 19:53 - 2011-12-16 03:01 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2011-11-03 19:46 - 2011-12-16 03:01 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2011-11-03 19:44 - 2011-12-16 03:01 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2011-11-03 19:44 - 2011-12-16 03:01 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2011-11-03 19:43 - 2011-12-16 03:01 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2011-11-03 19:41 - 2011-12-16 03:01 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2011-11-03 19:39 - 2011-12-16 03:01 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2011-11-03 19:36 - 2011-12-16 03:01 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2011-11-03 19:35 - 2011-12-16 03:01 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2011-11-03 19:34 - 2011-12-16 03:01 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2011-11-03 19:30 - 2011-12-16 03:01 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2011-11-03 17:02 - 2011-12-16 03:01 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2011-11-03 16:47 - 2011-12-16 03:01 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2011-11-03 16:46 - 2011-12-16 03:01 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2011-11-03 16:40 - 2011-12-16 03:01 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2011-11-03 16:40 - 2011-12-16 03:01 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2011-11-03 16:39 - 2011-12-16 03:01 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2011-11-03 16:38 - 2011-12-16 03:01 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2011-11-03 16:37 - 2011-12-16 03:01 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2011-11-03 16:34 - 2011-12-16 03:01 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2011-11-03 16:32 - 2011-12-16 03:01 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2011-11-03 16:32 - 2011-12-16 03:01 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2011-11-03 16:31 - 2011-12-16 03:01 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2011-11-03 16:28 - 2011-12-16 03:01 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2011-10-29 11:25 - 2011-03-30 20:49 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2011-10-25 10:09 - 2011-12-15 15:48 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
    2011-10-19 13:42 - 2011-10-19 13:42 - 0000000 ____D C:\Program Files\Interplay Sports
    2011-10-16 15:53 - 2011-10-16 15:53 - 0000000 ____D C:\Program Files (x86)\LG Electronics
    2011-10-16 15:53 - 2011-10-16 15:53 - 0000000 ____D C:\Program Files (x86)\InstallShield Installation Information
    2011-10-14 11:30 - 2011-12-15 15:48 - 0559616 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
    2011-10-14 10:02 - 2011-12-15 15:48 - 0429056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
    2011-10-12 02:32 - 2011-10-03 14:45 - 0000000 ____D C:\Users\Nicole\AppData\Local\OpenCandy
    2011-10-12 02:30 - 2006-11-02 07:33 - 0000000 ___SD C:\Windows\Downloaded Program Files
    2011-10-12 02:30 - 2006-11-02 07:33 - 0000000 ___RD C:\Windows\Offline Web Pages
    2011-10-12 02:30 - 2006-11-02 07:33 - 0000000 ____D C:\Windows\PolicyDefinitions

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ========================= Memory info ======================

    Percentage of memory in use: 36%
    Total physical RAM: 6077.03 MB
    Available physical RAM: 3866.65 MB
    Total Pagefile: 12343.11 MB
    Available Pagefile: 10126.1 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.87 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:683.57 GB) (Free:380.84 GB) NTFS ==>[Drive with boot components]
    2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:7.71 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 699 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B

    Partitions of Disk 0:

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 63 MB 32 KB
    Partition 2 Primary 15 GB 63 MB
    Partition 3 Primary 684 GB 15 GB

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D RECOVERY NTFS Partition 15 GB Healthy

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 684 GB Healthy System

    ==========================================================

    Last Boot: 2012-01-04 16:04

    ======================= End Of Log ==========================
     
  25. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore (see: How to turn off or turn on Windows XP System Restore).
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    OK any security prompts.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said).
    If you are running Windows XP, re-enable System Restore.
     
