TechSpot

Win64 Patched.a infection

Solved
By Rearranged
Jan 30, 2013
Topic Status:
Not open for further replies.
  1. Evening :)

    We have unfortunately come across this nasty little virus tonight, probably between 16:00 and 19:00 local time (from logging below). After scouring Google for an hour have seen lots of helpful replies from this forum and so come begging for help :)

    Below are the two logs from FRST. If anyone can help me successfully remove this I will gladly send a donation your way for your time and effort. Many thanks in advance

    Logs:
    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-01-2013 02
    Ran by SYSTEM at 30-01-2013 19:25:07
    Running from F:\
    Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11101800 2010-07-28] (Realtek Semiconductor)
    HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-08-25] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-27] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-16] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-11] (Apple Inc.)
    HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-10] (AVG Technologies CZ, s.r.o.)
    HKU\Ann\...\Run: [Google Update] "C:\Users\Ann\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-09-16] (Google Inc.)
    HKU\Ann\...\Run: [Mezzmo] C:\Program Files (x86)\Conceiva\Mezzmo\Mezzmo.exe [10608496 2012-09-26] (Conceiva Pty. Ltd.)
    HKU\Ann\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-22] (Apple Inc.)
    HKU\Ann\...\Run: [Facebook Update] "C:\Users\Ann\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-08-22] (Facebook Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Startup: C:\Users\Ann\Start Menu\Programs\Startup\Facebook Messenger.lnk
    ShortcutTarget: Facebook Messenger.lnk -> (No File)
    Startup: C:\Users\Ann\Start Menu\Programs\Startup\Mezzmo.lnk
    ShortcutTarget: Mezzmo.lnk -> C:\Program Files (x86)\Conceiva\Mezzmo\Mezzmo.exe (Conceiva Pty. Ltd.)
    Startup: C:\Users\Ann\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
    Startup: C:\Users\Ann\Start Menu\Programs\Startup\PeerBlock.lnk
    ShortcutTarget: PeerBlock.lnk -> C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)

    ==================== Services (Whitelisted) ===================

    2 avgfws; "C:\Program Files (x86)\AVG\AVG2013\avgfws.exe" [1342024 2012-12-09] (AVG Technologies CZ, s.r.o.)
    2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)
    2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-21] (AVG Technologies CZ, s.r.o.)
    2 Mezzmo; C:\Program Files (x86)\Conceiva\Mezzmo\MezzmoMediaServer.exe [3119472 2012-09-26] (Conceiva Pty. Ltd.)
    3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

    ==================== Drivers (Whitelisted) =====================

    1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [50296 2012-09-03] (AVG Technologies CZ, s.r.o.)
    1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-21] (AVG Technologies CZ, s.r.o. )
    0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-14] (AVG Technologies CZ, s.r.o. )
    1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-01] (AVG Technologies CZ, s.r.o.)
    0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-20] (AVG Technologies CZ, s.r.o.)
    0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-15] (AVG Technologies CZ, s.r.o.)
    0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-13] (AVG Technologies CZ, s.r.o.)
    1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-20] (AVG Technologies CZ, s.r.o.)
    3 pbfilter; \??\C:\Program Files\PeerBlock\pbfilter.sys [24176 2010-11-06] ()
    3 AsrCDDrv; \??\C:\Windows\SysWOW64\Drivers\AsrCDDrv.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2013-01-29 21:27 - 2013-01-29 21:40 - 00008257 ____A C:\Windows\System32\avgrep.txt
    2013-01-29 20:52 - 2013-01-29 20:52 - 00000000 ____D C:\Users\Ann\AppData\Roaming\AVG2013
    2013-01-29 20:48 - 2013-01-29 20:49 - 00000000 ____D C:\Users\All Users\AVG2013
    2013-01-29 20:48 - 2013-01-29 20:48 - 00000972 ____A C:\Users\Public\Desktop\AVG 2013.lnk
    2013-01-29 20:48 - 2013-01-29 20:48 - 00000000 ____D C:\Users\Ann\AppData\Roaming\TuneUp Software
    2013-01-29 20:45 - 2013-01-29 21:27 - 00000000 ____D C:\Users\Ann\AppData\Local\Avg2013
    2013-01-29 20:45 - 2013-01-29 20:45 - 04411440 ____A (AVG Technologies) C:\Users\Ann\Downloads\avg_isct_stb_all_2013_2667_evol1.exe
    2013-01-29 20:45 - 2013-01-29 20:45 - 00000000 ____D C:\Users\Ann\AppData\Local\MFAData
    2013-01-29 20:20 - 2013-01-29 20:20 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2013-01-29 19:54 - 2013-01-29 19:54 - 00000000 ____D C:\Users\Ann\AppData\Roaming\Babylon
    2013-01-29 19:54 - 2013-01-29 19:54 - 00000000 ____D C:\Users\Ann\AppData\Local\Babylon
    2013-01-29 19:54 - 2013-01-29 19:54 - 00000000 ____D C:\Users\All Users\Babylon
    2013-01-28 22:26 - 2013-01-28 19:18 - 57489900 ____N C:\Users\Ann\Desktop\IMG_0713.MOV
    2013-01-19 13:21 - 2013-01-19 15:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-01-14 00:35 - 2013-01-14 00:35 - 00000444 ____A C:\Users\Ann\Downloads\google.csv
    2013-01-08 16:10 - 2012-12-07 05:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll
    2013-01-08 16:10 - 2012-12-07 05:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll
    2013-01-08 16:10 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll
    2013-01-08 16:10 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll
    2013-01-08 16:10 - 2012-12-07 03:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs
    2013-01-08 16:10 - 2012-12-07 03:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs
    2013-01-08 16:10 - 2012-12-07 03:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs
    2013-01-08 16:10 - 2012-12-07 03:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs
    2013-01-08 16:10 - 2012-12-07 03:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs
    2013-01-08 16:10 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs
    2013-01-08 16:10 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs
    2013-01-08 16:10 - 2012-12-07 03:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs
    2013-01-08 16:10 - 2012-12-07 03:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs
    2013-01-08 16:10 - 2012-12-07 03:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs
    2013-01-08 16:10 - 2012-12-07 03:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs
    2013-01-08 16:10 - 2012-12-07 03:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs
    2013-01-08 16:10 - 2012-12-07 03:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs
    2013-01-08 16:10 - 2012-12-07 03:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs
    2013-01-08 16:10 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs
    2013-01-08 16:10 - 2012-11-21 21:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll
    2013-01-08 16:10 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
    2013-01-08 16:10 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2013-01-08 16:10 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2013-01-08 16:10 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
    2013-01-08 16:10 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
    2013-01-08 16:10 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2013-01-08 16:10 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2013-01-08 16:10 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2013-01-08 16:10 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2013-01-08 16:09 - 2012-11-29 21:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
    2013-01-08 16:09 - 2012-11-29 21:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
    2013-01-08 16:09 - 2012-11-29 21:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
    2013-01-08 16:09 - 2012-11-29 21:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
    2013-01-08 16:09 - 2012-11-29 21:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
    2013-01-08 16:09 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
    2013-01-08 16:09 - 2012-11-29 21:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
    2013-01-08 16:09 - 2012-11-29 20:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
    2013-01-08 16:09 - 2012-11-29 20:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 19:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
    2013-01-08 16:09 - 2012-11-29 18:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
    2013-01-08 16:09 - 2012-11-29 18:44 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
    2013-01-08 16:09 - 2012-11-29 18:44 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
    2013-01-08 16:09 - 2012-11-29 18:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
    2013-01-08 16:09 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
    2013-01-08 16:09 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls
    2013-01-08 16:09 - 2012-11-29 15:15 - 00420064 ____A C:\Windows\System32\locale.nls
    2013-01-08 16:09 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-01-08 16:09 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe


