flacorps

Honorary Members
Posts: 24
Everything posted by flacorps

  1. Looks clean now! Now I just have to figure out how to keep it that way...
  2. I'm heading out, but 7 things have been found by ESET: a couple of InstallCore.D's, JS/Security Disabler and JS/Redirector, and a couple of Java/Exploit.CVE-2012.4681.aq.trojan.
  3. Combofix ran, but did not leave me a .txt file in the root directory of C:\. I ran RogueKiller twice, and zapped what it found, none of which looked important to me: and again: Now I can run ESET online through IE, and that's what I'm doing. And I'm going to have to leave the office and leave it running. It hasn't found anything yet. I've turned the other machine off.
  4. 192.168.2.1 is the router.
     192.168.2.6 is an old computer on the network that I didn't even remember I had left on.
     192.168.2.9 is the desktop computer I use, the one that has had the infection problem.
     192.168.2.2 is at the moment assigned to my android phone, but it wasn't here early this AM.
     129.168.1.42 is missing from a list of devices known to the verizon DSL modem, which is reporting 41-47 with the exception of .42. I am in a shared office suite situation and I believe that range is the routers and PCs on the net here.
  5. I tried turning off the firewall in the router, but I still couldn't access those tables. Turned the firewall back on. Checked the security log on the router and I found some interesting things from the wee hours of this morning: I wasn't here to do this.
  6. Got some hiccups on this end. Tried with IE. Got to where I could check boxes, then IE crashed. The site said I could do it with Firefox, so I tried it that way. Downloaded the program. Launched it. It said it couldn't get the virus tables, is proxy configured? Checked the proxy box. Still no go. I don't believe I have any proxy set up (that I know about--wouldn't put it past a virus to do it on the sly). Also, the second link you provided didn't work, but I could get at what I needed through the first link. That's suspicious in my mind--perhaps something malicious in my system has that address on its block list. I'll be out of the office for a bit, then I'll be back to do more.
  7. So far, so good, but I'm worried there is some kind of vulnerability remaining that will be exploited to get a couple of malware items back in. Just like happened a few days ago.
  8. Oh, and when I got in, AVG was showing Adware Generic2.XWC again, so I had it deleted.
  9. Does that mean it theoretically can't execute? Oh, and I've got to leave the affected machine until Monday again.
  10. Running a full malwarebytes scan on the affected drive F: and it has found 1 item in system volume information. Waiting for scan to finish.
  11. This is not the first time I've seen Reboot-AA ... It made an appearance last time, but in the fog of war I thought I had nailed it.
  12. I'll be doing that. But while I was waiting, McAfee ran automatically and found "Reboot-AA" in the system volume information for drive F:/ ... McAfee says it can't be removed.
  13. Here's the previous thread: http://forums.malwarebytes.org/index.php?showtopic=116219 System looked clean. Once I signed off I thought I was done, so I missed the last couple of posts. This morning, AVG reported that Adware Generic2.XWC had gotten into the recycle bin on one of the hard drives, and that HTML/Framer was in the Windows temporary internet files. Some of my correspondents reported receiving spam from me yesterday after I had already left the office, so apparently one of these got off some e-mail. The server was in the Ukraine, so I figured it was a legacy of the old infection, not anything new. I changed the password on my e-mail account from home, and I have yet to do so from the office, so if the virus is latent it hasn't been given the new e-mail password yet. AVG removed both. Am I done?
  14. OK, I'm back. I have a quarantine report:

      Time : 24/09/2012 10:20:26
      --------------------------
      ERROR [cmd.exe.vir] -> cmd.exe
      ERROR [k start cmd.exe.vir] -> /k start cmd.exe

      And I have an RKreport:

      RogueKiller V8.0.5 [09/23/2012] by Tigzy
      mail: tigzyRK<at>gmail<dot>com
      Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
      Blog: http://tigzyrk.blogspot.com

      Operating System: Windows Vista (6.0.6000 ) 32 bits version
      Started in : Normal mode
      User : dothankins [Admin rights]
      Mode : Scan -- Date : 09/24/2012 10:20:26

      ¤¤¤ Bad processes : 0 ¤¤¤

      ¤¤¤ Registry Entries : 4 ¤¤¤
      [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
      [SHELL][BLPATH] [ON_D:]HKLM\Software[...]\Winlogon : Shell (cmd.exe /k start cmd.exe) -> FOUND

