Solved Win64/Patched.A


vincenth_30

Hi,

For a few days now, my computer has been infected with a very annoying virus. AVG gives me the following message:
"Virus identified Win64/Patched.A, c:\Windows\System32\services.exe";"Cannot be cleaned
Remove manually"
I ran FRST64.exe as this seems to be the way to go. Help would be very much appreciated.
 

Here is the log file:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-10-2012 (ATTENTION: FRST version is 9 days old)
Ran by Vincent at 19-10-2012 04:02:50
Running from C:\Users\Vincent\Downloads
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-10-19 04:00 - 2012-10-19 04:00 - 01458573 ____A (Farbar) C:\Users\Vincent\Downloads\FRST64 (1).exe
2012-10-19 03:15 - 2012-10-19 03:15 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-19 03:15 - 2012-10-19 03:15 - 00000000 ____D C:\Users\Vincent\AppData\Roaming\Malwarebytes
2012-10-19 03:15 - 2012-10-19 03:15 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-10-19 03:15 - 2012-10-19 03:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-10-19 03:15 - 2012-09-29 19:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-10-19 03:14 - 2012-10-19 03:14 - 09502424 ____A (Malwarebytes Corporation ) C:\Users\Vincent\Downloads\mbam-setup-1.60.1.1000.exe
2012-10-19 02:46 - 2012-10-19 03:55 - 00007632 ____A C:\Users\Vincent\Desktop\avgrep.txt
2012-10-19 00:28 - 2012-10-19 00:28 - 00000000 ____D C:\Users\Vincent\AppData\Local\{2596B2D9-2939-49BE-809B-5040499F8DE5}
2012-10-18 12:27 - 2012-10-18 12:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{AF8F6DB2-BCEA-4766-8E83-55A0B25238B2}
2012-10-18 00:27 - 2012-10-18 00:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{FA30AD11-CD24-4D9D-8677-ECAF5F76BC34}
2012-10-17 12:27 - 2012-10-17 12:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{E91FCF60-5625-41BE-A2AE-058C6FDB8AB3}
2012-10-16 23:01 - 2012-10-16 23:01 - 00000000 ____D C:\Users\Vincent\AppData\Local\{29960B07-F84B-470B-8745-1E772263FC53}
2012-10-16 11:00 - 2012-10-16 11:01 - 00000000 ____D C:\Users\Vincent\AppData\Local\{21DDA171-5825-4632-9E44-AE55E224E34F}
2012-10-15 16:58 - 2012-10-15 16:58 - 00000000 ____D C:\Users\Vincent\AppData\Local\{60D19166-97A9-44EB-AA24-7742D8768CAA}
2012-10-14 22:28 - 2012-10-14 22:28 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DD140107-C969-4040-824C-04C7DFC9109C}
2012-10-13 12:59 - 2012-10-13 12:59 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DC870297-648A-4E8C-96BC-0B06946A646F}
2012-10-13 00:30 - 2012-10-13 00:30 - 00000000 ____D C:\Users\Vincent\AppData\Local\{D6B261FC-A850-46F5-82C3-BC129429A053}
2012-10-12 14:21 - 2012-10-12 14:21 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2012-10-12 14:21 - 2012-10-12 14:21 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2012-10-12 12:29 - 2012-10-12 12:29 - 00000000 ____D C:\Users\Vincent\AppData\Local\{FB7188B6-F109-4E1F-B8E0-90513E4BF9B5}
2012-10-12 00:00 - 2012-10-12 00:00 - 11970272 ____A (ManyCam LLC) C:\Users\Vincent\Downloads\ManyCamSetup.exe
2012-10-11 19:37 - 2012-10-11 19:38 - 00000000 ____D C:\Users\Vincent\AppData\Local\{10971EA7-1CC1-4751-AF85-C62C3EA8FE63}
2012-10-11 01:27 - 2012-10-11 01:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{4381C485-C5C9-4FC0-985B-17256BC8DEE5}
2012-10-10 17:27 - 2012-10-10 17:27 - 00002533 ____A C:\Users\Public\Desktop\DBSelector.lnk
2012-10-10 17:27 - 2012-10-10 17:27 - 00002533 ____A C:\Users\Public\Desktop\aXionGUI.lnk
2012-10-10 17:27 - 2012-10-10 17:27 - 00002533 ____A C:\Users\Public\Desktop\aXion.lnk
2012-10-10 13:26 - 2012-10-10 13:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{5CDC406C-2D43-4426-851E-8C7A40295E33}
2012-10-10 13:18 - 2012-10-10 13:18 - 00003664 ____A C:\Users\Vincent\Desktop\RKreport[1].txt
2012-10-10 13:18 - 2012-10-10 13:18 - 00000000 ____D C:\Users\Vincent\Desktop\RK_Quarantine
2012-10-10 13:17 - 2012-10-10 13:17 - 01422336 ____A C:\Users\Vincent\Downloads\RogueKiller.exe
2012-10-10 13:14 - 2012-10-10 13:14 - 01456791 ____A (Farbar) C:\Users\Vincent\Downloads\FRST64.exe
2012-10-10 13:08 - 2012-10-10 13:09 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-10-10 13:08 - 2012-10-10 13:08 - 08962000 ____A (SurfRight B.V.) C:\Users\Vincent\Downloads\HitmanPro36_x64.exe
2012-10-10 01:39 - 2012-10-10 01:41 - 92121088 ____A C:\Users\Vincent\Downloads\avg_arl_cdi_all_120_120823a5226.iso
2012-10-10 01:26 - 2012-10-10 01:26 - 00000000 ____D C:\Users\Vincent\AppData\Local\{540279FD-61AF-44F8-92B6-4E9C8ACE4934}
2012-10-10 00:21 - 2012-10-10 00:21 - 00000000 ____D C:\Users\Vincent\Desktop\avg_arl_ffi_all_120_120823a5226
2012-10-10 00:09 - 2012-10-10 00:11 - 103899007 ____A C:\Users\Vincent\Downloads\avg_arl_ffi_all_120_120823a5226.zip
2012-10-09 23:02 - 2012-10-09 23:02 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-10-09 22:57 - 2012-10-09 22:57 - 00000000 ____D C:\Users\Vincent\Downloads\IBM.Rational.PurifyPlus.v7.0.W.keygen
2012-10-09 22:53 - 2012-10-09 22:53 - 00169910 ____A C:\Users\Vincent\Downloads\IBM.Rational.PurifyPlus.v7.0.W.keygen.zip
2012-10-09 22:14 - 2012-10-09 22:50 - 00000000 ____D C:\Program Files (x86)\Rational
2012-10-09 22:14 - 2012-10-09 22:49 - 00026560 ____A C:\Users\Vincent\AppData\Local\rational_state.log
2012-10-09 13:26 - 2012-10-09 13:26 - 00000000 ____D C:\Users\Vincent\AppData\Local\{8C252A56-0F28-4498-BF79-5EAC8CB8A2AA}
2012-10-08 19:18 - 2012-10-08 19:18 - 00000000 ____D C:\Users\Vincent\AppData\Local\{AF4FE3DA-F8A7-4CE3-866A-D5BA29D0B18F}
2012-10-08 00:56 - 2012-10-08 00:56 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DFC6225C-E187-4345-9777-F91AAA83674C}
2012-10-07 12:55 - 2012-10-07 12:56 - 00000000 ____D C:\Users\Vincent\AppData\Local\{7636EAF4-49FF-4683-8649-E2EE2DB4711F}
2012-10-07 00:55 - 2012-10-07 00:55 - 00000000 ____D C:\Users\Vincent\AppData\Local\{A28611C8-4C17-4CE8-A00D-D85961850959}
2012-10-06 15:35 - 2012-10-06 15:35 - 00001473 ____A C:\Users\Vincent\AppData\Local\recently-used.xbel
2012-10-06 12:55 - 2012-10-06 12:55 - 00000000 ____D C:\Users\Vincent\AppData\Local\{1A9E419C-CE79-4172-B2C9-371017595800}
2012-10-05 19:42 - 2012-10-05 19:43 - 00000000 ____D C:\Users\Vincent\AppData\Local\{CD5EB37A-9C55-46FB-BE33-D482BB9C9B93}
2012-10-05 03:26 - 2012-10-05 03:26 - 00111456 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys
2012-10-05 03:07 - 2012-10-05 03:08 - 00000000 ____D C:\Users\Vincent\AppData\Local\{EBBFAB05-C8C9-4DFA-A921-58EFB8AF121D}
2012-10-05 02:13 - 2012-10-05 02:13 - 00000000 ____D C:\Users\Vincent\AppData\Roaming\AVG2013
2012-10-05 02:12 - 2012-10-12 14:21 - 00000965 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-10-05 02:12 - 2012-10-05 02:12 - 00000000 ____D C:\Users\Vincent\AppData\Roaming\TuneUp Software
2012-10-05 02:12 - 2012-10-05 02:12 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-10-05 02:11 - 2012-10-10 03:41 - 00000000 ____D C:\Users\All Users\AVG2013
2012-10-04 19:54 - 2012-10-19 02:46 - 00000000 ____D C:\Users\Vincent\AppData\Local\Avg2013
2012-10-04 19:54 - 2012-10-04 19:54 - 00000000 ____D C:\Users\Vincent\AppData\Local\MFAData
2012-10-04 15:07 - 2012-10-04 15:07 - 00000000 ____D C:\Users\Vincent\AppData\Local\{BFF74DD3-7328-468E-8371-B4CD5252DC3E}
2012-10-04 11:25 - 2012-10-03 19:15 - 14906515 ____A C:\Users\Vincent\Desktop\Standard_Pushbacks.zip
2012-10-04 02:13 - 2012-10-04 02:14 - 00000000 ____D C:\Users\Vincent\AppData\Local\{68ED4D9B-4F0F-42EE-94FD-5D08AC580645}
2012-10-03 13:05 - 2012-10-03 13:06 - 00000000 ____D C:\Users\Vincent\AppData\Local\{962B1D9C-0544-4AE1-9784-E0B330F1DD99}
2012-10-03 01:05 - 2012-10-03 01:05 - 00000000 ____D C:\Users\Vincent\AppData\Local\{F1CC3EBE-7E86-4714-B6F7-6F0B42AA0C58}
2012-10-02 13:05 - 2012-10-02 13:05 - 00000000 ____D C:\Users\Vincent\AppData\Local\{50E7C8E2-8B33-4EEE-8FCA-6E3ECE5A234F}
2012-10-02 03:30 - 2012-10-02 03:30 - 00185696 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys
2012-10-02 01:05 - 2012-10-02 01:05 - 00000000 ____D C:\Users\Vincent\AppData\Local\{21BED80B-092F-43E5-BCD7-BF010FC2F1BB}
2012-10-02 00:00 - 2012-10-02 00:00 - 00295751 ____A C:\Users\Vincent\Downloads\DebugView.zip
2012-10-02 00:00 - 2012-10-02 00:00 - 00000000 ____D C:\Users\Vincent\Desktop\DebugView
2012-10-01 13:05 - 2012-10-01 13:07 - 92347544 ____A C:\Users\Vincent\Downloads\2008_03_24_divers 044.avi
2012-10-01 13:05 - 2012-10-01 13:05 - 00000000 ____D C:\Users\Vincent\AppData\Local\{B6616C7E-C3DB-4D80-97AA-EBBE11840E2F}
2012-09-30 20:22 - 2012-09-30 20:23 - 00000000 ____D C:\Users\Vincent\AppData\Local\{15C11C16-9ECA-4C61-BF3B-BA524F41C658}
2012-09-30 04:13 - 2012-09-30 04:13 - 00000000 ____D C:\Users\Vincent\AppData\Local\{C393C812-384C-4753-823E-7425881468BF}
2012-09-29 16:13 - 2012-09-29 16:13 - 00000000 ____D C:\Users\Vincent\AppData\Local\{778A3C3C-ABF9-4ADA-A4FD-9C4C3EE4CFB9}
2012-09-29 03:38 - 2012-08-21 17:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-09-29 02:58 - 2012-09-29 02:58 - 00000000 ____D C:\Users\Vincent\AppData\Local\{12BDE522-5678-4995-B859-0F080D849B39}
2012-09-28 14:04 - 2012-09-28 14:04 - 00000000 ____D C:\Users\Vincent\AppData\Local\{77F8D701-B93B-4085-A982-A274D0A0F132}
2012-09-28 02:04 - 2012-09-28 02:04 - 00000000 ____D C:\Users\Vincent\AppData\Local\{08D4CADB-C703-4737-96C0-2F2477064E1C}
2012-09-27 22:13 - 2012-09-26 04:31 - 10187660 ____A C:\Users\Vincent\Desktop\aXMessages2.xls
2012-09-27 22:13 - 2012-09-26 04:25 - 10014509 ____A C:\Users\Vincent\Desktop\aXMessages1.xls
2012-09-27 22:13 - 2012-09-26 04:24 - 01690389 ____A C:\Users\Vincent\Desktop\aXMessages3.xls
2012-09-27 14:04 - 2012-09-27 14:04 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DBDDC635-075B-4015-88D4-AEC1CC013263}
2012-09-27 04:55 - 2012-09-27 05:18 - 00021811 ____A C:\Users\Vincent\Documents\BCX 10 ans.wlmp
2012-09-27 00:29 - 2012-09-27 00:29 - 00000000 ____D C:\Users\Vincent\AppData\Local\{D9BC5BE4-05F7-47F6-BC20-57D2E22EB37C}
2012-09-26 12:28 - 2012-09-26 12:29 - 00000000 ____D C:\Users\Vincent\AppData\Local\{5443E003-59DB-4C6C-ADD5-E3072CC9F3CE}
2012-09-25 12:29 - 2012-09-25 12:29 - 00000000 ____D C:\Users\Vincent\AppData\Local\{A1FAD184-F7E2-48C4-A5FD-B443FA950F1A}
2012-09-24 12:50 - 2012-09-24 12:50 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DCC3C874-2DE3-4FF6-8C9C-5BCE300767AC}
2012-09-24 04:19 - 2012-09-27 05:39 - 00000000 ____D C:\Program Files (x86)\TorsionBlend
2012-09-24 04:18 - 2012-09-24 04:18 - 00000000 ____D C:\Users\Vincent\Downloads\torsionblend_trial
2012-09-24 04:17 - 2012-09-24 04:17 - 15468988 ____A C:\Users\Vincent\Downloads\torsionblend_trial.7z
2012-09-24 00:50 - 2012-09-24 00:50 - 00000000 ____D C:\Users\Vincent\AppData\Local\{696465D9-E20C-44DD-9D8A-0BF29C0C9474}
2012-09-23 20:26 - 2012-08-24 07:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-23 20:26 - 2012-08-24 06:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-09-23 20:26 - 2012-08-24 06:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-09-23 20:26 - 2012-08-24 06:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-09-23 20:26 - 2012-08-24 06:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-09-23 20:26 - 2012-08-24 06:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-09-23 20:26 - 2012-08-24 06:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-09-23 20:26 - 2012-08-24 06:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-09-23 20:26 - 2012-08-24 06:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-09-23 20:26 - 2012-08-24 06:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-09-23 20:26 - 2012-08-24 06:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-09-23 20:26 - 2012-08-24 06:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-09-23 20:26 - 2012-08-24 06:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-23 20:26 - 2012-08-24 06:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-09-23 20:26 - 2012-08-24 06:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-09-23 20:26 - 2012-08-24 06:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-09-23 20:26 - 2012-08-24 03:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-09-23 20:26 - 2012-08-24 03:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-09-23 20:26 - 2012-08-24 02:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-09-23 20:26 - 2012-08-24 02:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-09-23 20:26 - 2012-08-24 02:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-09-23 20:26 - 2012-08-24 02:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-09-23 20:26 - 2012-08-24 02:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-09-23 20:26 - 2012-08-24 02:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-09-23 20:26 - 2012-08-24 02:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-09-23 20:26 - 2012-08-24 02:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-09-23 20:26 - 2012-08-24 02:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-09-23 20:26 - 2012-08-24 02:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-09-23 20:26 - 2012-08-24 02:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-09-23 20:26 - 2012-08-24 02:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-09-23 20:26 - 2012-08-24 02:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-09-23 20:26 - 2012-08-24 02:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-09-23 12:50 - 2012-09-23 12:50 - 00000000 ____D C:\Users\Vincent\AppData\Local\{77CFEE0C-46D1-4885-B7A3-C1B754C6DAB1}
2012-09-23 00:50 - 2012-09-23 00:50 - 00000000 ____D C:\Users\Vincent\AppData\Local\{F4883C55-63D0-4CAB-AC4A-3DDE227BE255}
2012-09-22 02:35 - 2012-09-22 02:35 - 00000000 ____D C:\Users\Vincent\AppData\Local\{91B38821-3930-40A4-A73A-A66B507C2B78}
2012-09-21 04:00 - 2012-09-21 04:00 - 00000000 ____D C:\Users\Vincent\AppData\Local\{B1669182-A816-43CC-A14D-210A38299F87}
2012-09-21 03:46 - 2012-09-21 03:46 - 00225120 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgloga.sys
2012-09-21 03:46 - 2012-09-21 03:46 - 00200032 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2012-09-21 03:45 - 2012-09-21 03:45 - 00061792 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsha.sys
2012-09-20 14:03 - 2012-09-20 14:03 - 00000000 ____D C:\Users\Vincent\AppData\Local\{FEB60193-628A-4435-A38A-26A70E23AD6B}
2012-09-20 02:03 - 2012-09-20 02:03 - 00000000 ____D C:\Users\Vincent\AppData\Local\{5DE5CC90-1FD8-47F8-9908-20C9C7D9A730}
2012-09-19 14:03 - 2012-09-19 14:03 - 00000000 ____D C:\Users\Vincent\AppData\Local\{7E16485B-76D6-458F-B6B4-1EA7AB0BDEE6}
2012-09-19 05:27 - 2012-07-06 16:07 - 00552960 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-09-19 05:21 - 2012-08-22 14:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-09-19 05:21 - 2012-08-22 14:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-09-19 05:21 - 2012-08-22 14:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-09-19 05:21 - 2012-08-22 14:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-09-19 05:21 - 2012-08-02 13:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-09-19 05:21 - 2012-08-02 12:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-09-19 05:21 - 2012-07-04 18:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-09-19 05:21 - 2012-07-04 18:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-09-19 05:21 - 2012-07-04 18:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-09-19 05:21 - 2012-07-04 17:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-09-19 05:21 - 2012-07-04 17:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-09-19 05:21 - 2012-07-04 16:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2012-09-19 05:21 - 2012-05-14 01:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-09-19 05:21 - 2012-05-05 04:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-09-19 05:21 - 2012-05-05 03:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-09-19 05:21 - 2012-02-11 02:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-09-19 05:21 - 2012-02-11 02:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-09-19 05:21 - 2012-02-11 02:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-09-19 05:21 - 2012-02-11 01:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-09-19 05:20 - 2012-09-19 10:58 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2012-09-19 05:20 - 2012-09-19 05:20 - 00000000 ____D C:\Users\All Users\McAfee Security Scan
2012-09-19 05:20 - 2012-09-19 05:20 - 00000000 ____D C:\Users\All Users\McAfee
2012-09-19 05:20 - 2012-07-18 14:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-09-19 02:02 - 2012-09-19 02:02 - 00000000 ____D C:\Users\Vincent\AppData\Local\{3577E2B6-609C-4633-B24D-00EA39A8CDDB}


==================== 3 Months Modified Files ==================

2012-10-19 04:02 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-19 04:02 - 2009-07-14 00:51 - 00032867 ____A C:\Windows\setupact.log
2012-10-19 04:00 - 2012-10-19 04:00 - 01458573 ____A (Farbar) C:\Users\Vincent\Downloads\FRST64 (1).exe
2012-10-19 03:55 - 2012-10-19 02:46 - 00007632 ____A C:\Users\Vincent\Desktop\avgrep.txt
2012-10-19 03:50 - 2009-07-14 01:13 - 00961518 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-19 03:42 - 2012-07-12 20:58 - 00364304 ____A C:\Windows\PFRO.log
2012-10-19 03:29 - 2012-07-12 20:14 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-355343389-3714370867-124594232-1001UA.job
2012-10-19 03:26 - 2009-07-14 00:45 - 00013984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-19 03:26 - 2009-07-14 00:45 - 00013984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-19 03:15 - 2012-10-19 03:15 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-19 03:14 - 2012-10-19 03:14 - 09502424 ____A (Malwarebytes Corporation ) C:\Users\Vincent\Downloads\mbam-setup-1.60.1.1000.exe
2012-10-19 03:11 - 2012-07-12 20:02 - 01563731 ____A C:\Windows\WindowsUpdate.log
2012-10-18 11:40 - 2012-07-12 20:14 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-355343389-3714370867-124594232-1001Core.job
2012-10-12 14:21 - 2012-10-05 02:12 - 00000965 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-10-12 00:00 - 2012-10-12 00:00 - 11970272 ____A (ManyCam LLC) C:\Users\Vincent\Downloads\ManyCamSetup.exe
2012-10-10 17:27 - 2012-10-10 17:27 - 00002533 ____A C:\Users\Public\Desktop\DBSelector.lnk
2012-10-10 17:27 - 2012-10-10 17:27 - 00002533 ____A C:\Users\Public\Desktop\aXionGUI.lnk
2012-10-10 17:27 - 2012-10-10 17:27 - 00002533 ____A C:\Users\Public\Desktop\aXion.lnk
2012-10-10 13:18 - 2012-10-10 13:18 - 00003664 ____A C:\Users\Vincent\Desktop\RKreport[1].txt
2012-10-10 13:17 - 2012-10-10 13:17 - 01422336 ____A C:\Users\Vincent\Downloads\RogueKiller.exe
2012-10-10 13:14 - 2012-10-10 13:14 - 01456791 ____A (Farbar) C:\Users\Vincent\Downloads\FRST64.exe
2012-10-10 13:08 - 2012-10-10 13:08 - 08962000 ____A (SurfRight B.V.) C:\Users\Vincent\Downloads\HitmanPro36_x64.exe
2012-10-10 01:41 - 2012-10-10 01:39 - 92121088 ____A C:\Users\Vincent\Downloads\avg_arl_cdi_all_120_120823a5226.iso
2012-10-10 00:11 - 2012-10-10 00:09 - 103899007 ____A C:\Users\Vincent\Downloads\avg_arl_ffi_all_120_120823a5226.zip
2012-10-09 22:53 - 2012-10-09 22:53 - 00169910 ____A C:\Users\Vincent\Downloads\IBM.Rational.PurifyPlus.v7.0.W.keygen.zip
2012-10-09 22:49 - 2012-10-09 22:14 - 00026560 ____A C:\Users\Vincent\AppData\Local\rational_state.log
2012-10-06 15:35 - 2012-10-06 15:35 - 00001473 ____A C:\Users\Vincent\AppData\Local\recently-used.xbel
2012-10-05 03:26 - 2012-10-05 03:26 - 00111456 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys
2012-10-03 19:15 - 2012-10-04 11:25 - 14906515 ____A C:\Users\Vincent\Desktop\Standard_Pushbacks.zip
2012-10-02 03:30 - 2012-10-02 03:30 - 00185696 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys
2012-10-02 00:00 - 2012-10-02 00:00 - 00295751 ____A C:\Users\Vincent\Downloads\DebugView.zip
2012-10-01 13:07 - 2012-10-01 13:05 - 92347544 ____A C:\Users\Vincent\Downloads\2008_03_24_divers 044.avi
2012-09-29 19:54 - 2012-10-19 03:15 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-29 16:13 - 2009-07-14 00:45 - 00310896 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-27 15:52 - 2012-07-12 20:14 - 00067872 ____A C:\Users\Vincent\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-27 05:18 - 2012-09-27 04:55 - 00021811 ____A C:\Users\Vincent\Documents\BCX 10 ans.wlmp
2012-09-26 04:31 - 2012-09-27 22:13 - 10187660 ____A C:\Users\Vincent\Desktop\aXMessages2.xls
2012-09-26 04:25 - 2012-09-27 22:13 - 10014509 ____A C:\Users\Vincent\Desktop\aXMessages1.xls
2012-09-26 04:24 - 2012-09-27 22:13 - 01690389 ____A C:\Users\Vincent\Desktop\aXMessages3.xls
2012-09-24 04:17 - 2012-09-24 04:17 - 15468988 ____A C:\Users\Vincent\Downloads\torsionblend_trial.7z
2012-09-21 03:46 - 2012-09-21 03:46 - 00225120 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgloga.sys
2012-09-21 03:46 - 2012-09-21 03:46 - 00200032 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2012-09-21 03:45 - 2012-09-21 03:45 - 00061792 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsha.sys
2012-09-19 05:20 - 2012-07-12 20:17 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-19 05:20 - 2012-07-12 20:17 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-14 05:49 - 2012-09-14 05:44 - 183721414 ____A C:\Users\Vincent\Downloads\RATL_PURIFYPLUS_WIN_EVAL_V7.0.1_ML.zip
2012-09-14 05:37 - 2012-09-14 05:37 - 00000044 ____A C:\Users\Vincent\dlmgr_.pro
2012-09-14 03:05 - 2012-09-14 03:05 - 00040800 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgrkx64.sys
2012-09-13 03:11 - 2012-09-13 03:11 - 00151904 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdrivera.sys
2012-09-07 00:29 - 2012-09-07 00:29 - 00000020 __ASH C:\Users\VaultIndexAppPool\ntuser.ini
2012-09-06 17:07 - 2012-09-06 17:07 - 00001880 ____A C:\Users\Public\Desktop\Vault Professional Client.lnk
2012-09-06 17:06 - 2012-09-06 17:06 - 24069632 ____A C:\Users\Vincent\Downloads\VaultProClient.msi
2012-09-06 17:05 - 2012-09-06 17:05 - 00000020 ___SH C:\Users\VaultNotifyAppPool\ntuser.ini
2012-09-06 16:57 - 2012-09-06 16:57 - 00000020 ___SH C:\Users\VaultAppPool\ntuser.ini
2012-09-06 16:57 - 2012-09-06 16:57 - 00000020 ___SH C:\Users\DefaultAppPool\ntuser.ini
2012-09-06 16:40 - 2012-09-06 16:36 - 185048928 ____A (Microsoft Corporation) C:\Users\Vincent\Downloads\SQLManagementStudio_x64_ENU.exe
2012-09-04 03:54 - 2012-09-04 03:54 - 00000970 ____A C:\Users\Vincent\Desktop\Downloads - Shortcut.lnk
2012-09-04 03:53 - 2012-09-04 03:53 - 00000020 __ASH C:\Users\Classic .NET AppPool\ntuser.ini
2012-09-04 03:53 - 2012-09-04 03:48 - 00044201 ____A C:\Windows\iis7.log
2012-09-04 03:53 - 2012-07-12 23:18 - 00933150 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-04 03:51 - 2012-09-04 03:51 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-04 03:51 - 2012-09-04 03:51 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-09-04 03:51 - 2012-09-04 03:51 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-09-04 03:51 - 2012-09-04 03:51 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-04 03:51 - 2012-07-12 20:07 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-09-04 03:51 - 2012-07-12 20:07 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-09-04 03:34 - 2012-09-04 03:34 - 39076864 ____A C:\Users\Vincent\Downloads\VaultProServer64_6_0_0_30477.msi
2012-09-04 00:14 - 2012-09-04 00:14 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-09-02 00:42 - 2012-07-12 22:53 - 00306415 ____N C:\Windows\Minidump\090212-18844-01.dmp
2012-09-02 00:07 - 2012-07-13 14:10 - 00000667 ____A C:\Users\Vincent\Desktop\aXion.sln - Shortcut.lnk
2012-08-31 00:43 - 2012-07-12 20:48 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-30 01:44 - 2012-08-30 01:44 - 00001248 ____A C:\Users\Public\Desktop\NVIDIA Compute Visual Profiler v4.0.lnk
2012-08-27 13:32 - 2012-08-27 13:16 - 1000886272 ____A C:\Users\Vincent\Downloads\envi50win64_setup.exe
2012-08-24 07:15 - 2012-09-23 20:26 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 06:39 - 2012-09-23 20:26 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 06:31 - 2012-09-23 20:26 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 06:22 - 2012-09-23 20:26 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 06:21 - 2012-09-23 20:26 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 06:20 - 2012-09-23 20:26 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 06:18 - 2012-09-23 20:26 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 06:17 - 2012-09-23 20:26 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 06:14 - 2012-09-23 20:26 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 06:14 - 2012-09-23 20:26 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 06:13 - 2012-09-23 20:26 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 06:12 - 2012-09-23 20:26 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 06:11 - 2012-09-23 20:26 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 06:10 - 2012-09-23 20:26 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 06:09 - 2012-09-23 20:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 06:04 - 2012-09-23 20:26 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-24 03:27 - 2012-09-23 20:26 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-24 03:03 - 2012-09-23 20:26 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-24 02:59 - 2012-09-23 20:26 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-24 02:51 - 2012-09-23 20:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-24 02:51 - 2012-09-23 20:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-24 02:51 - 2012-09-23 20:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-24 02:49 - 2012-09-23 20:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-24 02:48 - 2012-09-23 20:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-24 02:47 - 2012-09-23 20:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-24 02:47 - 2012-09-23 20:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-24 02:47 - 2012-09-23 20:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-24 02:45 - 2012-09-23 20:26 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-24 02:44 - 2012-09-23 20:26 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-24 02:44 - 2012-09-23 20:26 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-24 02:43 - 2012-09-23 20:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-24 02:40 - 2012-09-23 20:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-22 14:12 - 2012-09-19 05:21 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 14:12 - 2012-09-19 05:21 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 14:12 - 2012-09-19 05:21 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 14:12 - 2012-09-19 05:21 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 17:01 - 2012-09-29 03:38 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-08-19 03:41 - 2012-08-19 03:41 - 00000000 ___AH C:\Users\Vincent\Documents\Default.rdp
2012-08-18 00:03 - 2012-08-18 00:03 - 14048031 ____A C:\Users\Vincent\Downloads\Vancouver_ETM_RGB.zip
2012-08-17 03:51 - 2012-08-17 03:51 - 00027520 ____A C:\Users\Vincent\AppData\Local\dt.dat
2012-08-17 01:39 - 2012-07-12 22:53 - 00306287 ____N C:\Windows\Minidump\081712-20326-01.dmp
2012-08-09 22:35 - 2012-08-09 22:33 - 00001993 ____A C:\Users\Vincent\Desktop\Computer.lnk
2012-08-02 13:58 - 2012-09-19 05:21 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 12:57 - 2012-09-19 05:21 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-26 13:52 - 2012-07-14 01:36 - 00007368 ____A C:\Windows\DirectX.log
2012-07-24 23:12 - 2012-07-12 22:53 - 00305455 ____N C:\Windows\Minidump\072412-22276-01.dmp


ZeroAccess:
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L\00000004.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L\201d3dde
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\00000004.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000032.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 22519.12 MB
Available physical RAM: 19706.84 MB
Total Pagefile: 22533.31 MB
Available Pagefile: 19173.19 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:74.53 GB) (Free:7.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (geotextures) (Fixed) (Total:2794.39 GB) (Free:594.36 GB) NTFS
4 Drive f: () (Fixed) (Total:1862.92 GB) (Free:606.05 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 74 GB 1024 KB
Disk 1 Online 2794 GB 0 B *
Disk 2 Online 1863 GB 100 MB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 74 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 74 GB Healthy System (partition with boot components)

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Reserved 128 MB 17 KB
Partition 2 Primary 2794 GB 129 MB

==================================================================================

Disk: 1
Partition 1
Type : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden : Yes
Required: No
Attrib : 0000000000000000

There is no volume associated with this partition.

=========================================================

Disk: 1
Partition 2
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0000000000000000

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E geotextures NTFS Partition 2794 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1862 GB 101 MB

==================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Partition 1862 GB Healthy

=========================================================

Last Boot: 2012-10-16 11:34

==================== End Of Log =============================
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

We need to redo something...

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

Save FRST64.exe to your flash drive.

Plug the flashdrive into the infected PC.

Reboot the computer and Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button. It will do its scan and save a log on your flash drive.
  • Close out of the message after that, then type the text services.exe into the "Search:" text box. Then press the Search file(s) button.

    When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  • Type exit in the Command Prompt window and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
 
Thanks for the answer and very clear instructions on what to do next.

I followed your procedure and got the following log file:

Farbar Recovery Scan Tool (x64) Version: 10-10-2012
Ran by SYSTEM at 2012-10-19 22:36:08
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======

Thanks for your help!
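The two logs in this thread carry the same evidence in two forms: the first FRST log lists a ZeroAccess directory layout (the `{GUID}\@`, `\L`, `\U` tree under `C:\Windows\Installer` and the `Desktop.ini` files in `GAC_32`/`GAC_64`) and flags `services.exe` in the Bamital check, and the Search.txt just posted shows why, by putting the live `C:\Windows\System32\services.exe` beside the untouched copy in the WinSxS component store. The Python below is an added example written for this thread; it is not FRST's code and not the helper's. It parses FRST's `Search:` output, compares each live file with its WinSxS counterpart, and matches file paths against the ZeroAccess layout. `SEARCH_LOG` and the first eleven `SAMPLE_PATHS` are copied from the posted logs; the last two paths are constructed benign entries so the matcher has something to ignore.

```python
"""Cross-check an FRST "Search:" log against the WinSxS component store and
flag ZeroAccess-style paths in an FRST file listing.

Added example for this thread: not FRST's code and not the helper's.  Sample
inputs are copied from the logs posted above, plus two constructed benign
paths (marked below) that a correct matcher must ignore.
"""
import re
from typing import Dict, List

# One FRST detail line:  [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Copied from the Search.txt posted above
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======
"""

# ZeroAccess layout: an MSI-cache GUID folder holding "@", "L" and "U"
# children, and Desktop.ini files dropped into the .NET GAC folders.  A bare
# C:\Windows\Installer\{GUID} folder on its own is normal (MSI icon cache).
ZA_PATTERNS = [
    re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\[@LU](?:\\|$)", re.I),
    re.compile(r"\\Windows\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I),
]

SAMPLE_PATHS = [  # first eleven copied from the FRST log above
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}",
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\@",
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L",
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U",
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L\00000004.@",
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L\201d3dde",
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\00000004.@",
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000032.@",
    r"C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000064.@",
    r"C:\Windows\assembly\GAC_32\Desktop.ini",
    r"C:\Windows\assembly\GAC_64\Desktop.ini",
    # constructed benign paths, not from the log
    r"C:\Windows\System32\Drivers\netio.sys",
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\Update.exe",
]


def parse_search(text: str) -> List[Dict]:
    """Pair each FRST detail line with the path line printed just above it."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    records = []
    for i in range(1, len(lines)):
        m = DETAIL_RE.match(lines[i])
        path = lines[i - 1]
        if not m or not path or path.startswith("["):
            continue
        records.append({
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
            "size": int(m["size"]),
            "md5": m["md5"].upper(),
            "company": m["company"] or "",
            "timestamps": (m["created"], m["modified"]),
        })
    return records


def is_winsxs(path: str) -> bool:
    return "\\winsxs\\" in path.lower()


def compare_to_winsxs(records: List[Dict]) -> List[Dict]:
    """Compare every live copy with the component-store copy of the same name.

    A file infector keeps the version resource (company string) and usually
    the timestamps, so the tell is a changed size and hash, not a changed
    signer name or date."""
    reference: Dict[str, List[Dict]] = {}
    for r in records:
        if is_winsxs(r["path"]):
            reference.setdefault(r["name"], []).append(r)
    findings = []
    for r in records:
        if is_winsxs(r["path"]):
            continue
        refs = reference.get(r["name"])
        if not refs:
            findings.append({"path": r["path"], "verdict": "no WinSxS reference"})
            continue
        md5_match = any(ref["md5"] == r["md5"] for ref in refs)
        findings.append({
            "path": r["path"],
            "md5_match": md5_match,
            "size_delta": r["size"] - refs[0]["size"],
            "same_company": all(ref["company"] == r["company"] for ref in refs),
            "same_timestamps": any(ref["timestamps"] == r["timestamps"] for ref in refs),
            "verdict": "OK" if md5_match else "MODIFIED: hash differs from component store",
        })
    return findings


def zeroaccess_indicators(paths: List[str]) -> List[str]:
    """Return the paths that match the ZeroAccess directory layout."""
    return [p for p in paths if any(pat.search(p) for pat in ZA_PATTERNS)]


if __name__ == "__main__":
    for f in compare_to_winsxs(parse_search(SEARCH_LOG)):
        print(f)
    for p in zeroaccess_indicators(SAMPLE_PATHS):
        print("ZeroAccess indicator:", p)
```

Run against the posted Search.txt, the comparison reports `services.exe` as MODIFIED: identical creation and modification timestamps, the same "Microsoft Corporation" company string, but 512 more bytes than the WinSxS copy and a different MD5. That is the pattern of a patched system binary rather than an updated one; a legitimate update would land in a different component version folder. Because `services.exe` starts the Service Control Manager at boot, the fix is to replace the live file with the clean component-store copy (as FRST's `Replace:` directive does from the recovery environment), never to delete it. Note that the WinSxS reference is only as trustworthy as the component store itself, so the comparison is supporting evidence next to FRST's own MD5 whitelist, not a replacement for it.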
 
Good. Now, as instructed before the search scan you did, please open the regular FRST interface and click the Scan button. The log called FRST.txt will be saved on the flash drive. Please post that in your next reply. :)
 
Arrrg, I suck, I skipped that line with the scan :eek:

Here is the scan result:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-10-2012 (ATTENTION: FRST version is 10 days old)
Ran by SYSTEM at 20-10-2012 15:50:05
Running from H:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11660904 2010-11-29] (Realtek Semiconductor)
HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [613536 2010-11-25] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] "C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe" [379040 2010-11-25] (Atheros Commnucations)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent [x]
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-16] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [43632 2010-01-18] ()
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [947808 2012-10-04] ()
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-03-12] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3116152 2012-10-10] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT [856160 2012-10-04] ()
HKU\Vincent\...\Run: [Google Update] "C:\Users\Vincent\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-12] (Google Inc.)
HKU\Vincent\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Vincent\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Vincent\...\Run: [ManyCam] "C:\Program Files (x86)\ManyCam\Bin\ManyCam.exe" /silent [2164632 2012-09-13] (ManyCam LLC)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Vincent\Start Menu\Programs\Startup\wlmail.exe - Shortcut.lnk
ShortcutTarget: wlmail.exe - Shortcut.lnk -> C:\Program Files (x86)\Windows Live\Mail\wlmail.exe (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5783672 2012-10-01] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [193568 2012-10-01] (AVG Technologies CZ, s.r.o.)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe" [237008 2011-06-17] (McAfee, Inc.)
2 vToolbarUpdater12.2.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [722528 2012-09-03] ()
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [151904 2012-09-12] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [61792 2012-09-20] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-01] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-20] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111456 2012-10-04] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-13] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-20] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [31080 2012-09-03] (AVG Technologies)
3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv_x64.sys [44928 2012-07-20] (ManyCam LLC)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)
3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [29696 2012-07-20] (ManyCam LLC)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
2 NPF; C:\Windows\System32\Drivers\NPF.sys [35344 2010-06-25] (CACE Technologies, Inc.)
2 Sentinel; C:\Windows\SysWow64\Drivers\Sentinel.sys [73728 2001-06-21] (Rainbow Technologies, Inc.)
3 Sntnlusb; C:\Windows\SysWow64\Drivers\Sntnlusb.sys [20032 2001-06-21] (Rainbow Technologies Inc.)
2 DS1410D; \??\C:\Windows\system32\drivers\ds1410d.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-10-19 19:52 - 2012-10-19 19:52 - 00004608 ____A C:\Users\Vincent\AppData\Local\recently-used.xbel
2012-10-19 11:02 - 2012-10-19 11:02 - 00000000 ____D C:\Users\Vincent\AppData\Local\{212743EC-4D70-4CA6-BB84-CA933A7C5033}
2012-10-19 00:03 - 2012-10-19 00:03 - 00036047 ____A C:\Users\Vincent\Downloads\FRST.txt
2012-10-19 00:00 - 2012-10-19 00:02 - 00000000 ____D C:\FRST
2012-10-19 00:00 - 2012-10-19 00:00 - 01458573 ____A (Farbar) C:\Users\Vincent\Downloads\FRST64 (1).exe
2012-10-18 23:15 - 2012-10-18 23:15 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-18 23:15 - 2012-10-18 23:15 - 00000000 ____D C:\Users\Vincent\AppData\Roaming\Malwarebytes
2012-10-18 23:15 - 2012-10-18 23:15 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-10-18 23:15 - 2012-10-18 23:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-10-18 23:15 - 2012-09-29 15:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-10-18 23:14 - 2012-10-18 23:14 - 09502424 ____A (Malwarebytes Corporation ) C:\Users\Vincent\Downloads\mbam-setup-1.60.1.1000.exe
2012-10-18 22:46 - 2012-10-18 23:55 - 00007632 ____A C:\Users\Vincent\Desktop\avgrep.txt
2012-10-18 20:28 - 2012-10-18 20:28 - 00000000 ____D C:\Users\Vincent\AppData\Local\{2596B2D9-2939-49BE-809B-5040499F8DE5}
2012-10-18 08:27 - 2012-10-18 08:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{AF8F6DB2-BCEA-4766-8E83-55A0B25238B2}
2012-10-17 20:27 - 2012-10-17 20:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{FA30AD11-CD24-4D9D-8677-ECAF5F76BC34}
2012-10-17 08:27 - 2012-10-17 08:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{E91FCF60-5625-41BE-A2AE-058C6FDB8AB3}
2012-10-16 19:01 - 2012-10-16 19:01 - 00000000 ____D C:\Users\Vincent\AppData\Local\{29960B07-F84B-470B-8745-1E772263FC53}
2012-10-16 07:00 - 2012-10-16 07:01 - 00000000 ____D C:\Users\Vincent\AppData\Local\{21DDA171-5825-4632-9E44-AE55E224E34F}
2012-10-15 12:58 - 2012-10-15 12:58 - 00000000 ____D C:\Users\Vincent\AppData\Local\{60D19166-97A9-44EB-AA24-7742D8768CAA}
2012-10-14 18:28 - 2012-10-14 18:28 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DD140107-C969-4040-824C-04C7DFC9109C}
2012-10-13 08:59 - 2012-10-13 08:59 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DC870297-648A-4E8C-96BC-0B06946A646F}
2012-10-12 20:30 - 2012-10-12 20:30 - 00000000 ____D C:\Users\Vincent\AppData\Local\{D6B261FC-A850-46F5-82C3-BC129429A053}
2012-10-12 10:21 - 2012-10-12 10:21 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2012-10-12 10:21 - 2012-10-12 10:21 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2012-10-12 08:29 - 2012-10-12 08:29 - 00000000 ____D C:\Users\Vincent\AppData\Local\{FB7188B6-F109-4E1F-B8E0-90513E4BF9B5}
2012-10-11 20:00 - 2012-10-11 20:00 - 11970272 ____A (ManyCam LLC) C:\Users\Vincent\Downloads\ManyCamSetup.exe
2012-10-11 15:37 - 2012-10-11 15:38 - 00000000 ____D C:\Users\Vincent\AppData\Local\{10971EA7-1CC1-4751-AF85-C62C3EA8FE63}
2012-10-10 21:27 - 2012-10-10 21:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{4381C485-C5C9-4FC0-985B-17256BC8DEE5}
2012-10-10 13:27 - 2012-10-10 13:27 - 00002533 ____A C:\Users\Public\Desktop\DBSelector.lnk
2012-10-10 13:27 - 2012-10-10 13:27 - 00002533 ____A C:\Users\Public\Desktop\aXionGUI.lnk
2012-10-10 13:27 - 2012-10-10 13:27 - 00002533 ____A C:\Users\Public\Desktop\aXion.lnk
2012-10-10 09:26 - 2012-10-10 09:27 - 00000000 ____D C:\Users\Vincent\AppData\Local\{5CDC406C-2D43-4426-851E-8C7A40295E33}
2012-10-10 09:18 - 2012-10-10 09:18 - 00003664 ____A C:\Users\Vincent\Desktop\RKreport[1].txt
2012-10-10 09:18 - 2012-10-10 09:18 - 00000000 ____D C:\Users\Vincent\Desktop\RK_Quarantine
2012-10-10 09:17 - 2012-10-10 09:17 - 01422336 ____A C:\Users\Vincent\Downloads\RogueKiller.exe
2012-10-10 09:14 - 2012-10-10 09:14 - 01456791 ____A (Farbar) C:\Users\Vincent\Downloads\FRST64.exe
2012-10-10 09:08 - 2012-10-10 09:09 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-10-10 09:08 - 2012-10-10 09:08 - 08962000 ____A (SurfRight B.V.) C:\Users\Vincent\Downloads\HitmanPro36_x64.exe
2012-10-09 21:39 - 2012-10-09 21:41 - 92121088 ____A C:\Users\Vincent\Downloads\avg_arl_cdi_all_120_120823a5226.iso
2012-10-09 21:26 - 2012-10-09 21:26 - 00000000 ____D C:\Users\Vincent\AppData\Local\{540279FD-61AF-44F8-92B6-4E9C8ACE4934}
2012-10-09 20:21 - 2012-10-09 20:21 - 00000000 ____D C:\Users\Vincent\Desktop\avg_arl_ffi_all_120_120823a5226
2012-10-09 20:09 - 2012-10-09 20:11 - 103899007 ____A C:\Users\Vincent\Downloads\avg_arl_ffi_all_120_120823a5226.zip
2012-10-09 19:02 - 2012-10-09 19:02 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-10-09 18:57 - 2012-10-09 18:57 - 00000000 ____D C:\Users\Vincent\Downloads\IBM.Rational.PurifyPlus.v7.0.W.keygen
2012-10-09 18:53 - 2012-10-09 18:53 - 00169910 ____A C:\Users\Vincent\Downloads\IBM.Rational.PurifyPlus.v7.0.W.keygen.zip
2012-10-09 18:14 - 2012-10-09 18:50 - 00000000 ____D C:\Program Files (x86)\Rational
2012-10-09 18:14 - 2012-10-09 18:49 - 00026560 ____A C:\Users\Vincent\AppData\Local\rational_state.log
2012-10-09 09:26 - 2012-10-09 09:26 - 00000000 ____D C:\Users\Vincent\AppData\Local\{8C252A56-0F28-4498-BF79-5EAC8CB8A2AA}
2012-10-08 15:18 - 2012-10-08 15:18 - 00000000 ____D C:\Users\Vincent\AppData\Local\{AF4FE3DA-F8A7-4CE3-866A-D5BA29D0B18F}
2012-10-07 20:56 - 2012-10-07 20:56 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DFC6225C-E187-4345-9777-F91AAA83674C}
2012-10-07 08:55 - 2012-10-07 08:56 - 00000000 ____D C:\Users\Vincent\AppData\Local\{7636EAF4-49FF-4683-8649-E2EE2DB4711F}
2012-10-06 20:55 - 2012-10-06 20:55 - 00000000 ____D C:\Users\Vincent\AppData\Local\{A28611C8-4C17-4CE8-A00D-D85961850959}
2012-10-06 08:55 - 2012-10-06 08:55 - 00000000 ____D C:\Users\Vincent\AppData\Local\{1A9E419C-CE79-4172-B2C9-371017595800}
2012-10-05 15:42 - 2012-10-05 15:43 - 00000000 ____D C:\Users\Vincent\AppData\Local\{CD5EB37A-9C55-46FB-BE33-D482BB9C9B93}
2012-10-04 23:26 - 2012-10-04 23:26 - 00111456 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys
2012-10-04 23:07 - 2012-10-04 23:08 - 00000000 ____D C:\Users\Vincent\AppData\Local\{EBBFAB05-C8C9-4DFA-A921-58EFB8AF121D}
2012-10-04 22:13 - 2012-10-04 22:13 - 00000000 ____D C:\Users\Vincent\AppData\Roaming\AVG2013
2012-10-04 22:12 - 2012-10-19 11:08 - 00000965 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-10-04 22:12 - 2012-10-04 22:12 - 00000000 ____D C:\Users\Vincent\AppData\Roaming\TuneUp Software
2012-10-04 22:12 - 2012-10-04 22:12 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-10-04 22:11 - 2012-10-09 23:41 - 00000000 ____D C:\Users\All Users\AVG2013
2012-10-04 15:54 - 2012-10-18 22:46 - 00000000 ____D C:\Users\Vincent\AppData\Local\Avg2013
2012-10-04 15:54 - 2012-10-04 15:54 - 00000000 ____D C:\Users\Vincent\AppData\Local\MFAData
2012-10-04 11:07 - 2012-10-04 11:07 - 00000000 ____D C:\Users\Vincent\AppData\Local\{BFF74DD3-7328-468E-8371-B4CD5252DC3E}
2012-10-04 07:25 - 2012-10-03 15:15 - 14906515 ____A C:\Users\Vincent\Desktop\Standard_Pushbacks.zip
2012-10-03 22:13 - 2012-10-03 22:14 - 00000000 ____D C:\Users\Vincent\AppData\Local\{68ED4D9B-4F0F-42EE-94FD-5D08AC580645}
2012-10-03 09:05 - 2012-10-03 09:06 - 00000000 ____D C:\Users\Vincent\AppData\Local\{962B1D9C-0544-4AE1-9784-E0B330F1DD99}
2012-10-02 21:05 - 2012-10-02 21:05 - 00000000 ____D C:\Users\Vincent\AppData\Local\{F1CC3EBE-7E86-4714-B6F7-6F0B42AA0C58}
2012-10-02 09:05 - 2012-10-02 09:05 - 00000000 ____D C:\Users\Vincent\AppData\Local\{50E7C8E2-8B33-4EEE-8FCA-6E3ECE5A234F}
2012-10-01 23:30 - 2012-10-01 23:30 - 00185696 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys
2012-10-01 21:05 - 2012-10-01 21:05 - 00000000 ____D C:\Users\Vincent\AppData\Local\{21BED80B-092F-43E5-BCD7-BF010FC2F1BB}
2012-10-01 20:00 - 2012-10-01 20:00 - 00295751 ____A C:\Users\Vincent\Downloads\DebugView.zip
2012-10-01 20:00 - 2012-10-01 20:00 - 00000000 ____D C:\Users\Vincent\Desktop\DebugView
2012-10-01 09:05 - 2012-10-01 09:07 - 92347544 ____A C:\Users\Vincent\Downloads\2008_03_24_divers 044.avi
2012-10-01 09:05 - 2012-10-01 09:05 - 00000000 ____D C:\Users\Vincent\AppData\Local\{B6616C7E-C3DB-4D80-97AA-EBBE11840E2F}
2012-09-30 16:22 - 2012-09-30 16:23 - 00000000 ____D C:\Users\Vincent\AppData\Local\{15C11C16-9ECA-4C61-BF3B-BA524F41C658}
2012-09-30 00:13 - 2012-09-30 00:13 - 00000000 ____D C:\Users\Vincent\AppData\Local\{C393C812-384C-4753-823E-7425881468BF}
2012-09-29 12:13 - 2012-09-29 12:13 - 00000000 ____D C:\Users\Vincent\AppData\Local\{778A3C3C-ABF9-4ADA-A4FD-9C4C3EE4CFB9}
2012-09-28 23:38 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-09-28 22:58 - 2012-09-28 22:58 - 00000000 ____D C:\Users\Vincent\AppData\Local\{12BDE522-5678-4995-B859-0F080D849B39}
2012-09-28 10:04 - 2012-09-28 10:04 - 00000000 ____D C:\Users\Vincent\AppData\Local\{77F8D701-B93B-4085-A982-A274D0A0F132}
2012-09-27 22:04 - 2012-09-27 22:04 - 00000000 ____D C:\Users\Vincent\AppData\Local\{08D4CADB-C703-4737-96C0-2F2477064E1C}
2012-09-27 18:13 - 2012-09-26 00:31 - 10187660 ____A C:\Users\Vincent\Desktop\aXMessages2.xls
2012-09-27 18:13 - 2012-09-26 00:25 - 10014509 ____A C:\Users\Vincent\Desktop\aXMessages1.xls
2012-09-27 18:13 - 2012-09-26 00:24 - 01690389 ____A C:\Users\Vincent\Desktop\aXMessages3.xls
2012-09-27 10:04 - 2012-09-27 10:04 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DBDDC635-075B-4015-88D4-AEC1CC013263}
2012-09-27 00:55 - 2012-09-27 01:18 - 00021811 ____A C:\Users\Vincent\Documents\BCX 10 ans.wlmp
2012-09-26 20:29 - 2012-09-26 20:29 - 00000000 ____D C:\Users\Vincent\AppData\Local\{D9BC5BE4-05F7-47F6-BC20-57D2E22EB37C}
2012-09-26 08:28 - 2012-09-26 08:29 - 00000000 ____D C:\Users\Vincent\AppData\Local\{5443E003-59DB-4C6C-ADD5-E3072CC9F3CE}
2012-09-25 08:29 - 2012-09-25 08:29 - 00000000 ____D C:\Users\Vincent\AppData\Local\{A1FAD184-F7E2-48C4-A5FD-B443FA950F1A}
2012-09-24 08:50 - 2012-09-24 08:50 - 00000000 ____D C:\Users\Vincent\AppData\Local\{DCC3C874-2DE3-4FF6-8C9C-5BCE300767AC}
2012-09-24 00:19 - 2012-09-27 01:39 - 00000000 ____D C:\Program Files (x86)\TorsionBlend
2012-09-24 00:18 - 2012-09-24 00:18 - 00000000 ____D C:\Users\Vincent\Downloads\torsionblend_trial
2012-09-24 00:17 - 2012-09-24 00:17 - 15468988 ____A C:\Users\Vincent\Downloads\torsionblend_trial.7z
2012-09-23 20:50 - 2012-09-23 20:50 - 00000000 ____D C:\Users\Vincent\AppData\Local\{696465D9-E20C-44DD-9D8A-0BF29C0C9474}
2012-09-23 16:26 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-23 16:26 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-09-23 16:26 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-09-23 16:26 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-09-23 16:26 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-09-23 16:26 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-09-23 16:26 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-09-23 16:26 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-09-23 16:26 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-09-23 16:26 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-09-23 16:26 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-09-23 16:26 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-09-23 16:26 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-23 16:26 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-09-23 16:26 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-09-23 16:26 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-09-23 16:26 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-09-23 16:26 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-09-23 16:26 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-09-23 16:26 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-09-23 16:26 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-09-23 16:26 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-09-23 16:26 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-09-23 16:26 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-09-23 16:26 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-09-23 16:26 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-09-23 16:26 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-09-23 16:26 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-09-23 16:26 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-09-23 16:26 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-09-23 16:26 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-09-23 16:26 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-09-23 08:50 - 2012-09-23 08:50 - 00000000 ____D C:\Users\Vincent\AppData\Local\{77CFEE0C-46D1-4885-B7A3-C1B754C6DAB1}
2012-09-22 20:50 - 2012-09-22 20:50 - 00000000 ____D C:\Users\Vincent\AppData\Local\{F4883C55-63D0-4CAB-AC4A-3DDE227BE255}
2012-09-21 22:35 - 2012-09-21 22:35 - 00000000 ____D C:\Users\Vincent\AppData\Local\{91B38821-3930-40A4-A73A-A66B507C2B78}
2012-09-21 00:00 - 2012-09-21 00:00 - 00000000 ____D C:\Users\Vincent\AppData\Local\{B1669182-A816-43CC-A14D-210A38299F87}
2012-09-20 23:46 - 2012-09-20 23:46 - 00225120 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgloga.sys
2012-09-20 23:46 - 2012-09-20 23:46 - 00200032 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2012-09-20 23:45 - 2012-09-20 23:45 - 00061792 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsha.sys
2012-09-20 10:03 - 2012-09-20 10:03 - 00000000 ____D C:\Users\Vincent\AppData\Local\{FEB60193-628A-4435-A38A-26A70E23AD6B}


==================== 3 Months Modified Files ==================

2012-10-20 11:44 - 2012-07-12 17:00 - 00000035 ____A C:\Users\Public\Documents\AtherosServiceConfig.ini
2012-10-20 11:44 - 2012-07-12 16:14 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-355343389-3714370867-124594232-1001UA.job
2012-10-20 07:53 - 2012-07-12 16:14 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-355343389-3714370867-124594232-1001Core.job
2012-10-19 19:52 - 2012-10-19 19:52 - 00004608 ____A C:\Users\Vincent\AppData\Local\recently-used.xbel
2012-10-19 18:44 - 2009-07-13 20:45 - 00013984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-19 18:44 - 2009-07-13 20:45 - 00013984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-19 18:43 - 2009-07-13 21:13 - 00961518 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-19 18:37 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-19 18:37 - 2009-07-13 20:51 - 00033717 ____A C:\Windows\setupact.log
2012-10-19 11:08 - 2012-10-04 22:12 - 00000965 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2012-10-19 00:03 - 2012-10-19 00:03 - 00036047 ____A C:\Users\Vincent\Downloads\FRST.txt
2012-10-19 00:00 - 2012-10-19 00:00 - 01458573 ____A (Farbar) C:\Users\Vincent\Downloads\FRST64 (1).exe
2012-10-18 23:55 - 2012-10-18 22:46 - 00007632 ____A C:\Users\Vincent\Desktop\avgrep.txt
2012-10-18 23:42 - 2012-07-12 16:58 - 00364304 ____A C:\Windows\PFRO.log
2012-10-18 23:15 - 2012-10-18 23:15 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-18 23:14 - 2012-10-18 23:14 - 09502424 ____A (Malwarebytes Corporation ) C:\Users\Vincent\Downloads\mbam-setup-1.60.1.1000.exe
2012-10-18 23:11 - 2012-07-12 16:02 - 01563731 ____A C:\Windows\WindowsUpdate.log
2012-10-11 20:00 - 2012-10-11 20:00 - 11970272 ____A (ManyCam LLC) C:\Users\Vincent\Downloads\ManyCamSetup.exe
2012-10-10 13:27 - 2012-10-10 13:27 - 00002533 ____A C:\Users\Public\Desktop\DBSelector.lnk
2012-10-10 13:27 - 2012-10-10 13:27 - 00002533 ____A C:\Users\Public\Desktop\aXionGUI.lnk
2012-10-10 13:27 - 2012-10-10 13:27 - 00002533 ____A C:\Users\Public\Desktop\aXion.lnk
2012-10-10 09:18 - 2012-10-10 09:18 - 00003664 ____A C:\Users\Vincent\Desktop\RKreport[1].txt
2012-10-10 09:17 - 2012-10-10 09:17 - 01422336 ____A C:\Users\Vincent\Downloads\RogueKiller.exe
2012-10-10 09:14 - 2012-10-10 09:14 - 01456791 ____A (Farbar) C:\Users\Vincent\Downloads\FRST64.exe
2012-10-10 09:08 - 2012-10-10 09:08 - 08962000 ____A (SurfRight B.V.) C:\Users\Vincent\Downloads\HitmanPro36_x64.exe
2012-10-09 21:41 - 2012-10-09 21:39 - 92121088 ____A C:\Users\Vincent\Downloads\avg_arl_cdi_all_120_120823a5226.iso
2012-10-09 20:11 - 2012-10-09 20:09 - 103899007 ____A C:\Users\Vincent\Downloads\avg_arl_ffi_all_120_120823a5226.zip
2012-10-09 18:53 - 2012-10-09 18:53 - 00169910 ____A C:\Users\Vincent\Downloads\IBM.Rational.PurifyPlus.v7.0.W.keygen.zip
2012-10-09 18:49 - 2012-10-09 18:14 - 00026560 ____A C:\Users\Vincent\AppData\Local\rational_state.log
2012-10-04 23:26 - 2012-10-04 23:26 - 00111456 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys
2012-10-03 15:15 - 2012-10-04 07:25 - 14906515 ____A C:\Users\Vincent\Desktop\Standard_Pushbacks.zip
2012-10-01 23:30 - 2012-10-01 23:30 - 00185696 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys
2012-10-01 20:00 - 2012-10-01 20:00 - 00295751 ____A C:\Users\Vincent\Downloads\DebugView.zip
2012-10-01 09:07 - 2012-10-01 09:05 - 92347544 ____A C:\Users\Vincent\Downloads\2008_03_24_divers 044.avi
2012-09-29 15:54 - 2012-10-18 23:15 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-29 12:13 - 2009-07-13 20:45 - 00310896 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-27 11:52 - 2012-07-12 16:14 - 00067872 ____A C:\Users\Vincent\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-27 01:18 - 2012-09-27 00:55 - 00021811 ____A C:\Users\Vincent\Documents\BCX 10 ans.wlmp
2012-09-26 00:31 - 2012-09-27 18:13 - 10187660 ____A C:\Users\Vincent\Desktop\aXMessages2.xls
2012-09-26 00:25 - 2012-09-27 18:13 - 10014509 ____A C:\Users\Vincent\Desktop\aXMessages1.xls
2012-09-26 00:24 - 2012-09-27 18:13 - 01690389 ____A C:\Users\Vincent\Desktop\aXMessages3.xls
2012-09-24 00:17 - 2012-09-24 00:17 - 15468988 ____A C:\Users\Vincent\Downloads\torsionblend_trial.7z
2012-09-20 23:46 - 2012-09-20 23:46 - 00225120 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgloga.sys
2012-09-20 23:46 - 2012-09-20 23:46 - 00200032 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2012-09-20 23:45 - 2012-09-20 23:45 - 00061792 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsha.sys
2012-09-19 01:20 - 2012-07-12 16:17 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-19 01:20 - 2012-07-12 16:17 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-14 01:49 - 2012-09-14 01:44 - 183721414 ____A C:\Users\Vincent\Downloads\RATL_PURIFYPLUS_WIN_EVAL_V7.0.1_ML.zip
2012-09-14 01:37 - 2012-09-14 01:37 - 00000044 ____A C:\Users\Vincent\dlmgr_.pro
2012-09-13 23:05 - 2012-09-13 23:05 - 00040800 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgrkx64.sys
2012-09-12 23:11 - 2012-09-12 23:11 - 00151904 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdrivera.sys
2012-09-06 20:29 - 2012-09-06 20:29 - 00000020 __ASH C:\Users\VaultIndexAppPool\ntuser.ini
2012-09-06 13:07 - 2012-09-06 13:07 - 00001880 ____A C:\Users\Public\Desktop\Vault Professional Client.lnk
2012-09-06 13:06 - 2012-09-06 13:06 - 24069632 ____A C:\Users\Vincent\Downloads\VaultProClient.msi
2012-09-06 13:05 - 2012-09-06 13:05 - 00000020 ___SH C:\Users\VaultNotifyAppPool\ntuser.ini
2012-09-06 12:57 - 2012-09-06 12:57 - 00000020 ___SH C:\Users\VaultAppPool\ntuser.ini
2012-09-06 12:57 - 2012-09-06 12:57 - 00000020 ___SH C:\Users\DefaultAppPool\ntuser.ini
2012-09-06 12:40 - 2012-09-06 12:36 - 185048928 ____A (Microsoft Corporation) C:\Users\Vincent\Downloads\SQLManagementStudio_x64_ENU.exe
2012-09-03 23:54 - 2012-09-03 23:54 - 00000970 ____A C:\Users\Vincent\Desktop\Downloads - Shortcut.lnk
2012-09-03 23:53 - 2012-09-03 23:53 - 00000020 __ASH C:\Users\Classic .NET AppPool\ntuser.ini
2012-09-03 23:53 - 2012-09-03 23:48 - 00044201 ____A C:\Windows\iis7.log
2012-09-03 23:53 - 2012-07-12 19:18 - 00933150 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-03 23:51 - 2012-09-03 23:51 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-03 23:51 - 2012-09-03 23:51 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-09-03 23:51 - 2012-09-03 23:51 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-09-03 23:51 - 2012-09-03 23:51 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-03 23:51 - 2012-07-12 16:07 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-09-03 23:51 - 2012-07-12 16:07 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-09-03 23:34 - 2012-09-03 23:34 - 39076864 ____A C:\Users\Vincent\Downloads\VaultProServer64_6_0_0_30477.msi
2012-09-03 20:14 - 2012-09-03 20:14 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-09-01 20:42 - 2012-07-12 18:53 - 00306415 ____N C:\Windows\Minidump\090212-18844-01.dmp
2012-09-01 20:07 - 2012-07-13 10:10 - 00000667 ____A C:\Users\Vincent\Desktop\aXion.sln - Shortcut.lnk
2012-08-30 20:43 - 2012-07-12 16:48 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-29 21:44 - 2012-08-29 21:44 - 00001248 ____A C:\Users\Public\Desktop\NVIDIA Compute Visual Profiler v4.0.lnk
2012-08-27 09:32 - 2012-08-27 09:16 - 1000886272 ____A C:\Users\Vincent\Downloads\envi50win64_setup.exe
2012-08-24 03:15 - 2012-09-23 16:26 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 02:39 - 2012-09-23 16:26 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 02:31 - 2012-09-23 16:26 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 02:22 - 2012-09-23 16:26 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 02:21 - 2012-09-23 16:26 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 02:20 - 2012-09-23 16:26 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 02:18 - 2012-09-23 16:26 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 02:17 - 2012-09-23 16:26 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 02:14 - 2012-09-23 16:26 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 02:14 - 2012-09-23 16:26 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 02:13 - 2012-09-23 16:26 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 02:12 - 2012-09-23 16:26 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 02:11 - 2012-09-23 16:26 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 02:10 - 2012-09-23 16:26 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 02:09 - 2012-09-23 16:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 02:04 - 2012-09-23 16:26 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-23 23:27 - 2012-09-23 16:26 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-23 23:03 - 2012-09-23 16:26 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-23 22:59 - 2012-09-23 16:26 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-23 22:51 - 2012-09-23 16:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-23 22:51 - 2012-09-23 16:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-23 22:51 - 2012-09-23 16:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-23 22:49 - 2012-09-23 16:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-23 22:48 - 2012-09-23 16:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-23 22:47 - 2012-09-23 16:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-23 22:47 - 2012-09-23 16:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-23 22:47 - 2012-09-23 16:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-23 22:45 - 2012-09-23 16:26 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-23 22:44 - 2012-09-23 16:26 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-23 22:44 - 2012-09-23 16:26 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-23 22:43 - 2012-09-23 16:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-23 22:40 - 2012-09-23 16:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-22 10:12 - 2012-09-19 01:21 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 10:12 - 2012-09-19 01:21 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 10:12 - 2012-09-19 01:21 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 10:12 - 2012-09-19 01:21 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 13:01 - 2012-09-28 23:38 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-08-18 23:41 - 2012-08-18 23:41 - 00000000 ___AH C:\Users\Vincent\Documents\Default.rdp
2012-08-17 20:03 - 2012-08-17 20:03 - 14048031 ____A C:\Users\Vincent\Downloads\Vancouver_ETM_RGB.zip
2012-08-16 23:51 - 2012-08-16 23:51 - 00027520 ____A C:\Users\Vincent\AppData\Local\dt.dat
2012-08-16 21:39 - 2012-07-12 18:53 - 00306287 ____N C:\Windows\Minidump\081712-20326-01.dmp
2012-08-09 18:35 - 2012-08-09 18:33 - 00001993 ____A C:\Users\Vincent\Desktop\Computer.lnk
2012-08-02 09:58 - 2012-09-19 01:21 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 08:57 - 2012-09-19 01:21 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-26 09:52 - 2012-07-13 21:36 - 00007368 ____A C:\Windows\DirectX.log
2012-07-24 19:12 - 2012-07-12 18:53 - 00305455 ____N C:\Windows\Minidump\072412-22276-01.dmp


ZeroAccess:
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L\00000004.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\L\201d3dde
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\00000004.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\00000008.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\000000cb.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000000.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000032.@
C:\Windows\Installer\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-19 14:36:33

==================== Memory info ===========================

Percentage of memory in use: 6%
Total physical RAM: 22519.12 MB
Available physical RAM: 21118.05 MB
Total Pagefile: 22517.27 MB
Available Pagefile: 21106.95 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:74.53 GB) (Free:6.88 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (geotextures) (Fixed) (Total:2794.39 GB) (Free:594.36 GB) NTFS
3 Drive e: () (Fixed) (Total:1862.92 GB) (Free:606.06 GB) NTFS
5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive h: () (Removable) (Total:1.9 GB) (Free:0.91 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 74 GB 1024 KB
Disk 1 Online 2794 GB 0 B *
Disk 2 Online 1863 GB 100 MB
Disk 3 Online 1952 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 74 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 74 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Reserved 128 MB 17 KB
Partition 2 Primary 2794 GB 129 MB

==================================================================================

Disk: 1
Partition 1
Type : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden : Yes
Required: No
Attrib : 0000000000000000

There is no volume associated with this partition.

=========================================================

Disk: 1
Partition 2
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0000000000000000

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D geotextures NTFS Partition 2794 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1862 GB 101 MB

==================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E NTFS Partition 1862 GB Healthy

=========================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1950 MB 122 KB

==================================================================================

Disk: 3
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT Removable 1950 MB Healthy

=========================================================

Last Boot: 2012-10-16 07:34

==================== End Of Log =============================

Thanks again :)
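An added example, not part of this thread or of FRST: the three things the log above flags (a services.exe whose MD5 is not on the tool's known-good list, a {GUID} folder under \Windows\Installer that holds an "@" file plus "U"/"L" subfolders, and Desktop.ini files dropped into \Windows\assembly\GAC_32 and GAC_64) can be checked with a script run against the system volume mounted offline, the same situation the Recovery Environment puts you in: with Windows not booted, the patched services.exe is not running and nothing hides those paths. The known-good services.exe hashes are an assumption the caller must supply (the log only shows the hash of the patched file), and the directory tree used in the usage note is constructed.

```python
import hashlib
import os
import re
from pathlib import Path

# Directory name pattern for the GUID store ZeroAccess creates under \Windows\Installer
# (the log above shows {e2b02ccd-6083-4afe-10b5-4d16529e2728}). Legitimate MSI caches
# use the same naming, so the "@" file plus "U"/"L" subfolders are what distinguish it.
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)


def md5_of(path):
    """Upper-case MD5 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def _child(parent, name):
    """Case-insensitive child lookup, so an NTFS volume mounted on a
    case-sensitive Linux host scans the same way as on Windows."""
    if parent is None:
        return None
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return Path(parent, entry)
    except (FileNotFoundError, NotADirectoryError):
        pass
    return None


def scan_zeroaccess_indicators(volume_root, services_exe_allowlist):
    """Return a list of (indicator, path) tuples found under volume_root.

    volume_root: root of the Windows system volume ("C:\\" live, or the
    mount point of an image examined offline).
    services_exe_allowlist: set of upper-case MD5 digests of known-good
    services.exe builds (assumed to be supplied by the caller).
    """
    findings = []
    win = _child(volume_root, "Windows")
    if win is None:
        return findings

    # 1. Patched services.exe: hash is not one the caller vouches for.
    services = _child(_child(win, "System32"), "services.exe")
    if services is not None:
        digest = md5_of(services)
        if digest not in services_exe_allowlist:
            findings.append(("services.exe md5 not in allowlist: " + digest, str(services)))

    # 2. \Windows\Installer\{GUID}\ holding "@" and a "U" or "L" subfolder.
    installer = _child(win, "Installer")
    if installer is not None:
        for entry in os.listdir(installer):
            d = Path(installer, entry)
            if not (d.is_dir() and GUID_DIR.match(entry)):
                continue
            has_at = _child(d, "@") is not None
            has_store = _child(d, "U") is not None or _child(d, "L") is not None
            if has_at and has_store:
                findings.append(("ZeroAccess GUID store (@ + U/L)", str(d)))

    # 3. Desktop.ini inside the GAC_32 / GAC_64 folders of \Windows\assembly.
    assembly = _child(win, "assembly")
    for gac in ("GAC_32", "GAC_64"):
        ini = _child(_child(assembly, gac), "Desktop.ini")
        if ini is not None:
            findings.append(("Desktop.ini in " + gac, str(ini)))

    return findings


if __name__ == "__main__":
    # Usage: python za_scan.py /mnt/evidence  <known-good-md5> [<known-good-md5> ...]
    import sys
    for kind, path in scan_zeroaccess_indicators(sys.argv[1], set(sys.argv[2:])):
        print(kind, "->", path)
```

Run it from a WinPE or Linux boot against the mounted volume rather than from the infected Windows session; an allowlist of services.exe hashes for the exact build and patch level must come from a clean reference machine or from Microsoft, never from the suspect host.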
 
FRST Fixlist

Please download attached fixlist.txt below, and save it to your flash drive in the same location as FRST.exe. Make sure it maintains the same name, otherwise the fix will fail.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 

Attachments

  • fixlist.txt (326 bytes)
Good, now back to Normal Mode to check for more malware. There is probably still quite a bit...

ComboFix scan

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
That ran smoothly. Here is the report:

ComboFix 12-10-22.01 - Vincent 10/22/2012 13:23:25.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.22519.17759 [GMT -4:00]
Running from: c:\users\Vincent\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM6E7A.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM6EAB.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM6ECC.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM6EDE.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM6F0F.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM6F30.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM6F42.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM6FA1.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7001.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7032.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7043.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7074.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7086.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM70B6.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM70D8.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM70E9.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM711A.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM712C.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM716C.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM717E.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM71DD.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM71EF.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7220.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7290.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM72D0.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7311.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7351.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM73A1.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM73D2.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7431.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7462.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7493.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM74B4.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7504.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7554.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7585.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM75A6.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM75D7.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7637.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7667.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM7698.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM76C9.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM76FB.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM771C.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM772E.tmp
c:\users\Vincent\AppData\Local\Temp\XTMP1MC3VE\DEM774F.tmp
c:\users\Vincent\AppData\Local\Temp\YTMP7MC8AA\TAA77F7.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_nvsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
.
.
2012-10-22 17:27 . 2012-10-22 17:27  --------  d-----w-  c:\users\VaultNotifyAppPool\AppData\Local\temp
2012-10-22 17:27 . 2012-10-22 17:27  --------  d-----w-  c:\users\VaultIndexAppPool\AppData\Local\temp
2012-10-22 17:27 . 2012-10-22 17:27  --------  d-----w-  c:\users\VaultAppPool\AppData\Local\temp
2012-10-22 17:27 . 2012-10-22 17:27  --------  d-----w-  c:\users\DefaultAppPool\AppData\Local\temp
2012-10-19 08:00 . 2012-10-19 08:02  --------  d-----w-  C:\FRST
2012-10-19 07:15 . 2012-10-19 07:15  --------  d-----w-  c:\users\Vincent\AppData\Roaming\Malwarebytes
2012-10-19 07:15 . 2012-10-19 07:15  --------  d-----w-  c:\programdata\Malwarebytes
2012-10-19 07:15 . 2012-10-19 07:15  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-19 07:15 . 2012-09-29 23:54  25928  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-10-12 18:21 . 2012-10-12 18:21  --------  d-----w-  c:\users\Default\AppData\Roaming\TuneUp Software
2012-10-10 17:08 . 2012-10-10 17:09  --------  d-----w-  c:\programdata\HitmanPro
2012-10-10 03:02 . 2012-10-10 03:02  --------  d-sh--w-  c:\windows\SysWow64\%APPDATA%
2012-10-10 02:14 . 2012-10-10 02:50  --------  d-----w-  c:\program files (x86)\Rational
2012-10-05 07:26 . 2012-10-05 07:26  111456  ----a-w-  c:\windows\system32\drivers\avgmfx64.sys
2012-10-05 06:13 . 2012-10-05 06:13  --------  d-----w-  c:\users\Vincent\AppData\Roaming\AVG2013
2012-10-05 06:12 . 2012-10-05 06:12  --------  d-----w-  c:\users\Vincent\AppData\Roaming\TuneUp Software
2012-10-05 06:12 . 2012-10-05 06:12  --------  d-----w-  c:\program files (x86)\AVG Secure Search
2012-10-05 06:11 . 2012-10-10 07:41  --------  d-----w-  c:\programdata\AVG2013
2012-10-04 23:54 . 2012-10-19 06:46  --------  d-----w-  c:\users\Vincent\AppData\Local\Avg2013
2012-10-04 23:54 . 2012-10-04 23:54  --------  d-----w-  c:\users\Vincent\AppData\Local\MFAData
2012-10-02 07:30 . 2012-10-02 07:30  185696  ----a-w-  c:\windows\system32\drivers\avgldx64.sys
2012-09-29 07:38 . 2012-08-21 21:01  245760  ----a-w-  c:\windows\system32\OxpsConverter.exe
2012-09-24 08:19 . 2012-09-27 09:39  --------  d-----w-  c:\program files (x86)\TorsionBlend
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-10 02:11 . 2012-07-13 03:25  2379552  ----a-w-  c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-09-21 07:46 . 2012-09-21 07:46  200032  ----a-w-  c:\windows\system32\drivers\avgtdia.sys
2012-09-21 07:46 . 2012-09-21 07:46  225120  ----a-w-  c:\windows\system32\drivers\avgloga.sys
2012-09-21 07:45 . 2012-09-21 07:45  61792  ----a-w-  c:\windows\system32\drivers\avgidsha.sys
2012-09-19 09:20 . 2012-07-13 00:17  73136  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-19 09:20 . 2012-07-13 00:17  696240  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-14 07:05 . 2012-09-14 07:05  40800  ----a-w-  c:\windows\system32\drivers\avgrkx64.sys
2012-09-13 07:11 . 2012-09-13 07:11  151904  ----a-w-  c:\windows\system32\drivers\avgidsdrivera.sys
2012-09-04 07:51 . 2012-09-04 07:51  95208  ----a-w-  c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-04 07:51 . 2012-07-13 00:07  821736  ----a-w-  c:\windows\SysWow64\npDeployJava1.dll
2012-09-04 07:51 . 2012-07-13 00:07  746984  ----a-w-  c:\windows\SysWow64\deployJava1.dll
2012-09-04 04:14 . 2012-09-04 04:14  31080  ----a-w-  c:\windows\system32\drivers\avgtpx64.sys
2012-08-31 04:43 . 2012-07-13 00:48  64462936  ----a-w-  c:\windows\system32\MRT.exe
2012-08-22 18:12 . 2012-09-19 09:21  1913200  ----a-w-  c:\windows\system32\drivers\tcpip.sys
2012-08-22 18:12 . 2012-09-19 09:21  376688  ----a-w-  c:\windows\system32\drivers\netio.sys
2012-08-22 18:12 . 2012-09-19 09:21  950128  ----a-w-  c:\windows\system32\drivers\ndis.sys
2012-08-22 18:12 . 2012-09-19 09:21  288624  ----a-w-  c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-02 17:58 . 2012-09-19 09:21  574464  ----a-w-  c:\windows\system32\d3d10level9.dll
2012-08-02 16:57 . 2012-09-19 09:21  490496  ----a-w-  c:\windows\SysWow64\d3d10level9.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-10-05 06:12  1734240  ----a-w-  c:\program files (x86)\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll" [2012-10-05 1734240]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"ManyCam"="c:\program files (x86)\ManyCam\Bin\ManyCam.exe" [2012-09-14 2164632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-10-05 947808]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-10-10 3116152]
"ROC_ROC_NT"="c:\program files (x86)\AVG Secure Search\ROC_ROC_NT.exe" [2012-10-05 856160]
.
c:\users\Vincent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
wlmail.exe - Shortcut.lnk - c:\program files (x86)\Windows Live\Mail\wlmail.exe [2012-3-8 92024]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2012-7-13 1207312]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages  REG_MULTI_SZ  kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-07-09 123856]
R3 ATHDFU;Atheros Valkyrie USB BootROM;c:\windows\system32\Drivers\AthDfu.sys [2010-11-26 51872]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-07-13 1255736]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-09-21 61792]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-21 225120]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-10-05 111456]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]
S0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\DRIVERS\mv91cons.sys [2010-11-22 24880]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2010-11-22 303408]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-09-13 151904]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-09-21 200032]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-09-04 31080]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-10-02 5783672]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-02 193568]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-08-12 133800]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
S2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [2012-09-04 722528]
S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2010-11-26 28832]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2010-11-26 275616]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [2010-04-07 290008]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-07-20 44928]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-07-20 29696]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs	REG_MULTI_SZ   	w3svc was
apphost	REG_MULTI_SZ   	apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-355343389-3714370867-124594232-1001Core.job
- c:\users\Vincent\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-13 00:14]
.
2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-355343389-3714370867-124594232-1001UA.job
- c:\users\Vincent\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-13 00:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]
"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2010-11-26 613536]
"AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2010-11-26 379040]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-ROC_ROC_JULY_P1 - c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe
AddRemove-Rainbow Sentinel Driver - c:\windows\SYSTEM32\RNBOSENT\SETUPX86.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d3,8e,bd,34,72,8c,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,ae,61,a1,3f,18,7e,45,99,08,c3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,ae,61,a1,3f,18,7e,45,99,08,c3,\
.
[HKEY_USERS\S-1-5-21-355343389-3714370867-124594232-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-355343389-3714370867-124594232-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
.
**************************************************************************
.
Completion time: 2012-10-22 13:31:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-22 17:31
.
Pre-Run: 6,468,800,512 bytes free
Post-Run: 20,282,855,424 bytes free
.
- - End Of File - - 6FA0D1171A0CAAFF522C9D882AB9CC2D
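The log tail above lists every service and driver ComboFix found in one fixed line format (`S<start type> name;description;image path [date size]`) and the 64-bit Run entries as `"name"="command" [date size]` or `[X]`. When reading such a log, the boot-start (S0) and system-start (S1) drivers deserve the closest look, because a kernel driver that loads that early runs before any security product does. The parser below is an added example for this thread, not ComboFix's own code and not part of the poster's log: it turns those lines into records, groups services by start type, lists any whose image lives outside the usual install directories, and lists Run entries printed with `[X]`. The sample lines are copied from the log above plus one constructed entry; the list of expected directories and the reading of `[X]` as "file not located" are my assumptions, not ComboFix rules.

```python
"""Parse the services/drivers and Run lines of a ComboFix log tail.

Added example for this forum thread; not ComboFix code. The check lists
(EXPECTED_DIRS, the meaning of [X]) are the author's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: four lines copied from the log above plus one made-up
# service (ExampleSvc) whose image sits in a user temp folder.
SAMPLE_SERVICES = r"""
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]
S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S2 ExampleSvc;constructed entry;c:\users\vincent\appdata\local\temp\svc.exe [2012-10-01 12345]
"""

# Constructed sample: two Run entries copied from the X64 Entries section above.
SAMPLE_RUN = r"""
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]
"""

SERVICE_RE = re.compile(
    r"^(?P<start>S[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) "
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<info>[^\]]*)\]$')

# Assumption: where drivers and services are normally installed on this box.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")
START_TYPES = {"S0": "boot", "S1": "system", "S2": "auto",
               "S3": "demand", "S4": "disabled"}


def parse_services(text):
    """Return one dict per service/driver line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records


def parse_run(text):
    """Return one dict per Run entry ('info' is the date/size or 'X')."""
    return [m.groupdict() for m in (RUN_RE.match(l.strip()) for l in text.splitlines()) if m]


def by_start_type(services):
    """Group service names by start type; review 'boot' and 'system' first."""
    groups = defaultdict(list)
    for s in services:
        groups[START_TYPES[s["start"]]].append(s["name"])
    return dict(groups)


def unexpected_locations(services):
    """Names of services whose image is outside EXPECTED_DIRS (assumption)."""
    return [s["name"] for s in services
            if not s["path"].lower().startswith(EXPECTED_DIRS)]


def missing_files(run_entries):
    """Run entries ComboFix printed with [X] (my reading: image not located)."""
    return [r["name"] for r in run_entries if r["info"] == "X"]


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_SERVICES)
    print("by start type:", by_start_type(svcs))
    print("outside expected dirs:", unexpected_locations(svcs))
    print("Run entries with [X]:", missing_files(parse_run(SAMPLE_RUN)))
```

Run against a full ComboFix log, the boot/system groups are short enough to check by hand against the vendor names, and anything in the "outside expected dirs" list is the first thing to look up before deciding whether a fix script is needed.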
 
TDSSKiller Scan

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg


------------------------

Click the Start Scan button.

tdss_3.jpg


-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue


tdss_4.jpg


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


tdss_5.jpg



--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
 
Hi,

I'm encountering a weird problem since I started that whole cleaning process: I'm no longer able to do screen recording, with any application. I always get a popup saying "Error Crating AVI file". Does this ring a bell?

Anyhow, attached is the log file from TDSSKiller:
 

Attachments

  • TDSSKiller.2.8.13.0_23.10.2012_13.46.03_log.txt
    269.1 KB · Views: 1
I would say to reinstall CamStudio, that's what it sounds like.

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
    1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
I tried reinstalling the video-recorder and it didn't help. However, I noticed that if I start it by right-clicking on the application and select "run as administrator", it does work. That's weird, but at least I have a work-around.

Now for ESET online, it gave me the following 6 threats:

C:\FRST\Quarantine\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\00000004.@	Win64/Conedex.C trojan	cleaned by deleting - quarantined
C:\FRST\Quarantine\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\00000008.@	Win64/Agent.BA trojan	cleaned by deleting - quarantined
C:\FRST\Quarantine\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\000000cb.@	Win64/Conedex.B trojan	cleaned by deleting - quarantined
C:\FRST\Quarantine\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000000.@	Win64/Sirefef.AP trojan	cleaned by deleting - quarantined
C:\FRST\Quarantine\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000032.@	probably a variant of Win32/Sirefef.FD trojan	cleaned by deleting - quarantined
C:\FRST\Quarantine\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\U\80000064.@	Win64/Sirefef.AN trojan	cleaned by deleting - quarantined
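ESET's exported results are one line per finding with three tab-separated fields: path, detection name, action taken. All six paths above sit under C:\FRST\Quarantine, which is where FRST moves files it removes, so these are copies already taken out of their original location rather than files still loading at boot; ESET deleting them finishes the job. The script below is an added example for this thread, not ESET's code and not part of the poster's reply: it parses such an export, groups detections by malware family and reports how many findings lie under a quarantine folder versus elsewhere on disk. The sample lines are the six results above re-separated with tabs (the forum copy lost them); the quarantine-folder rule is my own heuristic.

```python
"""Summarise an ESET Online Scanner results export (path <TAB> detection <TAB> action).

Added example for this forum thread; it is not ESET's code. SAMPLE_LOG holds
the six results from the post above, re-separated with tab characters. The
quarantine-folder check is the author's heuristic, not an ESET feature.
"""
import re
from collections import Counter

# Constructed sample: the poster's six results with the tab separators restored.
SAMPLE_LOG = (
    "C:\\FRST\\Quarantine\\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\\U\\00000004.@\t"
    "Win64/Conedex.C trojan\tcleaned by deleting - quarantined\n"
    "C:\\FRST\\Quarantine\\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\\U\\00000008.@\t"
    "Win64/Agent.BA trojan\tcleaned by deleting - quarantined\n"
    "C:\\FRST\\Quarantine\\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\\U\\000000cb.@\t"
    "Win64/Conedex.B trojan\tcleaned by deleting - quarantined\n"
    "C:\\FRST\\Quarantine\\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\\U\\80000000.@\t"
    "Win64/Sirefef.AP trojan\tcleaned by deleting - quarantined\n"
    "C:\\FRST\\Quarantine\\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\\U\\80000032.@\t"
    "probably a variant of Win32/Sirefef.FD trojan\tcleaned by deleting - quarantined\n"
    "C:\\FRST\\Quarantine\\{e2b02ccd-6083-4afe-10b5-4d16529e2728}\\U\\80000064.@\t"
    "Win64/Sirefef.AN trojan\tcleaned by deleting - quarantined\n"
)

# Platform/family prefix of an ESET detection name, e.g. "Win64/Sirefef".
FAMILY_RE = re.compile(r"(Win(?:32|64)/[A-Za-z]+)")


def family_of(detection):
    """Strip the variant suffix and wording ('probably a variant of ...')."""
    m = FAMILY_RE.search(detection)
    return m.group(1) if m else "unknown"


def parse_eset_log(text):
    """Return one dict per finding; lines without exactly three fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        path, detection, action = (p.strip() for p in parts)
        records.append({"path": path, "detection": detection,
                        "action": action, "family": family_of(detection)})
    return records


def family_counts(records):
    """Number of findings per family, e.g. {'Win64/Sirefef': 2, ...}."""
    return dict(Counter(r["family"] for r in records))


def in_quarantine(path):
    """Heuristic (assumption): any path with a 'quarantine' folder component."""
    return "\\quarantine\\" in path.lower()


def triage(records):
    """Split findings into already-quarantined copies and files found elsewhere."""
    quarantined = [r for r in records if in_quarantine(r["path"])]
    elsewhere = [r for r in records if not in_quarantine(r["path"])]
    return {
        "total": len(records),
        "already_quarantined": len(quarantined),
        "outside_quarantine": len(elsewhere),
        "outside_paths": [r["path"] for r in elsewhere],
        "families": family_counts(records),
        "actions": dict(Counter(r["action"] for r in records)),
    }


if __name__ == "__main__":
    for key, value in triage(parse_eset_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A non-empty `outside_paths` list is the part worth acting on: it points at files that are still in place on the system rather than leftovers in a tool's quarantine folder.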
 
Stick with the workaround, as I cannot find a fix anywhere suited for it...

We will finish up to make sure your computer is protected from malware in the future.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name I.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive I.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete
Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

  • Double-click the CCleaner shortcut on the desktop to start the program.
  • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
  • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
  • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 