    ==================== One Month Modified Files and Folders =======

    2013-01-30 19:24 - 2013-01-30 19:24 - 00000000 ____D C:\FRST
    2013-01-29 22:17 - 2011-09-16 14:47 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000UA.job
    2013-01-29 22:00 - 2012-04-08 14:51 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-01-29 21:54 - 2011-11-09 17:03 - 00000000 ____D C:\Program Files\PeerBlock
    2013-01-29 21:53 - 2009-07-13 20:45 - 00022400 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-01-29 21:53 - 2009-07-13 20:45 - 00022400 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-01-29 21:50 - 2009-07-13 21:13 - 00726270 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-01-29 21:46 - 2012-09-02 19:36 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-01-29 21:46 - 2012-08-22 16:28 - 00035853 ____A C:\Windows\SysWOW64\debug.log
    2013-01-29 21:46 - 2012-06-01 18:58 - 00009540 ____A C:\Windows\setupact.log
    2013-01-29 21:46 - 2011-09-16 00:39 - 00000043 ____A C:\Windows\MezzmoMediaServer.INI
    2013-01-29 21:46 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-01-29 21:40 - 2013-01-29 21:27 - 00008257 ____A C:\Windows\System32\avgrep.txt
    2013-01-29 21:27 - 2013-01-29 20:45 - 00000000 ____D C:\Users\Ann\AppData\Local\Avg2013
    2013-01-29 21:00 - 2011-11-01 22:37 - 00000000 ____D C:\Users\All Users\MFAData
    2013-01-29 20:52 - 2013-01-29 20:52 - 00000000 ____D C:\Users\Ann\AppData\Roaming\AVG2013
    2013-01-29 20:51 - 2010-11-20 19:47 - 00028918 ____A C:\Windows\PFRO.log
    2013-01-29 20:49 - 2013-01-29 20:48 - 00000000 ____D C:\Users\All Users\AVG2013
    2013-01-29 20:49 - 2012-07-17 00:34 - 00000000 ___HD C:\$AVG
    2013-01-29 20:48 - 2013-01-29 20:48 - 00000972 ____A C:\Users\Public\Desktop\AVG 2013.lnk
    2013-01-29 20:48 - 2013-01-29 20:48 - 00000000 ____D C:\Users\Ann\AppData\Roaming\TuneUp Software
    2013-01-29 20:47 - 2012-07-17 00:33 - 00000000 ____D C:\Program Files (x86)\AVG
    2013-01-29 20:46 - 2012-09-02 19:36 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-01-29 20:45 - 2013-01-29 20:45 - 04411440 ____A (AVG Technologies) C:\Users\Ann\Downloads\avg_isct_stb_all_2013_2667_evol1.exe
    2013-01-29 20:45 - 2013-01-29 20:45 - 00000000 ____D C:\Users\Ann\AppData\Local\MFAData
    2013-01-29 20:42 - 2012-04-25 11:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-01-29 20:40 - 2011-09-05 23:26 - 00000000 ____D C:\Users\Ann\AppData\Roaming\uTorrent
    2013-01-29 20:20 - 2013-01-29 20:20 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2013-01-29 19:57 - 2011-09-03 22:11 - 01283296 ____A C:\Windows\WindowsUpdate.log
    2013-01-29 19:54 - 2013-01-29 19:54 - 00000000 ____D C:\Users\Ann\AppData\Roaming\Babylon
    2013-01-29 19:54 - 2013-01-29 19:54 - 00000000 ____D C:\Users\Ann\AppData\Local\Babylon
    2013-01-29 19:54 - 2013-01-29 19:54 - 00000000 ____D C:\Users\All Users\Babylon
    2013-01-29 18:32 - 2012-08-22 16:27 - 00000920 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000UA.job
    2013-01-29 15:32 - 2012-08-22 16:27 - 00000898 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000Core.job
    2013-01-29 09:17 - 2011-09-16 14:47 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000Core.job
    2013-01-28 22:26 - 2011-09-04 01:20 - 00000000 ____D C:\Users\Ann\AppData\Roaming\vlc
    2013-01-28 21:52 - 2011-09-10 22:40 - 00000000 ____D C:\Program Files\GOTSent
    2013-01-28 19:18 - 2013-01-28 22:26 - 57489900 ____N C:\Users\Ann\Desktop\IMG_0713.MOV
    2013-01-19 15:18 - 2013-01-19 13:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-01-14 00:35 - 2013-01-14 00:35 - 00000444 ____A C:\Users\Ann\Downloads\google.csv
    2013-01-09 07:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
    2013-01-09 06:21 - 2009-07-13 20:45 - 00297064 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-01-09 06:01 - 2011-09-09 12:45 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-01-08 18:00 - 2012-04-08 14:51 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-01-08 18:00 - 2011-09-17 15:05 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-01-03 12:03 - 2011-09-03 22:15 - 00000000 ____D C:\users\Ann
    2013-01-03 11:50 - 2012-01-24 16:02 - 00123388 ___AH C:\Windows\SysWOW64\mlfcache.dat


