Solved SIREFEF infection continuous reboot

astanley86

Hello,

I read the rules about your help and feel like there is hope you can help because you have helped others with what seems to be my problem as well. I will follow all directions by you so please let me know what the first step is.

I have a Windows 7 64-bit Home Premium Toshiba laptop. I have the Sirefef trojan virus and maybe more. Please, when you have the time, walk me through what I should do.

Thank you so much.

Andrew
 
Here are the results from frst64.exe, which was executed using Safe Mode with Command Prompt:

Scan result of Farbar Recovery Scan Tool Version: 09-07-2012
Ran by andrew at 09-07-2012 15:30:13
Running from E:\
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-07-09 15:11 - 2012-07-09 15:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E267B84541DA928B
2012-07-09 15:04 - 2012-07-09 15:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B0CD17B24D7561EC
2012-07-09 14:57 - 2012-07-09 14:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.25457AFA650FDABC
2012-07-09 14:48 - 2012-07-09 14:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BF3FFA9FBE87465E
2012-07-09 14:29 - 2012-07-09 14:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.341798E83B9BAE19
2012-07-09 14:21 - 2012-07-09 14:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F79E4B6139FC5A72
2012-07-09 14:04 - 2012-07-09 14:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4CEB74BCB88B8A14
2012-07-09 13:50 - 2012-07-09 13:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3D40CDC502FECC10
2012-07-09 13:49 - 2012-07-09 13:53 - 00000494 ____A C:\Windows\Tasks\SpeedyPC Registration3.job
2012-07-09 13:49 - 2012-07-09 13:49 - 00001170 ____A C:\Users\andrew\Desktop\SpeedyPC Pro.lnk
2012-07-09 13:49 - 2012-07-09 13:49 - 00000000 ____D C:\Users\andrew\AppData\Roaming\SpeedyPC Software
2012-07-09 13:49 - 2012-07-09 13:49 - 00000000 ____D C:\Users\andrew\AppData\Roaming\DriverCure
2012-07-09 13:48 - 2012-07-09 13:53 - 00000466 ____A C:\Windows\Tasks\SpeedyPC Update Version3.job
2012-07-09 13:48 - 2012-07-09 13:53 - 00000422 ____A C:\Windows\Tasks\SpeedyPC Pro.job
2012-07-09 13:48 - 2012-07-09 13:49 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\andrew\Downloads\SpyHunter-Installer.exe
2012-07-09 13:48 - 2012-07-09 13:48 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
2012-07-09 13:48 - 2012-07-09 13:48 - 00000000 ____D C:\Program Files (x86)\SpeedyPC Software
2012-07-09 13:47 - 2012-07-09 13:48 - 04819616 ____A (SpeedyPC Software Inc.) C:\Users\andrew\Downloads\SpeedyPC Pro Installer.exe
2012-07-09 13:47 - 2012-07-09 13:47 - 00001205 ____A C:\Users\andrew\Downloads\FixNCR.reg
2012-07-09 13:12 - 2012-07-09 13:13 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-09 13:12 - 2012-07-09 13:12 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-09 13:06 - 2012-07-09 13:08 - 12621696 ____A (Microsoft Corporation) C:\Users\andrew\Downloads\mseinstall.exe
2012-07-08 20:46 - 2012-07-08 20:58 - 00001937 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-08 20:46 - 2012-07-03 11:21 - 00958400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-08 20:46 - 2012-07-03 11:21 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-08 20:46 - 2012-07-03 11:21 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-08 20:46 - 2012-07-03 11:21 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-07-08 20:46 - 2012-07-03 11:21 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-08 20:45 - 2012-07-03 11:21 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-07-08 20:45 - 2012-07-03 11:21 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-08 20:45 - 2012-07-03 11:21 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-08 20:44 - 2012-07-08 20:44 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-07-08 20:44 - 2012-07-08 20:44 - 00000000 ____D C:\Program Files\AVAST Software
2012-07-06 15:42 - 2012-07-06 15:45 - 11371532 ____A C:\Users\andrew\Downloads\Will using a PEO save me money%3F.mp4
2012-07-06 15:42 - 2012-07-06 15:44 - 06232530 ____A C:\Users\andrew\Downloads\What level of services can I expect from The Astra Group%3F.mp4
2012-07-06 12:39 - 2012-07-06 12:42 - 08633783 ____A C:\Users\andrew\Downloads\Have you had experience with other PEO%27s%3F.mp4
2012-07-06 12:38 - 2012-07-06 12:42 - 08560999 ____A C:\Users\andrew\Downloads\What will my employees think of The Astra Group%3F.mp4
2012-07-06 11:25 - 2012-07-06 11:25 - 00000000 ____D C:\Users\andrew\Downloads\relation-7.x-1.0-rc2
2012-07-06 11:19 - 2012-07-06 11:24 - 09933418 ____A C:\Users\andrew\Downloads\How can The Astra Group assist with leadership development%3F.mp4
2012-07-06 11:05 - 2012-07-06 11:05 - 00000000 ____D C:\Users\andrew\AppData\Roaming\TechSmith
2012-07-06 10:54 - 2012-07-06 10:54 - 00000000 ____D C:\Users\All Users\TechSmith
2012-07-06 10:54 - 2012-07-06 10:54 - 00000000 ____D C:\Program Files (x86)\TechSmith
2012-07-06 10:26 - 2012-07-06 10:27 - 00000000 ____D C:\Users\andrew\Downloads\redhen_demo-7.x-1.x-dev
2012-07-06 09:57 - 2012-07-06 10:00 - 05995403 ____A C:\Users\andrew\Downloads\Can The Astra Group really assist our effort to boost employee morale%3F.mp4
2012-07-06 09:57 - 2012-07-06 09:59 - 05058552 ____A C:\Users\andrew\Downloads\Can The Astra Group assist our effort to remain in legal compliance%3F.mp4
2012-07-06 09:26 - 2012-07-06 09:26 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-06 08:31 - 2012-07-06 08:32 - 04893220 ____A C:\Users\andrew\Downloads\What else can The Astra Group do for my employees%3F.mp4
2012-07-06 08:31 - 2012-07-06 08:32 - 03127126 ____A C:\Users\andrew\Downloads\Can The Astra Group really add value to our business%3F.mp4
2012-07-03 12:27 - 2012-07-03 12:34 - 00000000 ____D C:\Users\andrew\Documents\My Kindle Content
2012-07-03 12:27 - 2012-07-03 12:27 - 00000000 ____D C:\Users\andrew\AppData\Local\Amazon
2012-07-03 12:18 - 2012-07-03 12:18 - 00000922 ____A C:\Users\Public\Desktop\Balsamiq Mockups.lnk
2012-07-03 12:18 - 2012-07-03 12:18 - 00000000 ____D C:\Program Files (x86)\Balsamiq Mockups
2012-06-28 14:49 - 2012-06-28 14:53 - 33873839 ____A C:\Users\andrew\Downloads\Online Human Resources - The Astra Group.mp4
2012-06-28 14:46 - 2012-06-28 14:46 - 01529735 ____A C:\Users\andrew\Downloads\What do you enjoy the most with working with The Astra Group%3F.mp4
2012-06-28 12:25 - 2012-06-28 12:29 - 11120117 ____A C:\Users\andrew\Downloads\HRx- Hiring.mp4
2012-06-28 12:25 - 2012-06-28 12:27 - 05577686 ____A C:\Users\andrew\Downloads\Automating HR makes life easy.mp4
2012-06-26 16:08 - 2012-06-26 16:16 - 37459483 ____A C:\Users\andrew\Downloads\HRx- Relief for your Human Resources Headaches.mp4
2012-06-26 16:08 - 2012-06-26 16:15 - 23691000 ____A C:\Users\andrew\Downloads\HRx- Employee Handbooks.mp4
2012-06-25 13:50 - 2012-06-25 13:50 - 00183581 ____A C:\Users\andrew\Downloads\RetainedSearch-2012-06-25T13-50-25.mysql.gz
2012-06-22 15:23 - 2012-06-22 15:23 - 00163915 ____A C:\Users\andrew\Downloads\RetainedSearch-2012-06-22T15-23-33.mysql.gz
2012-06-21 08:54 - 2012-06-02 17:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 08:54 - 2012-06-02 17:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 08:54 - 2012-06-02 17:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 08:53 - 2012-06-02 17:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 08:53 - 2012-06-02 17:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 08:53 - 2012-06-02 17:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 08:53 - 2012-06-02 17:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 08:52 - 2012-06-02 15:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 08:52 - 2012-06-02 15:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-18 21:13 - 2012-06-18 21:13 - 00030977 ____N C:\Users\andrew\Desktop\Purchase page 1.bmml
2012-06-18 21:13 - 2012-06-18 21:13 - 00007136 ____N C:\Users\andrew\Desktop\Tour the Features Page.bmml
2012-06-18 11:08 - 2012-06-18 11:08 - 00009257 ____A C:\Users\andrew\Desktop\mockup export v2.xml
2012-06-15 13:37 - 2012-06-15 13:36 - 00167936 ____A (Sun Microsystems©) C:\Windows\SysWOW64\JavaAccessBridge.dll
2012-06-15 13:37 - 2012-06-15 13:36 - 00090112 ____A (Sun Microsystems©) C:\Windows\SysWOW64\WindowsAccessBridge.dll
2012-06-15 13:37 - 2012-06-15 13:36 - 00032768 ____A (Sun Microsystems©) C:\Windows\SysWOW64\JAWTAccessBridge.dll
2012-06-15 11:51 - 2012-06-28 22:03 - 00002170 ___AH C:\Users\andrew\Documents\Default.rdp
2012-06-14 15:36 - 2012-06-14 15:36 - 00005853 ____A C:\Users\andrew\Desktop\mockup export.xml
2012-06-14 09:45 - 2012-05-17 21:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 09:45 - 2012-05-17 21:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-14 09:45 - 2012-05-17 21:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-14 09:45 - 2012-05-17 20:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-14 09:45 - 2012-05-17 20:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-14 09:45 - 2012-05-17 20:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-14 09:45 - 2012-05-17 20:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-14 09:45 - 2012-05-17 20:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-14 09:45 - 2012-05-17 20:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 09:45 - 2012-05-17 20:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-14 09:45 - 2012-05-17 20:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-14 09:45 - 2012-05-17 20:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-14 09:45 - 2012-05-17 20:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-14 09:45 - 2012-05-17 20:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-14 09:45 - 2012-05-17 18:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-14 09:45 - 2012-05-17 17:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-14 09:45 - 2012-05-17 17:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-14 09:45 - 2012-05-17 17:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-14 09:45 - 2012-05-17 17:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-14 09:45 - 2012-05-17 17:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-14 09:45 - 2012-05-17 17:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-14 09:45 - 2012-05-17 17:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-14 09:45 - 2012-05-17 17:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-14 09:45 - 2012-05-17 17:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-14 09:45 - 2012-05-17 17:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-14 09:45 - 2012-05-17 17:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-14 09:45 - 2012-05-17 17:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-14 09:44 - 2012-05-17 17:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 10:58 - 2012-05-14 20:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 10:58 - 2012-05-04 06:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-13 10:58 - 2012-05-04 05:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-13 10:58 - 2012-05-04 05:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-13 10:58 - 2012-05-01 00:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 10:58 - 2012-04-27 22:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 10:58 - 2012-04-26 00:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 10:58 - 2012-04-26 00:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 10:58 - 2012-04-26 00:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 10:58 - 2012-04-24 00:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 10:58 - 2012-04-24 00:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 10:58 - 2012-04-24 00:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 10:58 - 2012-04-23 23:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-13 10:58 - 2012-04-23 23:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-13 10:58 - 2012-04-23 23:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-13 10:58 - 2012-04-07 07:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-13 10:58 - 2012-04-07 06:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-13 10:02 - 2012-07-07 10:41 - 00000000 ____D C:\Users\andrew\AppData\Roaming\Audacity
2012-06-13 10:02 - 2012-06-13 10:02 - 00000982 ____A C:\Users\andrew\Desktop\Audacity.lnk
2012-06-13 10:02 - 2012-06-13 10:02 - 00000000 ____D C:\Program Files (x86)\Audacity
2012-06-11 14:27 - 2012-06-11 14:27 - 00002066 ____A C:\Windows\PFRO.log
2012-06-11 13:26 - 2012-06-11 13:39 - 00000000 ____D C:\Users\andrew\AppData\Local\blekkotb_031
2012-06-11 13:26 - 2012-06-11 13:33 - 00000000 ____D C:\Users\All Users\blekko toolbars
2012-06-11 13:03 - 2012-06-11 13:03 - 00000496 ____A C:\INSTALL.LOG
2012-06-11 12:53 - 2012-07-09 13:14 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-11 12:28 - 2012-07-09 13:42 - 01054702 ____A C:\Windows\WindowsUpdate.log
2012-06-11 12:18 - 2012-07-09 15:17 - 00001736 ____A C:\Windows\setupact.log
2012-06-11 12:18 - 2012-06-11 12:18 - 00000000 ____A C:\Windows\setuperr.log
2012-06-11 12:03 - 2012-06-11 12:04 - 00000000 ____D C:\Program Files\CCleaner
2012-06-11 11:56 - 2012-06-11 11:56 - 00000000 ____D C:\Users\andrew\AppData\Local\VS Revo Group
2012-06-11 11:56 - 2012-06-11 11:56 - 00000000 ____D C:\Program Files\VS Revo Group
2012-06-11 11:56 - 2009-12-30 11:21 - 00031800 ____A (VS Revo Group) C:\Windows\System32\Drivers\revoflt.sys
2012-06-11 10:26 - 2012-06-11 11:26 - 00000566 ____A C:\spyhunter.fix
2012-06-10 14:50 - 2012-06-10 14:50 - 00000000 ____A C:\autoexec.bat
2012-06-10 14:47 - 2012-06-10 14:48 - 00000000 ____D C:\Windows\18F97AF04F884494AFE25A5702E142CC.TMP
2012-06-10 14:46 - 2012-06-11 13:03 - 00000000 ____D C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2012-06-10 13:01 - 2012-06-10 13:01 - 00000000 ____D C:\QuiE1FD.tmp
2012-06-10 13:01 - 2012-06-10 13:01 - 00000000 ____D C:\QuiE1FC.tmp
2012-06-10 13:01 - 2012-06-10 13:01 - 00000000 ____D C:\QuiE1CD.tmp
2012-06-10 12:44 - 2012-06-11 13:03 - 00000000 ____D C:\sh4ldr
2012-06-10 12:44 - 2012-06-10 12:44 - 00000000 ____D C:\Program Files\Enigma Software Group


============ 3 Months Modified Files ========================

2012-07-09 15:27 - 2009-07-14 00:13 - 00868724 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-09 15:17 - 2012-06-11 12:18 - 00001736 ____A C:\Windows\setupact.log
2012-07-09 15:17 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-09 15:11 - 2012-07-09 15:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E267B84541DA928B
2012-07-09 15:04 - 2012-07-09 15:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B0CD17B24D7561EC
2012-07-09 15:04 - 2012-04-05 11:53 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-09 15:00 - 2011-08-01 10:32 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-09 14:57 - 2012-07-09 14:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.25457AFA650FDABC
2012-07-09 14:48 - 2012-07-09 14:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BF3FFA9FBE87465E
2012-07-09 14:32 - 2011-08-01 10:32 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-09 14:29 - 2012-07-09 14:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.341798E83B9BAE19
2012-07-09 14:21 - 2012-07-09 14:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F79E4B6139FC5A72
2012-07-09 14:19 - 2010-08-28 11:22 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1316227243-4030558763-2019172666-1001UA.job
2012-07-09 14:04 - 2012-07-09 14:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4CEB74BCB88B8A14
2012-07-09 13:53 - 2012-07-09 13:49 - 00000494 ____A C:\Windows\Tasks\SpeedyPC Registration3.job
2012-07-09 13:53 - 2012-07-09 13:48 - 00000466 ____A C:\Windows\Tasks\SpeedyPC Update Version3.job
2012-07-09 13:53 - 2012-07-09 13:48 - 00000422 ____A C:\Windows\Tasks\SpeedyPC Pro.job
2012-07-09 13:50 - 2012-07-09 13:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3D40CDC502FECC10
2012-07-09 13:49 - 2012-07-09 13:49 - 00001170 ____A C:\Users\andrew\Desktop\SpeedyPC Pro.lnk
2012-07-09 13:49 - 2012-07-09 13:48 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\andrew\Downloads\SpyHunter-Installer.exe
2012-07-09 13:48 - 2012-07-09 13:47 - 04819616 ____A (SpeedyPC Software Inc.) C:\Users\andrew\Downloads\SpeedyPC Pro Installer.exe
2012-07-09 13:47 - 2012-07-09 13:47 - 00001205 ____A C:\Users\andrew\Downloads\FixNCR.reg
2012-07-09 13:42 - 2012-06-11 12:28 - 01054702 ____A C:\Windows\WindowsUpdate.log
2012-07-09 13:18 - 2009-07-13 23:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-09 13:18 - 2009-07-13 23:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-09 13:14 - 2012-06-11 12:53 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-09 13:12 - 2011-05-17 08:52 - 00882874 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-09 13:08 - 2012-07-09 13:06 - 12621696 ____A (Microsoft Corporation) C:\Users\andrew\Downloads\mseinstall.exe
2012-07-08 20:58 - 2012-07-08 20:46 - 00001937 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-08 20:45 - 2010-06-18 12:34 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-07-08 19:55 - 2011-10-04 13:33 - 00393216 ____A C:\Windows\System32\Ikeext.etl
2012-07-08 15:16 - 2010-08-28 11:22 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1316227243-4030558763-2019172666-1001Core.job
2012-07-06 15:45 - 2012-07-06 15:42 - 11371532 ____A C:\Users\andrew\Downloads\Will using a PEO save me money%3F.mp4
2012-07-06 15:44 - 2012-07-06 15:42 - 06232530 ____A C:\Users\andrew\Downloads\What level of services can I expect from The Astra Group%3F.mp4
2012-07-06 14:54 - 2010-06-15 12:19 - 00010240 ____A C:\Users\andrew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-06 12:42 - 2012-07-06 12:39 - 08633783 ____A C:\Users\andrew\Downloads\Have you had experience with other PEO%27s%3F.mp4
2012-07-06 12:42 - 2012-07-06 12:38 - 08560999 ____A C:\Users\andrew\Downloads\What will my employees think of The Astra Group%3F.mp4
2012-07-06 11:24 - 2012-07-06 11:19 - 09933418 ____A C:\Users\andrew\Downloads\How can The Astra Group assist with leadership development%3F.mp4
2012-07-06 10:00 - 2012-07-06 09:57 - 05995403 ____A C:\Users\andrew\Downloads\Can The Astra Group really assist our effort to boost employee morale%3F.mp4
2012-07-06 09:59 - 2012-07-06 09:57 - 05058552 ____A C:\Users\andrew\Downloads\Can The Astra Group assist our effort to remain in legal compliance%3F.mp4
2012-07-06 08:32 - 2012-07-06 08:31 - 04893220 ____A C:\Users\andrew\Downloads\What else can The Astra Group do for my employees%3F.mp4
2012-07-06 08:32 - 2012-07-06 08:31 - 03127126 ____A C:\Users\andrew\Downloads\Can The Astra Group really add value to our business%3F.mp4
2012-07-03 12:18 - 2012-07-03 12:18 - 00000922 ____A C:\Users\Public\Desktop\Balsamiq Mockups.lnk
2012-07-03 11:21 - 2012-07-08 20:46 - 00958400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-03 11:21 - 2012-07-08 20:46 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-03 11:21 - 2012-07-08 20:46 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-03 11:21 - 2012-07-08 20:46 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-07-03 11:21 - 2012-07-08 20:46 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-03 11:21 - 2012-07-08 20:45 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-07-03 11:21 - 2012-07-08 20:45 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-03 11:21 - 2012-07-08 20:45 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-03 11:21 - 2011-01-15 12:17 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-06-28 22:03 - 2012-06-15 11:51 - 00002170 ___AH C:\Users\andrew\Documents\Default.rdp
2012-06-28 14:53 - 2012-06-28 14:49 - 33873839 ____A C:\Users\andrew\Downloads\Online Human Resources - The Astra Group.mp4
2012-06-28 14:46 - 2012-06-28 14:46 - 01529735 ____A C:\Users\andrew\Downloads\What do you enjoy the most with working with The Astra Group%3F.mp4
2012-06-28 12:29 - 2012-06-28 12:25 - 11120117 ____A C:\Users\andrew\Downloads\HRx- Hiring.mp4
2012-06-28 12:27 - 2012-06-28 12:25 - 05577686 ____A C:\Users\andrew\Downloads\Automating HR makes life easy.mp4
2012-06-26 16:16 - 2012-06-26 16:08 - 37459483 ____A C:\Users\andrew\Downloads\HRx- Relief for your Human Resources Headaches.mp4
2012-06-26 16:15 - 2012-06-26 16:08 - 23691000 ____A C:\Users\andrew\Downloads\HRx- Employee Handbooks.mp4
2012-06-26 14:24 - 2010-09-21 22:23 - 00001456 ____A C:\Users\andrew\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-06-25 13:50 - 2012-06-25 13:50 - 00183581 ____A C:\Users\andrew\Downloads\RetainedSearch-2012-06-25T13-50-25.mysql.gz
2012-06-22 15:23 - 2012-06-22 15:23 - 00163915 ____A C:\Users\andrew\Downloads\RetainedSearch-2012-06-22T15-23-33.mysql.gz
2012-06-18 21:13 - 2012-06-18 21:13 - 00030977 ____N C:\Users\andrew\Desktop\Purchase page 1.bmml
2012-06-18 21:13 - 2012-06-18 21:13 - 00007136 ____N C:\Users\andrew\Desktop\Tour the Features Page.bmml
2012-06-18 11:08 - 2012-06-18 11:08 - 00009257 ____A C:\Users\andrew\Desktop\mockup export v2.xml
2012-06-15 13:36 - 2012-06-15 13:37 - 00167936 ____A (Sun Microsystems©) C:\Windows\SysWOW64\JavaAccessBridge.dll
2012-06-15 13:36 - 2012-06-15 13:37 - 00090112 ____A (Sun Microsystems©) C:\Windows\SysWOW64\WindowsAccessBridge.dll
2012-06-15 13:36 - 2012-06-15 13:37 - 00032768 ____A (Sun Microsystems©) C:\Windows\SysWOW64\JAWTAccessBridge.dll
2012-06-14 15:36 - 2012-06-14 15:36 - 00005853 ____A C:\Users\andrew\Desktop\mockup export.xml
2012-06-14 10:27 - 2009-07-13 23:45 - 07314104 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 10:00 - 2010-06-19 18:44 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-13 10:02 - 2012-06-13 10:02 - 00000982 ____A C:\Users\andrew\Desktop\Audacity.lnk
2012-06-11 14:27 - 2012-06-11 14:27 - 00002066 ____A C:\Windows\PFRO.log
2012-06-11 13:03 - 2012-06-11 13:03 - 00000496 ____A C:\INSTALL.LOG
2012-06-11 12:18 - 2012-06-11 12:18 - 00000000 ____A C:\Windows\setuperr.log
2012-06-11 11:26 - 2012-06-11 10:26 - 00000566 ____A C:\spyhunter.fix
2012-06-10 14:50 - 2012-06-10 14:50 - 00000000 ____A C:\autoexec.bat
2012-06-02 17:19 - 2012-06-21 08:54 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 17:19 - 2012-06-21 08:54 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 17:19 - 2012-06-21 08:53 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 17:19 - 2012-06-21 08:53 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 17:19 - 2012-06-21 08:53 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 17:15 - 2012-06-21 08:54 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 17:15 - 2012-06-21 08:53 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 15:19 - 2012-06-21 08:52 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 15:15 - 2012-06-21 08:52 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 11:18 - 2010-06-14 13:20 - 00297944 ____A C:\Users\andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-30 14:11 - 2012-05-30 14:11 - 00000237 ____A C:\user.js
2012-05-22 11:48 - 2011-10-10 10:38 - 00297144 ____A C:\Users\Default\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-22 11:48 - 2011-10-10 10:38 - 00297144 ____A C:\Users\Default User\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-21 16:55 - 2012-05-21 16:55 - 00001054 ____A C:\Users\Public\Desktop\jCodeCollector.lnk
2012-05-18 18:05 - 2011-11-18 13:59 - 00000072 ____A C:\Users\Public\LMDebug.log
2012-05-17 21:47 - 2012-06-14 09:45 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 21:16 - 2012-06-14 09:45 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 21:06 - 2012-06-14 09:45 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 20:59 - 2012-06-14 09:45 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 20:59 - 2012-06-14 09:45 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 20:58 - 2012-06-14 09:45 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 20:58 - 2012-06-14 09:45 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 20:56 - 2012-06-14 09:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 20:55 - 2012-06-14 09:45 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 20:55 - 2012-06-14 09:45 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 20:54 - 2012-06-14 09:45 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 20:51 - 2012-06-14 09:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 20:51 - 2012-06-14 09:45 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 20:47 - 2012-06-14 09:45 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 18:11 - 2012-06-14 09:45 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 17:48 - 2012-06-14 09:44 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 17:45 - 2012-06-14 09:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 17:36 - 2012-06-14 09:45 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 17:35 - 2012-06-14 09:45 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 17:35 - 2012-06-14 09:45 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 17:33 - 2012-06-14 09:45 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 17:31 - 2012-06-14 09:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 17:29 - 2012-06-14 09:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 17:29 - 2012-06-14 09:45 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 17:27 - 2012-06-14 09:45 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 17:25 - 2012-06-14 09:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 17:24 - 2012-06-14 09:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 17:20 - 2012-06-14 09:45 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 20:32 - 2012-06-13 10:58 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-04 06:06 - 2012-06-13 10:58 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 05:03 - 2012-06-13 10:58 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 05:03 - 2012-06-13 10:58 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-01 00:40 - 2012-06-13 10:58 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 15:51 - 2012-04-10 16:17 - 00000215 ____A C:\Users\andrew\Desktop\Setting up Vmark.txt
2012-04-29 13:45 - 2010-08-05 10:34 - 00448000 __ASH C:\Users\andrew\Documents\Thumbs.db
2012-04-27 22:55 - 2012-06-13 10:58 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 10:22 - 2012-04-05 11:51 - 00418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-26 10:22 - 2011-05-14 15:57 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-26 00:41 - 2012-06-13 10:58 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-26 00:41 - 2012-06-13 10:58 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-26 00:34 - 2012-06-13 10:58 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-24 14:11 - 2012-04-24 14:12 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-04-24 14:11 - 2012-04-24 14:12 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-04-24 14:11 - 2012-04-24 14:12 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-04-24 14:11 - 2010-06-15 11:56 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-04-24 13:15 - 2012-04-24 10:20 - 00001539 ____A C:\Users\andrew\Desktop\firehost.txt
2012-04-24 00:37 - 2012-06-13 10:58 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-24 00:37 - 2012-06-13 10:58 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-24 00:37 - 2012-06-13 10:58 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 23:36 - 2012-06-13 10:58 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 23:36 - 2012-06-13 10:58 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 23:36 - 2012-06-13 10:58 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-21 10:21 - 2012-04-21 10:21 - 00001754 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-21 09:57 - 2012-04-21 09:57 - 00001981 ____A C:\Users\andrew\Desktop\Git GUI.lnk
2012-04-18 20:56 - 2012-04-18 20:56 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2012-04-18 20:56 - 2012-04-18 20:56 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2012-04-16 11:47 - 2012-04-16 11:47 - 00258560 ____A (TechSmith Corporation) C:\Windows\SysWOW64\tsc2_codec64.dll
2012-04-16 11:47 - 2012-04-16 11:47 - 00222208 ____A (TechSmith Corporation) C:\Windows\SysWOW64\tsc2_codec32.dll
2012-04-12 16:43 - 2009-07-13 21:34 - 00000478 ____A C:\Windows\win.ini
2012-04-12 12:13 - 2011-08-08 13:00 - 00000111 ____A C:\Windows\QBChanUtil_Trigger.ini


ZeroAccess:
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\L
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\L\00000004.@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\L\1afb2d56
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\L\201d3dde
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\00000008.@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\trz1E2A.tmp
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\trz276E.tmp

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3894.85 MB
Available physical RAM: 3210.64 MB
Total Pagefile: 7787.89 MB
Available Pagefile: 7109.04 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

======================= Partitions =========================

1 Drive c: (TI105444W0C) (Fixed) (Total:287.37 GB) (Free:58.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: () (Removable) (Total:3.75 GB) (Free:3.58 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3851 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 287 GB 1501 MB
Partition 3 Primary 9 GB 288 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 System NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105444W0C NTFS Partition 287 GB Healthy Boot

==================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3850 MB 484 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E FAT32 Removable 3850 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-08 16:59

======================= End Of Log ==========================
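The two FRST sections above that matter for triage, the "One Month Created Files" listing and the "Bamital & volsnap Check", use a fixed line layout, so a responder who handles many such logs can parse them instead of eyeballing them. The following Python is an added example, not code from this thread or from Farbar's tool: it parses the file-listing line format (created, modified, size, attribute flags, optional company, path), parses the MD5-check lines, and applies one heuristic that I derived from this particular log rather than from FRST, namely the run of `services.exe.<16 hex digits>` copies sitting beside the `services.exe` that FRST flagged as ZeroAccess. The sample lines are taken from the log above; the function and pattern names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One line of FRST's "Created Files" / "Modified Files" sections:
#   <created> - <modified> - <size> <attrs> [(Company)] <path>
# The attribute field is five characters (e.g. ____A, __ASH, ____D); the
# company field is absent for files that carry no version info (.ini, .db, .lnk).
FILE_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>.*?)\) )?"
    r"(?P<path>[A-Za-z]:\\.*?)\s*$"
)

# One line of the "Bamital & volsnap Check": either "<path> => MD5 is legit"
# or "<path> <MD5> <verdict> <==== ATTENTION!" when the hash is not known-good.
MD5_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) "
    r"(?:(?P<legit>=> MD5 is legit)"
    r"|(?P<md5>[0-9A-Fa-f]{32}) (?P<verdict>.+?) <==== ATTENTION!)"
)

# Heuristic taken from this log (my own, not an FRST rule): the infection left
# a series of services.exe.<16 hex digits> copies in System32.
SERVICES_COPY_RE = re.compile(r"\\services\.exe\.[0-9A-Fa-f]{16}$")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Parse one file-listing line; return None for lines of any other kind."""
    m = FILE_LINE_RE.match(line)
    if not m:
        return None
    return FileEntry(
        created=m["created"],
        modified=m["modified"],
        size=int(m["size"]),
        attrs=m["attrs"],
        company=m["company"],
        path=m["path"],
    )


def parse_md5_line(line: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (path, md5, verdict); md5 and verdict are None for a legit binary."""
    m = MD5_LINE_RE.match(line)
    if not m:
        return None
    return (m["path"], m["md5"], m["verdict"])


def triage(lines: List[str]) -> Dict[str, object]:
    """Walk FRST log lines and collect the indicators worth a responder's attention."""
    files: List[FileEntry] = []
    services_copies: List[str] = []
    md5_legit = 0
    md5_flagged: List[Tuple[str, str, str]] = []
    for raw in lines:
        line = raw.strip()
        entry = parse_file_line(line)
        if entry is not None:
            files.append(entry)
            if SERVICES_COPY_RE.search(entry.path):
                services_copies.append(entry.path)
            continue
        check = parse_md5_line(line)
        if check is not None:
            path, md5, verdict = check
            if md5 is None:
                md5_legit += 1
            else:
                md5_flagged.append((path, md5, verdict or ""))
    return {
        "file_entries": len(files),
        "services_exe_copies": services_copies,
        "md5_legit": md5_legit,
        "md5_flagged": md5_flagged,
    }


# Sample input copied from the FRST log posted above in this thread.
SAMPLE_LOG = [
    r"2012-07-09 15:11 - 2012-07-09 15:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E267B84541DA928B",
    r"2012-07-09 15:04 - 2012-07-09 15:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B0CD17B24D7561EC",
    r"2012-05-01 00:40 - 2012-06-13 10:58 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll",
    r"2012-04-29 13:45 - 2010-08-05 10:34 - 00448000 __ASH C:\Users\andrew\Documents\Thumbs.db",
    r"C:\Windows\System32\winlogon.exe => MD5 is legit",
    r"C:\Windows\System32\wininit.exe => MD5 is legit",
    r"C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['file_entries']} file entries, {result['md5_legit']} binaries with a known-good MD5")
    for path, md5, verdict in result["md5_flagged"]:
        print(f"FLAGGED {path} md5={md5} verdict={verdict}")
    for path in result["services_exe_copies"]:
        print(f"services.exe copy: {path}")
```

Run against a full FRST.txt (`triage(open("FRST.txt", encoding="utf-8", errors="replace").read().splitlines())`), the output gives the flagged binary, its hash for cross-checking against a clean system of the same build, and the list of leftover copies to account for once the replaced `services.exe` has been restored.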
 
Hi! Welcome to the forums. Were you not able to run FRST from the Recovery Environment?

Here is the instruction to do so:

SAVE Farbar Recovery Scan Tool to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Thanks! :)
 
Thank you for the fast response. Here is the scan from the recovery environment (sorry I incorrectly did this in my previous post):

Scan result of Farbar Recovery Scan Tool Version: 09-07-2012
Ran by SYSTEM at 09-07-2012 16:18:18
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [166424 2009-11-13] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [390168 2009-11-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8312352 2009-11-02] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1870120 2009-10-15] (Synaptics Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-02] (Intel Corporation)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4273976 2012-07-03] (AVAST Software)
HKU\andrew\...\Run: [Google Update] "C:\Users\andrew\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-08-28] (Google Inc.)
HKU\andrew\...\Run: [chromium] C:\Users\andrew\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window [1250328 2012-06-28] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.1.5
Startup: C:\Users\andrew\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_80c2ffa.dll [3417376 2012-05-29] ()
2 AppHostSvc; C:\Windows\SysWow64\inetsrv\apphostsvc.dll [61440 2010-11-20] (Microsoft Corporation)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-07-03] (AVAST Software)
2 BRA_Scheduler; C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe [65536 2010-09-15] ()
3 BrYNSvc; "C:\Program Files (x86)\Browny02\BrYNSvc.exe" [245760 2010-01-25] (Brother Industries, Ltd.)
2 McciCMService; "C:\Program Files (x86)\Common Files\Motive\McciCMService.exe" [319488 2010-04-30] (Alcatel-Lucent)
2 McciCMService64; "C:\Program Files\Common Files\Motive\McciCMService.exe" [517632 2010-04-30] (Alcatel-Lucent)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 QBCFMonitorService; "C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [45056 2011-11-04] (Intuit)
3 QBFCService; "C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2009-07-23] (Intuit Inc.)
2 QBVSS; "C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe" [1248256 2011-06-30] (Intuit Inc.)
2 SupportSoft RemoteAssist; C:\Program Files (x86)\Common Files\supportsoft\bin\ssrc.exe [386424 2010-02-24] (SupportSoft, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2314240 2009-09-30] (Intel Corporation)
3 WAS; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 XMail; C:\Program Files (x86)\acquia-drupal\xmail\XMail.exe [397824 2011-06-16] ()
2 XAMPP; C:\xampp\service.exe [x]

========================== Drivers (Whitelisted) =============

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-07-03] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71064 2012-07-03] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-07-03] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [958400 2012-07-03] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [355856 2012-07-03] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-07-03] (AVAST Software)
3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2011-03-02] ()
3 MREMP50; \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
3 MRESP50; \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA))
3 WsAudio_DeviceS(1); C:\Windows\System32\Drivers\WsAudio_DeviceS(1).sys [29288 2010-02-23] (Wondershare)
3 WsAudio_DeviceS(2); C:\Windows\System32\Drivers\WsAudio_DeviceS(2).sys [29288 2010-02-23] (Wondershare)
3 WsAudio_DeviceS(3); C:\Windows\System32\Drivers\WsAudio_DeviceS(3).sys [29288 2010-02-23] (Wondershare)
3 WsAudio_DeviceS(4); C:\Windows\System32\Drivers\WsAudio_DeviceS(4).sys [29288 2010-02-23] (Wondershare)
3 WsAudio_DeviceS(5); C:\Windows\System32\Drivers\WsAudio_DeviceS(5).sys [29288 2010-02-23] (Wondershare)
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-09 12:11 - 2012-07-09 12:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E267B84541DA928B
2012-07-09 12:04 - 2012-07-09 12:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B0CD17B24D7561EC
2012-07-09 11:57 - 2012-07-09 11:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.25457AFA650FDABC
2012-07-09 11:48 - 2012-07-09 11:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BF3FFA9FBE87465E
2012-07-09 11:29 - 2012-07-09 11:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.341798E83B9BAE19
2012-07-09 11:21 - 2012-07-09 11:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F79E4B6139FC5A72
2012-07-09 11:04 - 2012-07-09 11:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4CEB74BCB88B8A14
2012-07-09 10:50 - 2012-07-09 10:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3D40CDC502FECC10
2012-07-09 10:49 - 2012-07-09 10:53 - 00000494 ____A C:\Windows\Tasks\SpeedyPC Registration3.job
2012-07-09 10:49 - 2012-07-09 10:49 - 00001170 ____A C:\Users\andrew\Desktop\SpeedyPC Pro.lnk
2012-07-09 10:49 - 2012-07-09 10:49 - 00000000 ____D C:\Users\andrew\AppData\Roaming\SpeedyPC Software
2012-07-09 10:49 - 2012-07-09 10:49 - 00000000 ____D C:\Users\andrew\AppData\Roaming\DriverCure
2012-07-09 10:48 - 2012-07-09 10:53 - 00000466 ____A C:\Windows\Tasks\SpeedyPC Update Version3.job
2012-07-09 10:48 - 2012-07-09 10:53 - 00000422 ____A C:\Windows\Tasks\SpeedyPC Pro.job
2012-07-09 10:48 - 2012-07-09 10:49 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\andrew\Downloads\SpyHunter-Installer.exe
2012-07-09 10:48 - 2012-07-09 10:48 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
2012-07-09 10:48 - 2012-07-09 10:48 - 00000000 ____D C:\Program Files (x86)\SpeedyPC Software
2012-07-09 10:47 - 2012-07-09 10:48 - 04819616 ____A (SpeedyPC Software Inc.) C:\Users\andrew\Downloads\SpeedyPC Pro Installer.exe
2012-07-09 10:47 - 2012-07-09 10:47 - 00001205 ____A C:\Users\andrew\Downloads\FixNCR.reg
2012-07-09 10:12 - 2012-07-09 10:13 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-09 10:12 - 2012-07-09 10:12 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-09 10:06 - 2012-07-09 10:08 - 12621696 ____A (Microsoft Corporation) C:\Users\andrew\Downloads\mseinstall.exe
2012-07-08 17:46 - 2012-07-08 17:58 - 00001937 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-08 17:46 - 2012-07-03 08:21 - 00958400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-08 17:46 - 2012-07-03 08:21 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-08 17:46 - 2012-07-03 08:21 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-08 17:46 - 2012-07-03 08:21 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-07-08 17:46 - 2012-07-03 08:21 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-08 17:45 - 2012-07-03 08:21 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-07-08 17:45 - 2012-07-03 08:21 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-08 17:45 - 2012-07-03 08:21 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-08 17:44 - 2012-07-08 17:44 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-07-08 17:44 - 2012-07-08 17:44 - 00000000 ____D C:\Program Files\AVAST Software
2012-07-06 12:42 - 2012-07-06 12:45 - 11371532 ____A C:\Users\andrew\Downloads\Will using a PEO save me money%3F.mp4
2012-07-06 12:42 - 2012-07-06 12:44 - 06232530 ____A C:\Users\andrew\Downloads\What level of services can I expect from The Astra Group%3F.mp4
2012-07-06 09:39 - 2012-07-06 09:42 - 08633783 ____A C:\Users\andrew\Downloads\Have you had experience with other PEO%27s%3F.mp4
2012-07-06 09:38 - 2012-07-06 09:42 - 08560999 ____A C:\Users\andrew\Downloads\What will my employees think of The Astra Group%3F.mp4
2012-07-06 08:25 - 2012-07-06 08:25 - 00000000 ____D C:\Users\andrew\Downloads\relation-7.x-1.0-rc2
2012-07-06 08:19 - 2012-07-06 08:24 - 09933418 ____A C:\Users\andrew\Downloads\How can The Astra Group assist with leadership development%3F.mp4
2012-07-06 08:05 - 2012-07-06 08:05 - 00000000 ____D C:\Users\andrew\AppData\Roaming\TechSmith
2012-07-06 07:54 - 2012-07-06 07:54 - 00000000 ____D C:\Users\All Users\TechSmith
2012-07-06 07:54 - 2012-07-06 07:54 - 00000000 ____D C:\Program Files (x86)\TechSmith
2012-07-06 07:26 - 2012-07-06 07:27 - 00000000 ____D C:\Users\andrew\Downloads\redhen_demo-7.x-1.x-dev
2012-07-06 06:57 - 2012-07-06 07:00 - 05995403 ____A C:\Users\andrew\Downloads\Can The Astra Group really assist our effort to boost employee morale%3F.mp4
2012-07-06 06:57 - 2012-07-06 06:59 - 05058552 ____A C:\Users\andrew\Downloads\Can The Astra Group assist our effort to remain in legal compliance%3F.mp4
2012-07-06 06:26 - 2012-07-06 06:26 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-06 05:31 - 2012-07-06 05:32 - 04893220 ____A C:\Users\andrew\Downloads\What else can The Astra Group do for my employees%3F.mp4
2012-07-06 05:31 - 2012-07-06 05:32 - 03127126 ____A C:\Users\andrew\Downloads\Can The Astra Group really add value to our business%3F.mp4
2012-07-03 09:27 - 2012-07-03 09:34 - 00000000 ____D C:\Users\andrew\Documents\My Kindle Content
2012-07-03 09:27 - 2012-07-03 09:27 - 00000000 ____D C:\Users\andrew\AppData\Local\Amazon
2012-07-03 09:18 - 2012-07-03 09:18 - 00000922 ____A C:\Users\Public\Desktop\Balsamiq Mockups.lnk
2012-07-03 09:18 - 2012-07-03 09:18 - 00000000 ____D C:\Program Files (x86)\Balsamiq Mockups
2012-06-28 11:49 - 2012-06-28 11:53 - 33873839 ____A C:\Users\andrew\Downloads\Online Human Resources - The Astra Group.mp4
2012-06-28 11:46 - 2012-06-28 11:46 - 01529735 ____A C:\Users\andrew\Downloads\What do you enjoy the most with working with The Astra Group%3F.mp4
2012-06-28 09:25 - 2012-06-28 09:29 - 11120117 ____A C:\Users\andrew\Downloads\HRx- Hiring.mp4
2012-06-28 09:25 - 2012-06-28 09:27 - 05577686 ____A C:\Users\andrew\Downloads\Automating HR makes life easy.mp4
2012-06-26 13:08 - 2012-06-26 13:16 - 37459483 ____A C:\Users\andrew\Downloads\HRx- Relief for your Human Resources Headaches.mp4
2012-06-26 13:08 - 2012-06-26 13:15 - 23691000 ____A C:\Users\andrew\Downloads\HRx- Employee Handbooks.mp4
2012-06-25 10:50 - 2012-06-25 10:50 - 00183581 ____A C:\Users\andrew\Downloads\RetainedSearch-2012-06-25T13-50-25.mysql.gz
2012-06-22 12:23 - 2012-06-22 12:23 - 00163915 ____A C:\Users\andrew\Downloads\RetainedSearch-2012-06-22T15-23-33.mysql.gz
2012-06-21 05:54 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 05:54 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 05:54 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 05:53 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 05:53 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 05:53 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 05:53 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 05:52 - 2012-06-02 12:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 05:52 - 2012-06-02 12:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-18 18:13 - 2012-06-18 18:13 - 00030977 ____N C:\Users\andrew\Desktop\Purchase page 1.bmml
2012-06-18 18:13 - 2012-06-18 18:13 - 00007136 ____N C:\Users\andrew\Desktop\Tour the Features Page.bmml
2012-06-18 08:08 - 2012-06-18 08:08 - 00009257 ____A C:\Users\andrew\Desktop\mockup export v2.xml
2012-06-15 10:37 - 2012-06-15 10:36 - 00167936 ____A (Sun Microsystems©) C:\Windows\SysWOW64\JavaAccessBridge.dll
2012-06-15 10:37 - 2012-06-15 10:36 - 00090112 ____A (Sun Microsystems©) C:\Windows\SysWOW64\WindowsAccessBridge.dll
2012-06-15 10:37 - 2012-06-15 10:36 - 00032768 ____A (Sun Microsystems©) C:\Windows\SysWOW64\JAWTAccessBridge.dll
2012-06-15 08:51 - 2012-06-28 19:03 - 00002170 ___AH C:\Users\andrew\Documents\Default.rdp
2012-06-14 12:36 - 2012-06-14 12:36 - 00005853 ____A C:\Users\andrew\Desktop\mockup export.xml
2012-06-14 06:45 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 06:45 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-14 06:45 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-14 06:45 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-14 06:45 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-14 06:45 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-14 06:45 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-14 06:45 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-14 06:45 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 06:45 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-14 06:45 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-14 06:45 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-14 06:45 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-14 06:45 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-14 06:45 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-14 06:45 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-14 06:45 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-14 06:45 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-14 06:45 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-14 06:45 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-14 06:45 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-14 06:45 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-14 06:45 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-14 06:45 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-14 06:45 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-14 06:45 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-14 06:45 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-14 06:44 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 07:58 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 07:58 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-13 07:58 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-13 07:58 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-13 07:58 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 07:58 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 07:58 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 07:58 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 07:58 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 07:58 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 07:58 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 07:58 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 07:58 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-13 07:58 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-13 07:58 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-13 07:58 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-13 07:58 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-13 07:02 - 2012-07-07 07:41 - 00000000 ____D C:\Users\andrew\AppData\Roaming\Audacity
2012-06-13 07:02 - 2012-06-13 07:02 - 00000982 ____A C:\Users\andrew\Desktop\Audacity.lnk
2012-06-13 07:02 - 2012-06-13 07:02 - 00000000 ____D C:\Program Files (x86)\Audacity
2012-06-11 11:27 - 2012-06-11 11:27 - 00002066 ____A C:\Windows\PFRO.log
2012-06-11 10:26 - 2012-06-11 10:39 - 00000000 ____D C:\Users\andrew\AppData\Local\blekkotb_031
2012-06-11 10:26 - 2012-06-11 10:33 - 00000000 ____D C:\Users\All Users\blekko toolbars
2012-06-11 10:03 - 2012-06-11 10:03 - 00000496 ____A C:\INSTALL.LOG
2012-06-11 09:53 - 2012-07-09 10:14 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-11 09:28 - 2012-07-09 10:42 - 01054702 ____A C:\Windows\WindowsUpdate.log
2012-06-11 09:18 - 2012-07-09 13:05 - 00001848 ____A C:\Windows\setupact.log
2012-06-11 09:18 - 2012-06-11 09:18 - 00000000 ____A C:\Windows\setuperr.log
2012-06-11 09:03 - 2012-06-11 09:04 - 00000000 ____D C:\Program Files\CCleaner
2012-06-11 08:56 - 2012-06-11 08:56 - 00000000 ____D C:\Users\andrew\AppData\Local\VS Revo Group
2012-06-11 08:56 - 2012-06-11 08:56 - 00000000 ____D C:\Program Files\VS Revo Group
2012-06-11 08:56 - 2009-12-30 08:21 - 00031800 ____A (VS Revo Group) C:\Windows\System32\Drivers\revoflt.sys
2012-06-11 07:26 - 2012-06-11 08:26 - 00000566 ____A C:\spyhunter.fix
2012-06-10 11:50 - 2012-06-10 11:50 - 00000000 ____A C:\autoexec.bat
2012-06-10 11:47 - 2012-06-10 11:48 - 00000000 ____D C:\Windows\18F97AF04F884494AFE25A5702E142CC.TMP
2012-06-10 11:46 - 2012-06-11 10:03 - 00000000 ____D C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2012-06-10 10:01 - 2012-06-10 10:01 - 00000000 ____D C:\QuiE1FD.tmp
2012-06-10 10:01 - 2012-06-10 10:01 - 00000000 ____D C:\QuiE1FC.tmp
2012-06-10 10:01 - 2012-06-10 10:01 - 00000000 ____D C:\QuiE1CD.tmp
2012-06-10 09:44 - 2012-06-11 10:03 - 00000000 ____D C:\sh4ldr
2012-06-10 09:44 - 2012-06-10 09:44 - 00000000 ____D C:\Program Files\Enigma Software Group


============ 3 Months Modified Files ========================

2012-07-09 13:06 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-09 13:05 - 2012-06-11 09:18 - 00001848 ____A C:\Windows\setupact.log
2012-07-09 13:01 - 2011-08-01 07:32 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-09 12:27 - 2009-07-13 21:13 - 00868724 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-09 12:11 - 2012-07-09 12:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E267B84541DA928B
2012-07-09 12:04 - 2012-07-09 12:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B0CD17B24D7561EC
2012-07-09 12:04 - 2012-04-05 08:53 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-09 11:57 - 2012-07-09 11:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.25457AFA650FDABC
2012-07-09 11:48 - 2012-07-09 11:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BF3FFA9FBE87465E
2012-07-09 11:32 - 2011-08-01 07:32 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-09 11:29 - 2012-07-09 11:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.341798E83B9BAE19
2012-07-09 11:21 - 2012-07-09 11:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F79E4B6139FC5A72
2012-07-09 11:19 - 2010-08-28 08:22 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1316227243-4030558763-2019172666-1001UA.job
2012-07-09 11:04 - 2012-07-09 11:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4CEB74BCB88B8A14
2012-07-09 10:53 - 2012-07-09 10:49 - 00000494 ____A C:\Windows\Tasks\SpeedyPC Registration3.job
2012-07-09 10:53 - 2012-07-09 10:48 - 00000466 ____A C:\Windows\Tasks\SpeedyPC Update Version3.job
2012-07-09 10:53 - 2012-07-09 10:48 - 00000422 ____A C:\Windows\Tasks\SpeedyPC Pro.job
2012-07-09 10:50 - 2012-07-09 10:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3D40CDC502FECC10
2012-07-09 10:49 - 2012-07-09 10:49 - 00001170 ____A C:\Users\andrew\Desktop\SpeedyPC Pro.lnk
2012-07-09 10:49 - 2012-07-09 10:48 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\andrew\Downloads\SpyHunter-Installer.exe
2012-07-09 10:48 - 2012-07-09 10:47 - 04819616 ____A (SpeedyPC Software Inc.) C:\Users\andrew\Downloads\SpeedyPC Pro Installer.exe
2012-07-09 10:47 - 2012-07-09 10:47 - 00001205 ____A C:\Users\andrew\Downloads\FixNCR.reg
2012-07-09 10:42 - 2012-06-11 09:28 - 01054702 ____A C:\Windows\WindowsUpdate.log
2012-07-09 10:18 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-09 10:18 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-09 10:14 - 2012-06-11 09:53 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-09 10:12 - 2011-05-17 05:52 - 00882874 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-09 10:08 - 2012-07-09 10:06 - 12621696 ____A (Microsoft Corporation) C:\Users\andrew\Downloads\mseinstall.exe
2012-07-08 17:58 - 2012-07-08 17:46 - 00001937 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-08 17:45 - 2010-06-18 09:34 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-07-08 16:55 - 2011-10-04 10:33 - 00393216 ____A C:\Windows\System32\Ikeext.etl
2012-07-08 12:16 - 2010-08-28 08:22 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1316227243-4030558763-2019172666-1001Core.job
2012-07-06 12:45 - 2012-07-06 12:42 - 11371532 ____A C:\Users\andrew\Downloads\Will using a PEO save me money%3F.mp4
2012-07-06 12:44 - 2012-07-06 12:42 - 06232530 ____A C:\Users\andrew\Downloads\What level of services can I expect from The Astra Group%3F.mp4
2012-07-06 11:54 - 2010-06-15 09:19 - 00010240 ____A C:\Users\andrew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-06 09:42 - 2012-07-06 09:39 - 08633783 ____A C:\Users\andrew\Downloads\Have you had experience with other PEO%27s%3F.mp4
2012-07-06 09:42 - 2012-07-06 09:38 - 08560999 ____A C:\Users\andrew\Downloads\What will my employees think of The Astra Group%3F.mp4
2012-07-06 08:24 - 2012-07-06 08:19 - 09933418 ____A C:\Users\andrew\Downloads\How can The Astra Group assist with leadership development%3F.mp4
2012-07-06 07:00 - 2012-07-06 06:57 - 05995403 ____A C:\Users\andrew\Downloads\Can The Astra Group really assist our effort to boost employee morale%3F.mp4
2012-07-06 06:59 - 2012-07-06 06:57 - 05058552 ____A C:\Users\andrew\Downloads\Can The Astra Group assist our effort to remain in legal compliance%3F.mp4
2012-07-06 05:32 - 2012-07-06 05:31 - 04893220 ____A C:\Users\andrew\Downloads\What else can The Astra Group do for my employees%3F.mp4
2012-07-06 05:32 - 2012-07-06 05:31 - 03127126 ____A C:\Users\andrew\Downloads\Can The Astra Group really add value to our business%3F.mp4
2012-07-03 09:18 - 2012-07-03 09:18 - 00000922 ____A C:\Users\Public\Desktop\Balsamiq Mockups.lnk
2012-07-03 08:21 - 2012-07-08 17:46 - 00958400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-03 08:21 - 2012-07-08 17:46 - 00355856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-03 08:21 - 2012-07-08 17:46 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-03 08:21 - 2012-07-08 17:46 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-07-03 08:21 - 2012-07-08 17:46 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-03 08:21 - 2012-07-08 17:45 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-07-03 08:21 - 2012-07-08 17:45 - 00071064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-03 08:21 - 2012-07-08 17:45 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-03 08:21 - 2011-01-15 09:17 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-06-28 19:03 - 2012-06-15 08:51 - 00002170 ___AH C:\Users\andrew\Documents\Default.rdp
2012-06-28 11:53 - 2012-06-28 11:49 - 33873839 ____A C:\Users\andrew\Downloads\Online Human Resources - The Astra Group.mp4
2012-06-28 11:46 - 2012-06-28 11:46 - 01529735 ____A C:\Users\andrew\Downloads\What do you enjoy the most with working with The Astra Group%3F.mp4
2012-06-28 09:29 - 2012-06-28 09:25 - 11120117 ____A C:\Users\andrew\Downloads\HRx- Hiring.mp4
2012-06-28 09:27 - 2012-06-28 09:25 - 05577686 ____A C:\Users\andrew\Downloads\Automating HR makes life easy.mp4
2012-06-26 13:16 - 2012-06-26 13:08 - 37459483 ____A C:\Users\andrew\Downloads\HRx- Relief for your Human Resources Headaches.mp4
2012-06-26 13:15 - 2012-06-26 13:08 - 23691000 ____A C:\Users\andrew\Downloads\HRx- Employee Handbooks.mp4
2012-06-26 11:24 - 2010-09-21 19:23 - 00001456 ____A C:\Users\andrew\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-06-25 10:50 - 2012-06-25 10:50 - 00183581 ____A C:\Users\andrew\Downloads\RetainedSearch-2012-06-25T13-50-25.mysql.gz
2012-06-22 12:23 - 2012-06-22 12:23 - 00163915 ____A C:\Users\andrew\Downloads\RetainedSearch-2012-06-22T15-23-33.mysql.gz
2012-06-18 18:13 - 2012-06-18 18:13 - 00030977 ____N C:\Users\andrew\Desktop\Purchase page 1.bmml
2012-06-18 18:13 - 2012-06-18 18:13 - 00007136 ____N C:\Users\andrew\Desktop\Tour the Features Page.bmml
2012-06-18 08:08 - 2012-06-18 08:08 - 00009257 ____A C:\Users\andrew\Desktop\mockup export v2.xml
2012-06-15 10:36 - 2012-06-15 10:37 - 00167936 ____A (Sun Microsystems©) C:\Windows\SysWOW64\JavaAccessBridge.dll
2012-06-15 10:36 - 2012-06-15 10:37 - 00090112 ____A (Sun Microsystems©) C:\Windows\SysWOW64\WindowsAccessBridge.dll
2012-06-15 10:36 - 2012-06-15 10:37 - 00032768 ____A (Sun Microsystems©) C:\Windows\SysWOW64\JAWTAccessBridge.dll
2012-06-14 12:36 - 2012-06-14 12:36 - 00005853 ____A C:\Users\andrew\Desktop\mockup export.xml
2012-06-14 07:27 - 2009-07-13 20:45 - 07314104 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 07:00 - 2010-06-19 15:44 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-13 07:02 - 2012-06-13 07:02 - 00000982 ____A C:\Users\andrew\Desktop\Audacity.lnk
2012-06-11 11:27 - 2012-06-11 11:27 - 00002066 ____A C:\Windows\PFRO.log
2012-06-11 10:03 - 2012-06-11 10:03 - 00000496 ____A C:\INSTALL.LOG
2012-06-11 09:18 - 2012-06-11 09:18 - 00000000 ____A C:\Windows\setuperr.log
2012-06-11 08:26 - 2012-06-11 07:26 - 00000566 ____A C:\spyhunter.fix
2012-06-10 11:50 - 2012-06-10 11:50 - 00000000 ____A C:\autoexec.bat
2012-06-02 14:19 - 2012-06-21 05:54 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 05:54 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 05:53 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 05:53 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 05:53 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-21 05:54 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 05:53 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-21 05:52 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-21 05:52 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 08:18 - 2010-06-14 10:20 - 00297944 ____A C:\Users\andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-30 11:11 - 2012-05-30 11:11 - 00000237 ____A C:\user.js
2012-05-22 08:48 - 2011-10-10 07:38 - 00297144 ____A C:\Users\Default\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-22 08:48 - 2011-10-10 07:38 - 00297144 ____A C:\Users\Default User\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-21 13:55 - 2012-05-21 13:55 - 00001054 ____A C:\Users\Public\Desktop\jCodeCollector.lnk
2012-05-18 15:05 - 2011-11-18 10:59 - 00000072 ____A C:\Users\Public\LMDebug.log
2012-05-17 18:47 - 2012-06-14 06:45 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-14 06:45 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-14 06:45 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-14 06:45 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-14 06:45 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-14 06:45 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-14 06:45 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-14 06:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-14 06:45 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-14 06:45 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-14 06:45 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-14 06:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-14 06:45 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-14 06:45 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-14 06:45 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-14 06:44 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-14 06:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-14 06:45 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-14 06:45 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-14 06:45 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-14 06:45 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-14 06:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-14 06:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-14 06:45 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-14 06:45 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-14 06:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-14 06:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-14 06:45 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 17:32 - 2012-06-13 07:58 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-04 03:06 - 2012-06-13 07:58 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-13 07:58 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 07:58 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-30 21:40 - 2012-06-13 07:58 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 12:51 - 2012-04-10 13:17 - 00000215 ____A C:\Users\andrew\Desktop\Setting up Vmark.txt
2012-04-29 10:45 - 2010-08-05 07:34 - 00448000 __ASH C:\Users\andrew\Documents\Thumbs.db
2012-04-27 19:55 - 2012-06-13 07:58 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 07:22 - 2012-04-05 08:51 - 00418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-26 07:22 - 2011-05-14 12:57 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-25 21:41 - 2012-06-13 07:58 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:41 - 2012-06-13 07:58 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:34 - 2012-06-13 07:58 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-24 11:11 - 2012-04-24 11:12 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-04-24 11:11 - 2012-04-24 11:12 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-04-24 11:11 - 2012-04-24 11:12 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-04-24 11:11 - 2010-06-15 08:56 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-04-24 10:15 - 2012-04-24 07:20 - 00001539 ____A C:\Users\andrew\Desktop\firehost.txt
2012-04-23 21:37 - 2012-06-13 07:58 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:37 - 2012-06-13 07:58 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:37 - 2012-06-13 07:58 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:36 - 2012-06-13 07:58 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:36 - 2012-06-13 07:58 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:36 - 2012-06-13 07:58 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-21 07:21 - 2012-04-21 07:21 - 00001754 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-21 06:57 - 2012-04-21 06:57 - 00001981 ____A C:\Users\andrew\Desktop\Git GUI.lnk
2012-04-18 17:56 - 2012-04-18 17:56 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2012-04-18 17:56 - 2012-04-18 17:56 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2012-04-16 08:47 - 2012-04-16 08:47 - 00258560 ____A (TechSmith Corporation) C:\Windows\SysWOW64\tsc2_codec64.dll
2012-04-16 08:47 - 2012-04-16 08:47 - 00222208 ____A (TechSmith Corporation) C:\Windows\SysWOW64\tsc2_codec32.dll
2012-04-12 13:43 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-04-12 09:13 - 2011-08-08 10:00 - 00000111 ____A C:\Windows\QBChanUtil_Trigger.ini


ZeroAccess:
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\L
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\L\00000004.@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\L\1afb2d56
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\L\201d3dde
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\00000004.@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\00000008.@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\000000cb.@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\80000000.@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\80000032.@
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\trz1E2A.tmp
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\trz276E.tmp

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3894.85 MB
Available physical RAM: 3303.36 MB
Total Pagefile: 3893 MB
Available Pagefile: 3293.15 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (TI105444W0C) (Fixed) (Total:287.37 GB) (Free:58.52 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: () (Removable) (Total:3.75 GB) (Free:3.57 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 3851 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 287 GB 1501 MB
Partition 3 Primary 9 GB 288 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105444W0C NTFS Partition 287 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3850 MB 484 KB

==================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 3850 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-08 13:59

======================= End Of Log ==========================
 
Additional scans

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)



When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
 
Farbar Recovery Scan Tool Version: 09-07-2012
Ran by SYSTEM at 2012-07-09 16:46:52
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======

Thanks :)
 
FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
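For readers who want to reproduce what FRST checked and fixed here without the tool, the script below is an added example; it is not code from this thread, from FRST or from the helper. It looks for the three ZeroAccess indicators the log reported (the fake MSI cache folder under Windows\Installer with its "@", "L" and "U" entries, the Desktop.ini files dropped into GAC_32 and GAC_64, and a services.exe whose MD5 matches none of the copies in the component store) and, with -Repair, does what the "Replace:" line in the fixlist did. It assumes it is run from a clean environment with the infected volume mounted at -Root (a WinPE that has the PowerShell component added, or the drive attached to another Windows machine; the stock Windows 7 recovery prompt has no PowerShell) under PowerShell 4 or later for Get-FileHash. The -Root and -Repair parameters and the quarantine path are this example's own choices.

```powershell
<#
Added example, not code from the thread, from FRST or from the helper:
offline triage for the ZeroAccess/Sirefef indicators that the FRST log
above reports. Assumes a clean OS (WinPE with PowerShell, or another
Windows box) with the infected Windows volume mounted at -Root, and
PowerShell 4+ for Get-FileHash. Run on the live, infected OS the rootkit
can hide the very files this looks for, so do not do that.
#>
param(
    [string]$Root = 'C:',   # drive letter of the infected Windows volume
    [switch]$Repair         # also restore services.exe from WinSxS
)

$findings  = New-Object System.Collections.Generic.List[string]
$sys32     = Join-Path $Root 'Windows\System32'
$winsxs    = Join-Path $Root 'Windows\winsxs'
$installer = Join-Path $Root 'Windows\Installer'

# 1. File-system indicators: a fake MSI cache folder Windows\Installer\{GUID}\
#    holding '@', 'L' and 'U' entries, plus Desktop.ini in the .NET GAC folders.
Get-ChildItem -LiteralPath $installer -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$' } |
    ForEach-Object {
        $hasMarker = Test-Path -LiteralPath (Join-Path $_.FullName '@')
        $hasU      = Test-Path -LiteralPath (Join-Path $_.FullName 'U')
        if ($hasMarker -and $hasU) { $findings.Add("ZeroAccess folder: $($_.FullName)") }
    }
foreach ($gac in 'GAC_32', 'GAC_64') {
    $ini = Join-Path $Root "Windows\assembly\$gac\Desktop.ini"
    if (Test-Path -LiteralPath $ini) { $findings.Add("ZeroAccess Desktop.ini: $ini") }
}

# 2. services.exe integrity. The infection patches the live binary in place
#    (329216 bytes in this log versus 328704 for the clean copy), so its MD5
#    matches none of the copies the component store keeps. Authenticode is
#    deliberately not used: services.exe is catalog-signed, and
#    Get-AuthenticodeSignature reports NotSigned for such files on an offline
#    volume whether or not they have been tampered with.
$live     = Get-Item -LiteralPath (Join-Path $sys32 'services.exe')
$liveHash = (Get-FileHash -LiteralPath $live.FullName -Algorithm MD5).Hash

$stored = Get-ChildItem -LiteralPath $winsxs -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'amd64_microsoft-windows-s..s-servicecontroller_*' } |
    ForEach-Object { Join-Path $_.FullName 'services.exe' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object {
        [pscustomobject]@{
            Path = $_
            Size = (Get-Item -LiteralPath $_).Length
            MD5  = (Get-FileHash -LiteralPath $_ -Algorithm MD5).Hash
        }
    }

$clean = $stored | Where-Object { $_.MD5 -eq $liveHash }
if (-not $clean) {
    $findings.Add("services.exe tampered: size=$($live.Length) md5=$liveHash")
    $stored | ForEach-Object { $findings.Add("  WinSxS copy: size=$($_.Size) md5=$($_.MD5) $($_.Path)") }

    # 3. Optional repair, mirroring the FRST 'Replace:' directive: keep the
    #    tampered file for analysis, then copy the newest WinSxS copy (by
    #    directory name, which carries the build number) over it.
    if ($Repair -and $stored) {
        $quarantine = Join-Path $Root 'FRST\Quarantine'    # example path
        New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
        Move-Item -LiteralPath $live.FullName -Destination (Join-Path $quarantine 'services.exe.tampered') -Force
        $source = ($stored | Sort-Object Path -Descending | Select-Object -First 1).Path
        Copy-Item -LiteralPath $source -Destination $live.FullName
        $findings.Add("services.exe restored from $source")
    }
}

if ($findings.Count -eq 0) { 'no ZeroAccess indicators found' } else { $findings }
```

Two caveats a practitioner will want. First, the hash comparison only proves the live file differs from every stored copy; on this machine that plus the size difference and the FRST flag was enough, but on a box with a pending service pack or hotfix the same mismatch can be benign, so read the listed WinSxS sizes before trusting the verdict. Second, as in the thread, the restored copy should be the one that matches the installed update level where several exist; here only the 6.1.7600.16385 copy was present and FRST used it, which is why the rebooted system came up slowly but intact.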
 
Thank you! I'm restarting it now to see if I can finish the virus scan (there may be other viruses) Here is the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-07-2012
Ran by SYSTEM at 2012-07-10 07:42:00 Run:1
Running from G:\

==============================================

C:\Windows\Installer\{ffab1d8d-ea11-2f41-8aae-146b3b346e03} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
 
My computer is just hanging at login. It will show the welcome screen, I'll type my password, and then it is a black screen with my mouse cursor and it never boots up windows. :(
 
Sorry, just had to be more patient. It seems to be working now. Much slower than usual. I ran a quick scan of MSE and now I'm waiting for a full scan to be completed. There are quarantined viruses in my History but no threats detected it says.

Any suggested next steps? Thank you again so much for taking the time to individually help me solve this problem! How can I help techspot.com in return?
 
Let's run one more effective scan before we clean up our tools and System Restore, and get your computer back on track how it should be! :)

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Per giving back

Unless someone corrects me, I don't know of any way to donate to TechSpot. However, please consider optionally donating to me to help boost my individual services on the site.

I do know that TechSpot staff love if you stay around and contribute on the forums when you have available time.
 
Thanks. It did find one virus.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=13d0f3c389098e458063e45a96c8fc1c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-11 02:36:32
# local_time=2012-07-10 09:36:32 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=768 16777215 100 0 64146078 64146078 0 0
# compatibility_mode=5893 16776574 66 94 1587518 93493548 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=677394
# found=1
# cleaned=1
# scan_time=24093
C:\FRST\Quarantine\{ffab1d8d-ea11-2f41-8aae-146b3b346e03}\U\00000008.@	Win64/Agent.BA trojan	(cleaned by deleting - quarantined)	00000000000000000000000000000000	C
 
Okay, that's in quarantine, which means your computer is in good shape!!

If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, e.g. C
  • For a few moments the system will make some calculations:
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
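The restore-point step above is a sequence of Control Panel clicks; the block below is an added example (not from the thread or the helper) of the same step from an elevated PowerShell prompt, for readers who prefer the command line or need to script it. It assumes the cleaned Windows 7 system with C: as the system drive. Because vssadmin's /all removes every shadow copy, including any restore point created before it, the purge runs first and the "Clean" point is created afterwards, which ends in the same state Disk Cleanup leaves (one fresh point, nothing older).

```powershell
# Added example, not from the thread: command-line equivalent of
# "create a clean restore point, then purge the old ones".
# Assumes an elevated Windows PowerShell on the cleaned Windows 7 system
# with C: as the system drive.

# Old restore points are Volume Shadow Copies; each can hold a copy of the
# patched services.exe and the Installer\{GUID} payload, so a later
# System Restore to one of them would reinstate the infection.
'Restore points before cleanup:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# Remove every shadow copy on C:. Disk Cleanup's "System Restore and Shadow
# Copies" button keeps the newest point; /all keeps none, hence the order.
vssadmin delete shadows /for=C: /all /quiet

# Create the restore point that represents the cleaned state.
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'Clean' -RestorePointType MODIFY_SETTINGS

'Restore points after cleanup:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

On Windows 8 and later Checkpoint-Computer refuses to create more than one point per 24 hours unless the SystemRestorePointCreationFrequency policy is changed; Windows 7, as used in this thread, has no such limit.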
 
Thanks. I created the system restore, deleted all previous system restores, ran otc, ran tfc, and ran the security check. It says that microsoft security essentials is not running but I did turn it back on and it appears to be working and protecting the computer. Here are the results (I don't even use firefox - just chrome mainly)

Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials
(On Access scanning disabled!)
Error obtaining update status for antivirus!
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 31
Java version out of Date!
Adobe Flash Player 11.1.102.63 Flash Player out of Date!
Adobe Reader X (10.1.3)
Mozilla Firefox 8.0 Firefox out of Date!
Mozilla Thunderbird 10.0.2 Thunderbird out of Date!
Google Chrome 19.0.1084.56
Google Chrome 20.0.1132.47
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
seems to be running well! THANK YOU
 
Probably would be best to remove Firefox or get it updated. It can leave vulnerabilities that can be exploited by viruses/malware.

Adobe Flash Player Update!

Please download the newest version of Adobe Flash Player from Adobe.com

Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Any other questions before I mark this topic solved?
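The Security Check log above flagged out-of-date Java, Flash Player, Firefox and Thunderbird, and the advice is to remove every old version before installing the new one. The block below is an added example, not code from the thread, that lists those entries from both uninstall hives (32-bit Java and Flash register under Wow6432Node on a 64-bit system, so reading only the native hive misses them) and prints the silent msiexec command for each MSI-registered Java entry. It assumes an elevated Windows PowerShell on the 64-bit Windows 7 machine; the product pattern and the output layout are this example's own choices.

```powershell
# Added example, not from the thread: enumerate installed Java, Flash
# Player, Firefox and Thunderbird entries so old versions can be removed
# before the update goes on. Assumes elevated Windows PowerShell on 64-bit
# Windows 7. Both hives are read because 32-bit installers register under
# Wow6432Node.
$hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

$pattern = 'Java|J2SE|Flash Player|Firefox|Thunderbird'   # example product set

$installed = foreach ($hive in $hives) {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Bitness   = if ($hive -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
                Uninstall = $_.UninstallString
            }
        }
}

$installed | Sort-Object Name, Version | Format-Table Name, Version, Bitness -AutoSize

# MSI-registered entries (Java is one) carry their product code in the
# UninstallString. Print, rather than run, the silent removal command for
# each so the list can be reviewed before anything is uninstalled.
$installed |
    Where-Object { $_.Name -match 'Java|J2SE' } |
    ForEach-Object {
        $code = [regex]::Match($_.Uninstall, '\{[0-9A-Fa-f-]{36}\}').Value
        if ($code) { "msiexec /x $code /qn /norestart    # $($_.Name) $($_.Version)" }
    }
```

Flash Player and Firefox use their own uninstallers rather than MSI, so for those the UninstallString column is the command to run; Adobe also ships a stand-alone Flash uninstaller that removes every plug-in variant at once, which is simpler than chasing each entry.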
 
Thank you! I will do all of these things. The computer is running like its old self again. I really appreciate all your help, you really saved me.
 