      ¤¤¤ Particular Files / Folders: ¤¤¤

      ¤¤¤ Driver : [LOADED] ¤¤¤

      ¤¤¤ Extern Hives: ¤¤¤
      -> D:\windows\system32\config\SOFTWARE
      -> D:\Users\Default\NTUSER.DAT
      -> E:\windows\system32\config\SOFTWARE
      -> E:\Users\Default\NTUSER.DAT
      -> E:\Users\Default User\NTUSER.DAT
      -> E:\Users\Mark\NTUSER.DAT
      -> E:\Documents and Settings\Default\NTUSER.DAT
      -> E:\Documents and Settings\Default User\NTUSER.DAT
      -> F:\windows\system32\config\SOFTWARE
      -> F:\Users\Administrator\NTUSER.DAT
      -> F:\Users\Default\NTUSER.DAT
      -> F:\Users\Default User\NTUSER.DAT
      -> F:\Users\Julie E Hankins\NTUSER.DAT
      -> F:\Users\Mark S Hankins\NTUSER.DAT
      -> F:\Users\Test\NTUSER.DAT

      ¤¤¤ Infection : ¤¤¤

      ¤¤¤ HOSTS File: ¤¤¤
      --> C:\Windows\system32\drivers\etc\hosts
      127.0.0.1 localhost
      ::1 localhost

      ¤¤¤ MBR Check: ¤¤¤
      +++++ PhysicalDrive0: Hitachi HDS721616PLAT80 ATA Device +++++
      --- User ---
      [MBR] 63722a15bdbcee31dd06a1707dbedbf8
      [BSP] 107bb2816be0d452767ea2321ea18ee1 : MBR Code unknown
      Partition table:
      0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 8714 Mo
      1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 17848215 | Size: 143910 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!
      +++++ PhysicalDrive1: WDC WD2500JB-00GVC0 ATA Device +++++
      --- User ---
      [MBR] f71629c0b2bc5165920af661b8e301d6
      [BSP] f5b36c4e0f4443bd92c6bc1d8cfe5b09 : Windows Vista MBR Code
      Partition table:
      0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131069 Mo
      1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 268431360 | Size: 107404 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      Finished : << RKreport[1].txt >>
      RKreport[1].txt

      Looks to me like there may be a little left over, but what do I know?
  15. Thank you. Here is the result:

      Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-09-2012
      Ran by SYSTEM at 2012-09-21 15:23:23 Run:1
      Running from G:\
      ==============================================
      C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0 moved successfully.
      C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\@ not found.
      C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\L not found.
      C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\U not found.
      C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0 moved successfully.
      C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0 not found.
      C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\@ not found.
      C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\L not found.
      C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U not found.
      C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\00000001.@ not found.
      C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\80000000.@ not found.
      C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\800000cb.@ not found.
      ==== End of Fixlog ====
      Fixlog.txt
  16. My situation is very similar to the one discussed here: http://forums.malwarebytes.org/index.php?showtopic=112682 I am at the stage where two log files have been produced:

      FRST.TXT

      Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-09-2012
      Ran by SYSTEM at 21-09-2012 13:02:56
      Running from G:\
      Windows Vista (TM) Home Basic (X86) OS Language: English(US)
      The current controlset is ControlSet001

      ==================== Registry (Whitelisted) ===================
      HKLM\...\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [90112 2006-07-11] ()
      HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2011-10-04] (Google)
      HKLM\...\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe [161360 2006-10-19] (McAfee Inc.)
      HKLM\...\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup [x]
      HKLM\...\Run: [HostManager] C:\Program Files\Common Files\AOL\1173636751\ee\AOLSoftware.exe [50736 2006-09-25] (America Online, Inc.)
      HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
      HKLM\...\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [622592 2007-02-06] (Brother Industries, Ltd.)
      HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [65536 2006-07-19] (Brother Industries, Ltd.)
      HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [155648 2003-09-29] (Scansoft, Inc.)
      HKLM\...\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [36864 2006-05-05] (ScanSoft, Inc.)
      HKLM\...\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [40960 2006-05-05] (ScanSoft, Inc.)
      HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\ereg.ini" [324 2012-09-20] ()
      HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
      HKLM\...\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [3039352 2012-08-29] (AVG Technologies CZ, s.r.o.)
      HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [947808 2012-09-18] ()
      HKLM\...\Run: [ROC_ROC_NT] "C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT [856160 2012-09-18] ()
      HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4282728 2012-08-21] (AVAST Software)
      HKU\dothankins\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation)
      HKU\dothankins\...\Run: [PPScheduler] C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe [98304 2006-05-05] (Nuance Communications, Inc.)
      HKU\dothankins\...\Run: [Iligkaids] C:\Users\dothankins\AppData\Roaming\Solei\iscuw.exe [245760 2012-01-31] ()
      HKU\dothankins\...\Run: [Google Update] "C:\Users\dothankins\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-09-20] (Google Inc.)
      Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
      AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
      HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
      Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
      ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)
      Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
      ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
      Startup: C:\Users\dothankins\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
      ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