    ZeroAccess:
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\@
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\L
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\L\00000004.@
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\L\201d3dde
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\L\76603ac3
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\00000004.@
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\00000008.@
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\000000cb.@
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\80000000.@
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\80000032.@
    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\80000064.@

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-01-16 03:00:06
    Restore point made on: 2013-01-23 03:00:10
    Restore point made on: 2013-01-29 20:47:50
    Restore point made on: 2013-01-29 20:48:09

    ==================== Memory info ===========================

    Percentage of memory in use: 9%
    Total physical RAM: 8174.7 MB
    Available physical RAM: 7431.99 MB
    Total Pagefile: 8172.9 MB
    Available Pagefile: 7423.39 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ==================== Partitions =============================

    1 Drive c: (Windows) (Fixed) (Total:116.96 GB) (Free:22.53 GB) NTFS
    2 Drive d: (Apps) (Fixed) (Total:814.33 GB) (Free:128.92 GB) NTFS
    3 Drive e: (Jan 16 2013) (CDROM) (Total:0.07 GB) (Free:0 GB) UDF
    4 Drive f: () (Removable) (Total:7.64 GB) (Free:7.64 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B *
    Disk 1 Online 7840 MB 0 B

    Partitions of Disk 0:
    ===============

    Disk ID: {CB6476DE-BD40-454D-ADF9-7804C41AB71B}

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System (partition with boot components) 100 MB 1024 KB
    Partition 2 Reserved 128 MB 101 MB
    Partition 3 Primary 116 GB 229 MB
    Partition 4 Primary 814 GB 117 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
    Hidden : Yes
    Required: No
    Attrib : 0X8000000000000000

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 FAT32 Partition 100 MB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : e3c9e316-0b5c-4db8-817d-f92df00215ae
    Hidden : Yes
    Required: No
    Attrib : 0X8000000000000000

    There is no volume associated with this partition.

    =========================================================

    Disk: 0
    Partition 3
    Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Hidden : No
    Required: No
    Attrib : 0000000000000000

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C Windows NTFS Partition 116 GB Healthy

    =========================================================

    Disk: 0
    Partition 4
    Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Hidden : No
    Required: No
    Attrib : 0000000000000000

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D Apps NTFS Partition 814 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Disk ID: 91F72D24

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7839 MB 31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F FAT32 Removable 7839 MB Healthy

    =========================================================

    Last Boot: 2013-01-23 03:38

    ==================== End Of Log =============================
  2. Rearranged

    Rearranged TS Rookie Topic Starter

    Farbar Recovery Scan Tool (x64) Version: 28-01-2013 02
    Ran by SYSTEM at 2013-01-30 19:27:32
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

    ====== End Of Search ======
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST Fixlist

    Please download attached fixlist.txt below (at the bottom of this post), and save it to your flash drive in the same location as FRST.exe. Make sure it maintains the same name, otherwise the fix will fail.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.


    ComboFix scan

    Please download ComboFix[​IMG] by sUBs
    From TechSpot

    Direct Link (alternative)

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

    Attached Files:

  4. Rearranged

    Rearranged TS Rookie Topic Starter

    Thanks so much for your help so far. I've just run the FRST as above, here is the log below. Just about to download and run Combofix now.



    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-01-2013 02
    Ran by SYSTEM at 2013-01-31 06:45:18 Run:1
    Running from F:\

    ==============================================

    C:\Windows\Installer\{c812ecc5-ea15-6f7e-0181-0717ab8c5026} moved successfully.
    C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
    C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
  5. Rearranged

    Rearranged TS Rookie Topic Starter

    I've tried both of the download links for ComboFIX and both say it is currently unavailable. Is there any other trusted place I can source it from?
  6. Rearranged

    Rearranged TS Rookie Topic Starter

    Ok link came up again, here is the report:


    ComboFix 13-01-30.04 - Ann 31/01/2013 11:52:18.1.4 - x64
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.64.1033.18.8175.6790 [GMT 13:00]
    Running from: E:\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\DEBUG.log
    D:\install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-30 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-31 03:24 . 2013-01-31 03:24 -------- d-----w- C:\FRST
    2013-01-30 22:55 . 2013-01-30 22:55 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-01-30 04:48 . 2013-01-30 04:48 -------- d-----w- c:\users\Ann\AppData\Roaming\TuneUp Software
    2013-01-30 04:45 . 2013-01-30 04:45 -------- d-----w- c:\users\Ann\AppData\Local\MFAData
    2013-01-30 04:20 . 2013-01-30 04:20 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2013-01-30 03:54 . 2013-01-30 03:54 -------- d-----w- c:\users\Ann\AppData\Local\Babylon
    2013-01-30 03:54 . 2013-01-30 03:54 -------- d-----w- c:\users\Ann\AppData\Roaming\Babylon
    2013-01-30 03:54 . 2013-01-30 03:54 -------- d-----w- c:\programdata\Babylon
    2013-01-09 00:09 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-09 14:01 . 2011-09-09 20:45 67599240 ----a-w- c:\windows\system32\MRT.exe
    2013-01-09 02:00 . 2012-04-08 22:51 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-09 02:00 . 2011-09-17 23:05 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-16 17:11 . 2012-12-21 09:55 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-16 14:45 . 2012-12-21 09:55 367616 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-16 14:13 . 2012-12-21 09:55 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
    2012-12-16 14:13 . 2012-12-21 09:55 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2012-11-30 04:45 . 2013-01-09 00:09 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2012-11-14 07:06 . 2012-12-12 14:00 17811968 ----a-w- c:\windows\system32\mshtml.dll
    2012-11-14 06:32 . 2012-12-12 14:00 10925568 ----a-w- c:\windows\system32\ieframe.dll
    2012-11-14 06:11 . 2012-12-12 14:00 2312704 ----a-w- c:\windows\system32\jscript9.dll
    2012-11-14 06:04 . 2012-12-12 14:00 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-11-14 06:04 . 2012-12-12 14:00 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-11-14 06:02 . 2012-12-12 14:00 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-11-14 06:02 . 2012-12-12 14:00 237056 ----a-w- c:\windows\system32\url.dll
    2012-11-14 05:59 . 2012-12-12 14:00 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-11-14 05:58 . 2012-12-12 14:00 816640 ----a-w- c:\windows\system32\jscript.dll
    2012-11-14 05:57 . 2012-12-12 14:00 599040 ----a-w- c:\windows\system32\vbscript.dll
    2012-11-14 05:57 . 2012-12-12 14:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-11-14 05:55 . 2012-12-12 14:00 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-11-14 05:55 . 2012-12-12 14:00 729088 ----a-w- c:\windows\system32\msfeeds.dll
    2012-11-14 05:53 . 2012-12-12 14:00 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-11-14 05:52 . 2012-12-12 14:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-11-14 05:46 . 2012-12-12 14:00 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-11-14 02:09 . 2012-12-12 14:00 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-11-14 01:58 . 2012-12-12 14:00 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57 . 2012-12-12 14:00 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-11-14 01:49 . 2012-12-12 14:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48 . 2012-12-12 14:00 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
    2012-11-14 01:44 . 2012-12-12 14:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-11-09 05:45 . 2012-12-11 21:06 2048 ----a-w- c:\windows\system32\tzres.dll
    2012-11-09 04:42 . 2012-12-11 21:06 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2012-11-02 05:59 . 2012-12-11 21:06 478208 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-02 05:11 . 2012-12-11 21:06 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mezzmo"="c:\program files (x86)\Conceiva\Mezzmo\Mezzmo.exe" [2012-09-26 10608496]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "Facebook Update"="c:\users\Ann\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-08-23 138096]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-05 283160]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-25 98304]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-16 252296]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
    .
    c:\users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Facebook Messenger.lnk - c:\users\Ann\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe [2012-9-25 247728]
    Mezzmo.lnk - c:\program files (x86)\Conceiva\Mezzmo\Mezzmo.exe [2012-6-13 10608496]
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    PeerBlock.lnk - c:\program files\PeerBlock\peerblock.exe [2011-11-10 2646128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]
    R3 AsrCDDrv;AsrCDDrv;c:\windows\SysWOW64\Drivers\AsrCDDrv.sys [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-27 53760]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-07 1255736]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-26 203264]
    S2 Mezzmo;Mezzmo;c:\program files (x86)\Conceiva\Mezzmo\MezzmoMediaServer.exe [2012-09-26 3119472]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-07-15 116240]
    S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [2011-02-08 39936]
    S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [2011-02-08 64512]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-06 24176]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-30 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 02:00]
    .
    2013-01-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000Core.job
    - c:\users\Ann\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-23 00:27]
    .
    2013-01-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000UA.job
    - c:\users\Ann\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-23 00:27]
    .
    2013-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-03 03:36]
    .
    2013-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-03 03:36]
    .
    2013-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000Core.job
    - c:\users\Ann\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-16 22:47]
    .
    2013-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000UA.job
    - c:\users\Ann\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-16 22:47]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = https://www.google.co.nz/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Ann\AppData\Roaming\Mozilla\Firefox\Profiles\k6w7cjkg.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
    c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
    .
    **************************************************************************
    .
    Completion time: 2013-01-31 11:59:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-01-30 22:59
    .
    Pre-Run: 23,828,668,416 bytes free
    Post-Run: 24,243,453,952 bytes free
    .
    - - End Of File - - 7689E5B6BE20C06971D834ABA2F550F7
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Adware Cleaning