      ==================== Services (Whitelisted) ===================
      2 AOL ACS; "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" [46640 2006-10-23] (AOL LLC)
      2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-08-21] (AVAST Software)
      2 AVGIDSAgent; "C:\Program Files\AVG\AVG2013\avgidsagent.exe" [5751928 2012-08-20] (AVG Technologies CZ, s.r.o.)
      2 avgwd; "C:\Program Files\AVG\AVG2013\avgwdsvc.exe" [184304 2012-08-20] (AVG Technologies CZ, s.r.o.)
      3 Emproxy; C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe [337488 2006-10-15] (McAfee, Inc.)
      3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2011-10-04] (Google)
      2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
      2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)
      2 McAfee HackerWatch Service; "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe" [554600 2006-09-28] (McAfee, Inc.)
      3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.1.121\McCHSvc.exe" [227232 2010-09-02] (McAfee, Inc.)
      3 mcmispupdmgr; C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe [689752 2007-01-05] (McAfee, Inc.)
      2 mcmscsvc; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [361560 2007-01-05] (McAfee, Inc.)
      2 McODS; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [362064 2006-10-16] (McAfee, Inc.)
      2 mcpromgr; C:\PROGRA~1\McAfee\MSC\mcpromgr.exe [493144 2007-01-05] (McAfee, Inc.)
      2 McShield; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [140864 2006-10-12] (McAfee, Inc.)
      3 McSysmon; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [622160 2006-10-15] (McAfee, Inc.)
      3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [114144 2012-09-05] (Mozilla Foundation)
      2 MpfService; "C:\Program Files\McAfee\MPF\MPFSrv.exe" [828968 2006-10-12] (McAfee, Inc.)
      2 MPS9; C:\PROGRA~1\McAfee\MPS\mps.exe [890408 2006-10-11] (McAfee, Inc.)
      2 MSK80Service; "C:\Program Files\McAfee\MSK\MskSrver.exe" [28752 2006-10-19] (McAfee Inc.)
      2 vToolbarUpdater12.2.6; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [722528 2012-09-18] ()
      2 McNASvc; "c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe" [x]
      2 McProxy; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [x]
      2 McRedirector; c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe [x]

      ==================== Drivers (Whitelisted) ====================
      2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [58680 2012-08-21] (AVAST Software)
      1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [176096 2012-08-13] (AVG Technologies CZ, s.r.o. )
      0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [54112 2012-08-09] (AVG Technologies CZ, s.r.o. )
      1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [19808 2012-08-10] (AVG Technologies CZ, s.r.o. )
      1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [151520 2012-08-09] (AVG Technologies CZ, s.r.o.)
      0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [178656 2012-08-09] (AVG Technologies CZ, s.r.o.)
      1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [89440 2012-08-10] (AVG Technologies CZ, s.r.o.)
      0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35168 2012-08-10] (AVG Technologies CZ, s.r.o.)
      1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [164704 2012-08-10] (AVG Technologies CZ, s.r.o.)
      1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [27496 2012-09-18] (AVG Technologies)
      3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1302492 2006-11-01] (Intel Corporation)
      3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22856 2012-09-07] (Malwarebytes Corporation)
      3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [71496 2006-10-12] (McAfee, Inc.)
      3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [34120 2006-10-12] (McAfee, Inc.)
      3 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [168392 2006-10-12] (McAfee, Inc.)
      3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [31944 2006-10-12] (McAfee, Inc.)
      3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [35048 2006-10-12] (McAfee, Inc.)
      1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [111192 2006-10-12] (McAfee, Inc.)
      3 NETw2v32; C:\Windows\System32\DRIVERS\NETw2v32.sys [2589184 2006-11-01] (Intel® Corporation)
      2 PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [65536 2006-12-16] (New Boundary Technologies, Inc.)
      3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-01] (America Online, Inc.)
      4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
      3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
      3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
      3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

      ==================== NetSvcs (Whitelisted) ===================

      ==================== One Month Created Files and Folders ========
      2012-09-20 14:58 - 2012-09-20 14:58 - 10213296 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
      2012-09-20 13:27 - 2012-09-20 13:27 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
      2012-09-20 13:19 - 2012-09-20 13:27 - 00000000 ____D C:\Users\All Users\HitmanPro
      2012-09-20 13:19 - 2012-09-20 13:27 - 00000000 ____D C:\Users\All Users\Application Data\HitmanPro
      2012-09-20 13:19 - 2012-09-20 13:19 - 00135016 ____A (SurfRight B.V.) C:\Windows\System32\LnkProtect.dll
      2012-09-20 13:18 - 2012-09-20 13:18 - 07758424 ____A (SurfRight B.V.) C:\Users\dothankins\Downloads\HitmanPro36.exe
      2012-09-20 12:47 - 2012-09-20 12:47 - 00002067 ____A C:\Users\dothankins\Desktop\Google Chrome.lnk
      2012-09-20 12:44 - 2012-09-21 08:54 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3074645540-534623877-3370066440-1000UA.job
      2012-09-20 12:44 - 2012-09-20 17:54 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3074645540-534623877-3370066440-1000Core.job
      2012-09-20 12:43 - 2012-09-20 12:44 - 00000000 ____D C:\Users\dothankins\Local Settings\Deployment
      2012-09-20 12:43 - 2012-09-20 12:44 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\Deployment
      2012-09-20 12:43 - 2012-09-20 12:44 - 00000000 ____D C:\Users\dothankins\AppData\Local\Deployment
      2012-09-20 12:43 - 2012-09-20 12:43 - 00000000 ____D C:\Users\dothankins\AppData\Local\Apps\2.0
      2012-09-20 12:30 - 2012-09-20 12:30 - 00000134 ____A C:\Users\dothankins\Desktop\Microsoft Fix it.url
      2012-09-20 12:25 - 2012-09-20 12:30 - 01703936 ____A C:\Windows\ocsetup_install_MicrosoftWindowsPowerShell.etl
      2012-09-20 12:25 - 2012-09-20 12:30 - 00327680 ____A C:\Windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.perf
      2012-09-20 12:25 - 2012-09-20 12:30 - 00065536 ____A C:\Windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.dpx
      2012-09-20 12:23 - 2012-09-20 12:23 - 00347424 ____A (Microsoft Corporation) C:\Users\dothankins\Downloads\MicrosoftFixit.wu.MATSKB.Run.exe
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Users\dothankins\Application Data\Malwarebytes
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Malwarebytes
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Users\All Users\Malwarebytes
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
      2012-09-20 08:53 - 2012-09-07 13:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
      2012-09-20 08:50 - 2012-09-20 08:51 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\dothankins\Downloads\mbam-setup-1.65.0.1400.exe
      2012-09-20 08:20 - 2012-09-20 08:20 - 00000000 ____D C:\Users\dothankins\Application Data\Macromedia
      2012-09-20 08:20 - 2012-09-20 08:20 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Macromedia
      2012-09-20 08:15 - 2012-09-20 08:15 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
      2012-09-20 07:55 - 2012-09-20 07:56 - 17790056 ____A (Mozilla) C:\Users\dothankins\Downloads\Firefox Setup 15.0.1.exe
      2012-09-18 16:13 - 2012-09-18 16:13 - 00001829 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
      2012-09-18 16:13 - 2012-09-18 16:13 - 00001829 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
      2012-09-18 16:13 - 2012-08-21 01:13 - 00058680 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