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
    .

    Junkware Removal Tool

    Please download Junkware Removal Tool to your desktop.
    • Warning! Once the scan is complete JRT will shut down your browser with NO warning.
    • Shut down your protection software now to avoid potential conflicts.
    • Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
    • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Copy and Paste the JRT.txt log into your next message.



    TDSSKiller Scan

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    [​IMG]

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    [​IMG]

    ------------------------

    Click the Start Scan button.

    [​IMG]

    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue


    [​IMG]

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    [​IMG]


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

    Sometimes these logs can be very large, in that case please attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  8. Rearranged

    Rearranged TS Rookie Topic Starter

    # AdwCleaner v2.109 - Logfile created 02/01/2013 at 12:22:44
    # Updated 26/01/2013 by Xplode
    # Operating system : Windows 7 Enterprise Service Pack 1 (64 bits)
    # User : Ann - CUJO
    # Boot Mode : Normal
    # Running from : C:\Users\Ann\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\ProgramData\Babylon
    Folder Deleted : C:\Users\Ann\AppData\Local\Babylon
    Folder Deleted : C:\Users\Ann\AppData\Roaming\Babylon
    Folder Deleted : C:\Users\Ann\AppData\Roaming\OpenCandy

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Softonic
    Key Deleted : HKLM\Software\AVG Secure Search
    Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16457

    [OK] Registry is clean.

    -\\ Mozilla Firefox v18.0.1 (en-GB)

    File : C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\Profiles\k6w7cjkg.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v24.0.1312.56

    File : C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [1133 octets] - [01/02/2013 12:22:44]

    ########## EOF - C:\AdwCleaner[S1].txt - [1193 octets] ##########
  9. Rearranged

    Rearranged TS Rookie Topic Starter

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.5.7 (01.30.2013:4)
    OS: Windows 7 Enterprise x64
    Ran by Ann on Fri 01/02/2013 at 12:30:04.78
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] "C:\Program Files (x86)\free youtube downloader"



    ~~~ FireFox

    Emptied folder: C:\Users\Ann\AppData\Roaming\mozilla\firefox\profiles\k6w7cjkg.default\minidumps [45 files]



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Fri 01/02/2013 at 12:34:18.52
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  10. Rearranged

    Rearranged TS Rookie Topic Starter

    And last bit!

    Attached Files:

  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.


    OTL Quick Scan

    Please download OTL by OldTimer to your Desktop.
    • Close all windows and double click OTL.exe.
    • Click Quick Scan button and let the program run uninterrupted.
    • It will produce a log for you called OTL.txt, please post it in your next reply.
    • You may need to use two posts to get it all.


    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death

    Note: Absence of issues does not mean that you're protected in the future.
     
  12. Rearranged

    Rearranged TS Rookie Topic Starter

    ESET found 6 threats but saiud it removed them all. Log below. Just about to run OTL now

    C:\FRST\Quarantine\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\00000004.@ Win64/Conedex.C trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\80000000.@ Win64/Sirefef.AW trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\80000032.@ probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{c812ecc5-ea15-6f7e-0181-0717ab8c5026}\U\80000064.@ a variant of Win64/Sirefef.AN trojan cleaned by deleting - quarantined
  13. Rearranged

    Rearranged TS Rookie Topic Starter

    OTL logs below

    OTL logfile created on: 4/02/2013 4:57:02 p.m. - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Ann\Downloads
    64bit- Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00001409 | Country: New Zealand | Language: ENZ | Date Format: d/MM/yyyy