      2012-09-18 15:47 - 2012-09-18 15:47 - 216786920 ____A C:\Windows\MEMORY.DMP
      2012-09-18 15:47 - 2012-09-18 15:47 - 00138096 ____A C:\Windows\Minidump\Mini091812-01.dmp
      2012-09-18 15:47 - 2012-09-18 15:47 - 00000000 ____D C:\Windows\Minidump
      2012-09-18 15:09 - 2012-09-18 15:09 - 00000000 ____D C:\Users\dothankins\Application Data\AVG2013
      2012-09-18 15:09 - 2012-09-18 15:09 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\AVG2013
      2012-09-18 15:04 - 2012-09-18 15:17 - 00000000 ____D C:\Users\All Users\AVG Secure Search
      2012-09-18 15:04 - 2012-09-18 15:17 - 00000000 ____D C:\Users\All Users\Application Data\AVG Secure Search
      2012-09-18 15:04 - 2012-09-18 15:04 - 00000842 ____A C:\Users\Public\Desktop\AVG 2013.lnk
      2012-09-18 15:04 - 2012-09-18 15:04 - 00000842 ____A C:\Users\All Users\Desktop\AVG 2013.lnk
      2012-09-18 15:04 - 2012-09-18 15:04 - 00000000 ____D C:\Users\dothankins\Application Data\TuneUp Software
      2012-09-18 15:04 - 2012-09-18 15:04 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\TuneUp Software
      2012-09-18 15:03 - 2012-09-18 15:03 - 00027496 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
      2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Users\dothankins\Local Settings\AVG Secure Search
      2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\AVG Secure Search
      2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Users\dothankins\AppData\Local\AVG Secure Search
      2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
      2012-09-18 15:03 - 2012-09-18 15:03 - 00000000 ____D C:\Program Files\AVG Secure Search
      2012-09-18 15:00 - 2012-09-18 15:35 - 00000000 ____D C:\Users\All Users\AVG2013
      2012-09-18 15:00 - 2012-09-18 15:35 - 00000000 ____D C:\Users\All Users\Application Data\AVG2013
      2012-09-18 15:00 - 2012-09-18 15:00 - 00000000 ___HD C:\$AVG
      2012-09-18 14:58 - 2012-09-18 14:58 - 00000000 ____D C:\Program Files\AVG
      2012-09-18 14:50 - 2012-09-21 08:04 - 00000000 ____D C:\Users\All Users\MFAData
      2012-09-18 14:50 - 2012-09-21 08:04 - 00000000 ____D C:\Users\All Users\Application Data\MFAData
      2012-09-18 14:50 - 2012-09-18 15:32 - 00000000 ____D C:\Users\dothankins\Local Settings\Avg2013
      2012-09-18 14:50 - 2012-09-18 15:32 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\Avg2013
      2012-09-18 14:50 - 2012-09-18 15:32 - 00000000 ____D C:\Users\dothankins\AppData\Local\Avg2013
      2012-09-18 14:50 - 2012-09-18 14:50 - 00000000 ____D C:\Users\dothankins\Local Settings\MFAData
      2012-09-18 14:50 - 2012-09-18 14:50 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\MFAData
      2012-09-18 14:50 - 2012-09-18 14:50 - 00000000 ____D C:\Users\dothankins\AppData\Local\MFAData
      2012-09-18 14:41 - 2012-08-21 01:12 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
      2012-09-18 14:41 - 2012-08-21 01:12 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
      2012-09-18 14:39 - 2012-09-18 16:09 - 00000000 ____D C:\Users\All Users\AVAST Software
      2012-09-18 14:39 - 2012-09-18 16:09 - 00000000 ____D C:\Users\All Users\Application Data\AVAST Software
      2012-09-18 14:39 - 2012-09-18 16:09 - 00000000 ____D C:\Program Files\AVAST Software
      2012-09-18 14:19 - 2012-09-18 14:19 - 00000000 ____D C:\Users\All Users\McAfee Security Scan
      2012-09-18 14:19 - 2012-09-18 14:19 - 00000000 ____D C:\Users\All Users\Application Data\McAfee Security Scan
      2012-09-18 14:19 - 2012-09-18 14:18 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
      2012-09-18 14:18 - 2012-09-18 14:18 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
      2012-09-18 14:18 - 2012-09-18 14:18 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
      2012-09-18 14:18 - 2012-09-18 14:18 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
      2012-09-18 13:09 - 2012-09-18 13:10 - 00894952 ____A (Oracle Corporation) C:\Users\dothankins\Downloads\jre-7u7-windows-i586-iftw.exe
      2012-09-18 12:02 - 2012-09-19 06:26 - 00000000 ___HD C:\Users\dothankins\Application Data\80B1A0DF
      2012-09-18 12:02 - 2012-09-19 06:26 - 00000000 ___HD C:\Users\dothankins\AppData\Roaming\80B1A0DF
      2012-09-12 10:44 - 2012-09-20 09:43 - 00000000 ____D C:\Users\dothankins\Application Data\Ultotu
      2012-09-12 10:44 - 2012-09-20 09:43 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Ultotu
      2012-09-12 10:44 - 2012-09-12 10:44 - 00000000 ____D C:\Users\dothankins\Application Data\Solei
      2012-09-12 10:44 - 2012-09-12 10:44 - 00000000 ____D C:\Users\dothankins\Application Data\Azlemu
      2012-09-12 10:44 - 2012-09-12 10:44 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Solei
      2012-09-12 10:44 - 2012-09-12 10:44 - 00000000 ____D C:\Users\dothankins\AppData\Roaming\Azlemu
      2012-09-12 10:43 - 2012-09-18 15:08 - 00006530 ____A C:\Users\dothankins\Local Settings\chromeupdate.crx
      2012-09-12 10:43 - 2012-09-18 15:08 - 00006530 ____A C:\Users\dothankins\Local Settings\Application Data\chromeupdate.crx
      2012-09-12 10:43 - 2012-09-18 15:08 - 00006530 ____A C:\Users\dothankins\AppData\Local\chromeupdate.crx
      2012-09-12 10:43 - 2012-09-12 10:43 - 00000000 ____D C:\Users\dothankins\Local Settings\Application Data\{D0ADB54E-FD09-11E1-8271-B8AC6F996F26}
      2012-09-12 10:43 - 2012-09-12 10:43 - 00000000 ____D C:\Users\dothankins\Local Settings\{D0ADB54E-FD09-11E1-8271-B8AC6F996F26}
      2012-09-12 10:43 - 2012-09-12 10:43 - 00000000 ____D C:\Users\dothankins\AppData\Local\{D0ADB54E-FD09-11E1-8271-B8AC6F996F26}
      2012-09-07 12:16 - 2012-09-20 08:15 - 00000000 ____D C:\Program Files\Mozilla Firefox
      2012-09-04 12:20 - 2012-09-04 12:20 - 00003001 ____A C:\Users\dothankins\Downloads\covenant mortuary cover.htm
      2012-09-04 12:20 - 2012-09-04 12:20 - 00000000 ____D C:\Users\dothankins\Downloads\covenant mortuary cover_files
      2012-08-31 09:09 - 2012-08-31 09:09 - 00051712 ___AH C:\Users\dothankins\My Documents\~WRL2356.tmp
      2012-08-31 09:09 - 2012-08-31 09:09 - 00051712 ___AH C:\Users\dothankins\Documents\~WRL2356.tmp
      2012-08-27 12:33 - 2012-08-27 12:33 - 00003761 ____A C:\Users\dothankins\My Documents\msh_searchpoint_signature.html
      2012-08-27 12:33 - 2012-08-27 12:33 - 00003761 ____A C:\Users\dothankins\Documents\msh_searchpoint_signature.html
      2012-08-23 11:41 - 2012-08-23 11:41 - 00168572 ____A C:\Users\dothankins\Downloads\Grunau Hankins & Associates.08.16.2011.mdi
      2012-08-23 09:40 - 2012-08-23 09:40 - 00000000 ____D C:\Users\dothankins\Downloads\jne amendment cover_files
      2012-08-23 09:39 - 2012-08-23 09:40 - 00002995 ____A C:\Users\dothankins\Downloads\jne amendment cover.htm
      2012-08-22 06:09 - 2012-08-22 06:09 - 01105016 ____A C:\Users\dothankins\Downloads\drupal-6.26.tar.gz