    7.98 Gb Total Physical Memory | 6.45 Gb Available Physical Memory | 80.81% Memory free
    15.96 Gb Paging File | 14.35 Gb Available in Paging File | 89.87% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 116.96 Gb Total Space | 19.82 Gb Free Space | 16.94% Space Free | Partition Type: NTFS
    Drive D: | 814.33 Gb Total Space | 128.92 Gb Free Space | 15.83% Space Free | Partition Type: NTFS
    Drive F: | 153.75 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: CUJO | User Name: Ann | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/02/04 16:56:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Ann\Downloads\OTL.exe
    PRC - [2012/12/19 03:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2012/09/27 10:41:14 | 003,119,472 | ---- | M] (Conceiva Pty. Ltd.) -- C:\Program Files (x86)\Conceiva\Mezzmo\MezzmoMediaServer.exe
    PRC - [2012/02/23 13:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    PRC - [2010/11/06 00:54:22 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    PRC - [2010/11/06 00:54:20 | 000,283,160 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/01/10 03:27:35 | 000,475,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\ab54c04b3df40416205883b4049fe273\IAStorUtil.ni.dll
    MOD - [2013/01/10 03:27:35 | 000,014,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\4d6518ef6ae8d6f005c49ab1c86de7fe\IAStorCommon.ni.dll
    MOD - [2013/01/10 03:25:37 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll
    MOD - [2013/01/10 03:25:19 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\865d2bf19a7af7fab8660a42d92550fe\System.Windows.Forms.ni.dll
    MOD - [2013/01/10 03:25:14 | 001,592,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll
    MOD - [2013/01/10 03:25:05 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll
    MOD - [2013/01/10 03:25:01 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
    MOD - [2013/01/10 03:24:59 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll
    MOD - [2013/01/10 03:24:58 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
    MOD - [2013/01/10 03:24:53 | 011,493,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
    MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll


    ========== Services (SafeList) ==========

    SRV:64bit: - [2010/08/26 14:57:14 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2009/07/14 14:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/14 14:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
    SRV - [2013/01/20 10:22:00 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2013/01/09 15:00:10 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/12/19 03:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012/09/27 10:41:14 | 003,119,472 | ---- | M] (Conceiva Pty. Ltd.) [Auto | Running] -- C:\Program Files (x86)\Conceiva\Mezzmo\MezzmoMediaServer.exe -- (Mezzmo)
    SRV - [2011/11/30 16:12:40 | 000,718,888 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2011/11/16 21:09:12 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2010/11/06 00:54:22 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/11 10:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/09/28 10:32:56 | 000,053,760 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
    DRV:64bit: - [2012/03/01 19:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2011/11/01 10:07:26 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltjx64.sys -- (UsbserFilt)
    DRV:64bit: - [2011/11/01 10:07:26 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys -- (upperdev)
    DRV:64bit: - [2011/11/01 10:07:24 | 000,027,136 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdc)
    DRV:64bit: - [2011/11/01 10:07:24 | 000,019,968 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcd)
    DRV:64bit: - [2011/03/11 19:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 19:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2011/02/08 18:30:52 | 000,064,512 | ---- | M] (Etron Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\EtronXHCI.sys -- (EtronXHCI)
    DRV:64bit: - [2011/02/08 18:30:52 | 000,039,936 | ---- | M] (Etron Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\EtronHub3.sys -- (EtronHub3)
    DRV:64bit: - [2010/11/21 16:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
    DRV:64bit: - [2010/11/21 16:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/21 16:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
    DRV:64bit: - [2010/11/21 16:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
    DRV:64bit: - [2010/11/21 16:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
    DRV:64bit: - [2010/11/21 16:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
    DRV:64bit: - [2010/11/21 16:23:48 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser)
    DRV:64bit: - [2010/11/21 16:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/21 16:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
    DRV:64bit: - [2010/11/06 00:45:48 | 000,438,808 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
    DRV:64bit: - [2010/10/19 17:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
    DRV:64bit: - [2010/08/26 16:37:26 | 007,767,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
    DRV:64bit: - [2010/08/26 14:20:56 | 000,279,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
    DRV:64bit: - [2010/07/16 01:47:42 | 000,116,240 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
    DRV:64bit: - [2010/06/23 22:10:56 | 000,344,680 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2009/07/14 14:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/14 14:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/14 14:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/11 09:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/11 09:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/11 09:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/11 09:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2008/08/28 11:44:42 | 000,025,600 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd)
    DRV - [2009/07/14 14:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.nz/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-nz
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 52 DE B0 41 CC 6A CC 01 [binary data]
    IE - HKCU\..\SearchScopes,DefaultScope =
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.google.co.nz/"
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Ann\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Ann\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\facebook.com/fbDesktopPlugin: C:\Users\Ann\AppData\Local\Facebook\Messenger\2.1.4651.0\npFbDesktopPlugin.dll (Facebook, Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/01/20 10:22:00 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

    [2011/09/04 19:39:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ann\AppData\Roaming\Mozilla\Extensions
    [2013/01/30 17:37:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\Profiles\k6w7cjkg.default\extensions
    [2013/01/20 10:21:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2013/01/20 10:22:00 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/12/06 09:01:12 | 000,001,738 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2012/08/29 17:06:36 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/12/06 09:01:12 | 000,001,148 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2012/12/06 09:01:12 | 000,001,379 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2012/10/13 12:24:08 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
    [2012/12/06 09:01:12 | 000,001,334 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-en-GB.xml

    ========== Chrome ==========

    CHR - homepage: http://www.google.com/
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:eek:riginalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
    CHR - homepage: http://www.google.com/
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\Ann\AppData\Local\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Ann\AppData\Local\Google\Chrome\Application\24.0.1312.57\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Ann\AppData\Local\Google\Chrome\Application\24.0.1312.57\gcswf32.dll
    CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
    CHR - plugin: DownloadStudio (Enabled) = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgkplflikgolndhankdkfghmmmebkjcp\1.6_1\plugin\npds.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U22 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\Ann\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - Extension: YouTube = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
    CHR - Extension: DownloadStudio = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgkplflikgolndhankdkfghmmmebkjcp\1.6_1\
    CHR - Extension: Google Search = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
    CHR - Extension: Gmail = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

    O1 HOSTS File: ([2013/01/31 11:56:51 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O4 - HKCU..\Run: [Facebook Update] C:\Users\Ann\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
    O4 - HKCU..\Run: [Mezzmo] C:\Program Files (x86)\Conceiva\Mezzmo\Mezzmo.exe (Conceiva Pty. Ltd.)
    O4 - HKCU..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
    O4 - Startup: C:\Users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk = C:\Users\Ann\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe (Facebook)
    O4 - Startup: C:\Users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mezzmo.lnk = C:\Program Files (x86)\Conceiva\Mezzmo\Mezzmo.exe (Conceiva Pty. Ltd.)
    O4 - Startup: C:\Users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
    O4 - Startup: C:\Users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PeerBlock.lnk = C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O16:64bit: - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 10.5.1)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 10.5.1)
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClient Control)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EB4510E3-2EF4-4787-A8EA-E304E79263B3}: DhcpNameServer = 192.168.0.1
    O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll File not found
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll File not found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/02/04 16:18:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
    [2013/02/01 12:30:03 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
    [2013/02/01 12:29:59 | 000,000,000 | ---D | C] -- C:\JRT
    [2013/02/01 12:19:59 | 000,537,421 | ---- | C] (Oleg N. Scherbakov) -- C:\Users\Ann\Desktop\JRT.exe
    [2013/01/31 16:24:57 | 000,000,000 | ---D | C] -- C:\FRST
    [2013/01/31 11:59:42 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2013/01/31 11:56:53 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2013/01/31 11:51:13 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2013/01/31 11:51:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2013/01/31 11:51:13 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2013/01/31 11:49:25 | 000,000,000 | ---D | C] -- C:\Users\Ann\AppData\Local\Avg2013
    [2013/01/31 11:47:34 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2013/01/31 11:47:22 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2013/01/30 17:49:27 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2013/01/30 17:48:59 | 000,000,000 | ---D | C] -- C:\Users\Ann\AppData\Roaming\TuneUp Software
    [2013/01/30 17:45:55 | 000,000,000 | ---D | C] -- C:\Users\Ann\AppData\Local\MFAData
    [2013/01/30 17:20:01 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
    [2013/01/20 10:21:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
    [2013/01/09 13:10:14 | 000,750,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
    [2013/01/09 13:10:14 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
    [2013/01/09 13:10:09 | 000,800,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\usp10.dll
    [2013/01/09 13:10:09 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
    [2013/01/09 13:10:05 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\fpb.rs
    [2013/01/09 13:10:05 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysNative\fpb.rs
    [2013/01/09 13:10:05 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc-nz.rs
    [2013/01/09 13:10:05 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc-nz.rs
    [2013/01/09 13:10:05 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegibbfc.rs
    [2013/01/09 13:10:05 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegibbfc.rs
    [2013/01/09 13:10:05 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\csrr.rs
    [2013/01/09 13:10:05 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysNative\csrr.rs
    [2013/01/09 13:10:05 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cob-au.rs
    [2013/01/09 13:10:05 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cob-au.rs
    [2013/01/09 13:10:05 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\usk.rs
    [2013/01/09 13:10:05 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysNative\usk.rs
    [2013/01/09 13:10:05 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\grb.rs
    [2013/01/09 13:10:05 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysNative\grb.rs
    [2013/01/09 13:10:05 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-pt.rs
    [2013/01/09 13:10:05 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-pt.rs
    [2013/01/09 13:10:05 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi.rs
    [2013/01/09 13:10:05 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi.rs
    [2013/01/09 13:10:05 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\djctq.rs
    [2013/01/09 13:10:05 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysNative\djctq.rs
    [2013/01/09 13:10:04 | 002,746,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gameux.dll
    [2013/01/09 13:10:04 | 002,576,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gameux.dll
    [2013/01/09 13:10:04 | 000,441,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Wpc.dll
    [2013/01/09 13:10:04 | 000,308,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Wpc.dll
    [2013/01/09 13:10:04 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cero.rs
    [2013/01/09 13:10:04 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cero.rs
    [2013/01/09 13:10:04 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\esrb.rs
    [2013/01/09 13:10:04 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysNative\esrb.rs
    [2013/01/09 13:10:04 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc.rs
    [2013/01/09 13:10:04 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc.rs
    [2013/01/09 13:10:04 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-fi.rs
    [2013/01/09 13:10:04 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-fi.rs
    [2013/01/09 13:09:55 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
    [2013/01/09 13:09:54 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
    [2013/01/09 13:09:54 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
    [2013/01/09 13:09:54 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
    [2013/01/09 13:09:54 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
    [2013/01/09 13:09:54 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
    [2013/01/09 13:09:54 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
    [2013/01/09 13:09:54 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
    [2013/01/09 13:09:54 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
    [2013/01/09 13:09:54 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
    [2013/01/09 13:09:54 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
    [2013/01/09 13:09:54 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
    [2013/01/09 13:09:54 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
    [2013/01/09 13:09:54 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
    [2013/01/09 13:09:47 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskhost.exe

    ========== Files - Modified Within 30 Days ==========

    [2013/02/04 16:46:01 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2013/02/04 16:17:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000UA.job
    [2013/02/04 16:14:14 | 000,022,400 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/02/04 16:14:14 | 000,022,400 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/02/04 16:10:16 | 000,726,270 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2013/02/04 16:10:16 | 000,628,414 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2013/02/04 16:10:16 | 000,110,598 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2013/02/04 16:06:06 | 000,000,043 | ---- | M] () -- C:\Windows\MezzmoMediaServer.INI
    [2013/02/04 16:06:02 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2013/02/04 16:05:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2013/02/04 16:05:55 | 2133,880,831 | -HS- | M] () -- C:\hiberfil.sys
    [2013/02/01 18:32:02 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000UA.job
    [2013/02/01 18:00:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2013/02/01 12:32:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000Core.job
    [2013/02/01 12:20:00 | 000,537,421 | ---- | M] (Oleg N. Scherbakov) -- C:\Users\Ann\Desktop\JRT.exe
    [2013/02/01 12:19:50 | 000,580,235 | ---- | M] () -- C:\Users\Ann\Desktop\adwcleaner.exe
    [2013/01/31 11:56:51 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2013/01/31 06:17:00 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3317690383-389001063-789236981-1000Core.job
    [2013/01/29 16:18:44 | 057,489,900 | ---- | M] () -- C:\Users\Ann\Desktop\IMG_0713.MOV
    [2013/01/13 16:43:00 | 000,000,760 | ---- | M] () -- C:\Users\Ann\Desktop\Document.rtf
    [2013/01/13 11:25:55 | 000,027,386 | ---- | M] () -- C:\Users\Ann\Desktop\gollum_rotk_3.jpg
    [2013/01/10 03:21:38 | 000,297,064 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2013/01/09 15:00:10 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
    [2013/01/09 15:00:10 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

    ========== Files Created - No Company Name ==========

    [2013/02/01 12:19:48 | 000,580,235 | ---- | C] () -- C:\Users\Ann\Desktop\adwcleaner.exe
    [2013/01/31 11:51:13 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2013/01/31 11:51:13 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2013/01/31 11:51:13 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2013/01/31 11:51:13 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2013/01/31 11:51:13 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2013/01/29 19:26:23 | 057,489,900 | ---- | C] () -- C:\Users\Ann\Desktop\IMG_0713.MOV
    [2013/01/13 11:15:06 | 000,027,386 | ---- | C] () -- C:\Users\Ann\Desktop\gollum_rotk_3.jpg
    [2012/02/23 12:34:34 | 000,004,608 | ---- | C] () -- C:\Users\Ann\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/01/25 13:02:47 | 000,123,388 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
    [2011/10/14 18:19:41 | 000,000,033 | ---- | C] () -- C:\Windows\DownloadStudioScheduleMonitor.INI
    [2011/09/16 21:39:07 | 000,000,043 | ---- | C] () -- C:\Windows\MezzmoMediaServer.INI
    [2011/09/04 19:54:37 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2011/09/04 19:53:19 | 000,002,857 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

    ========== ZeroAccess Check ==========

    [2009/07/14 17:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 18:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 17:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 14:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 16:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 14:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    < End of report >
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    What other issues?
  15. Rearranged

    Rearranged TS Rookie Topic Starter

    No other issues from what we can tell
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create


    Remove tools, temp files, old Restore Points

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL sometimes hides your Desktop and Start menu so the cleanup can be completed. Do not be alerted, as this is normal.
    • It may open a log for you, but I don't need that.

    To remove all of the tools we used and the files and folders they created do the following:
    Double click OTL.exe.
    • Click the CleanUp button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  17. Rearranged

    Rearranged TS Rookie Topic Starter

    Here is the security check log

    Results of screen317's Security Check version 0.99.57
    Windows 7 Service Pack 1 x64 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    JavaFX 2.1.1
    Java(TM) 6 Update 22
    Java(TM) 7 Update 5
    Java version out of Date!
    Adobe Flash Player 11.5.502.146
    Adobe Reader 10.1.5 Adobe Reader out of Date!
    Mozilla Firefox (18.0.1)
    Google Chrome 24.0.1312.56
    Google Chrome 24.0.1312.57
    Google Chrome Plugins...
    ````````Process Check: objlist.exe by Laurent````````
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems


    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

    Any other questions before I mark this topic solved?
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Topic marked solved. :)
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.