      ==================== 3 Months Modified Files ==================
      2012-09-21 08:57 - 2006-12-16 14:40 - 00083222 ____A C:\Windows\System32\Config.MPF
      2012-09-21 08:57 - 2006-11-02 04:58 - 00027722 ____A C:\Windows\Tasks\SCHEDLGU.TXT
      2012-09-21 08:57 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
      2012-09-21 08:56 - 2006-11-02 04:45 - 00003072 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
      2012-09-21 08:56 - 2006-11-02 04:45 - 00003072 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
      2012-09-21 08:54 - 2012-09-20 12:44 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3074645540-534623877-3370066440-1000UA.job
      2012-09-21 07:58 - 2012-05-14 05:17 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
      2012-09-20 17:54 - 2012-09-20 12:44 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3074645540-534623877-3370066440-1000Core.job
      2012-09-20 14:58 - 2012-09-20 14:58 - 10213296 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
      2012-09-20 14:58 - 2012-05-14 05:17 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
      2012-09-20 14:58 - 2011-10-04 06:06 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
      2012-09-20 13:27 - 2012-09-20 13:27 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
      2012-09-20 13:19 - 2012-09-20 13:19 - 00135016 ____A (SurfRight B.V.) C:\Windows\System32\LnkProtect.dll
      2012-09-20 13:18 - 2012-09-20 13:18 - 07758424 ____A (SurfRight B.V.) C:\Users\dothankins\Downloads\HitmanPro36.exe
      2012-09-20 12:47 - 2012-09-20 12:47 - 00002067 ____A C:\Users\dothankins\Desktop\Google Chrome.lnk
      2012-09-20 12:38 - 2006-12-16 13:37 - 01918392 ____A C:\Windows\WindowsUpdate.log
      2012-09-20 12:35 - 2011-10-06 05:38 - 00005728 ____A C:\Windows\IE9_main.log
      2012-09-20 12:30 - 2012-09-20 12:30 - 00000134 ____A C:\Users\dothankins\Desktop\Microsoft Fix it.url
      2012-09-20 12:30 - 2012-09-20 12:25 - 01703936 ____A C:\Windows\ocsetup_install_MicrosoftWindowsPowerShell.etl
      2012-09-20 12:30 - 2012-09-20 12:25 - 00327680 ____A C:\Windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.perf
      2012-09-20 12:30 - 2012-09-20 12:25 - 00065536 ____A C:\Windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.dpx
      2012-09-20 12:23 - 2012-09-20 12:23 - 00347424 ____A (Microsoft Corporation) C:\Users\dothankins\Downloads\MicrosoftFixit.wu.MATSKB.Run.exe
      2012-09-20 11:59 - 2006-11-02 02:33 - 00716774 ____A C:\Windows\System32\PerfStringBackup.INI
      2012-09-20 09:30 - 2006-12-16 14:17 - 00042528 ____A C:\Windows\PFRO.log
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
      2012-09-20 08:53 - 2012-09-20 08:53 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
      2012-09-20 08:51 - 2012-09-20 08:50 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\dothankins\Downloads\mbam-setup-1.65.0.1400.exe
      2012-09-20 07:56 - 2012-09-20 07:55 - 17790056 ____A (Mozilla) C:\Users\dothankins\Downloads\Firefox Setup 15.0.1.exe
      2012-09-18 16:13 - 2012-09-18 16:13 - 00001829 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
      2012-09-18 16:13 - 2012-09-18 16:13 - 00001829 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
      2012-09-18 16:13 - 2006-11-02 02:23 - 00002577 ____A C:\Windows\System32\config.nt
      2012-09-18 15:47 - 2012-09-18 15:47 - 216786920 ____A C:\Windows\MEMORY.DMP
      2012-09-18 15:47 - 2012-09-18 15:47 - 00138096 ____A C:\Windows\Minidump\Mini091812-01.dmp
      2012-09-18 15:08 - 2012-09-12 10:43 - 00006530 ____A C:\Users\dothankins\Local Settings\chromeupdate.crx
      2012-09-18 15:08 - 2012-09-12 10:43 - 00006530 ____A C:\Users\dothankins\Local Settings\Application Data\chromeupdate.crx
      2012-09-18 15:08 - 2012-09-12 10:43 - 00006530 ____A C:\Users\dothankins\AppData\Local\chromeupdate.crx
      2012-09-18 15:04 - 2012-09-18 15:04 - 00000842 ____A C:\Users\Public\Desktop\AVG 2013.lnk
      2012-09-18 15:04 - 2012-09-18 15:04 - 00000842 ____A C:\Users\All Users\Desktop\AVG 2013.lnk
      2012-09-18 15:03 - 2012-09-18 15:03 - 00027496 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
      2012-09-18 14:37 - 2006-11-02 04:49 - 00002696 ____A C:\Windows\setupact.log
      2012-09-18 14:18 - 2012-09-18 14:19 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
      2012-09-18 14:18 - 2012-09-18 14:18 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
      2012-09-18 14:18 - 2012-09-18 14:18 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
      2012-09-18 14:18 - 2012-09-18 14:18 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
      2012-09-18 14:18 - 2012-06-28 06:31 - 00821736 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
      2012-09-18 14:18 - 2012-06-28 06:31 - 00746984 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
      2012-09-18 13:10 - 2012-09-18 13:09 - 00894952 ____A (Oracle Corporation) C:\Users\dothankins\Downloads\jre-7u7-windows-i586-iftw.exe
      2012-09-13 16:56 - 2007-03-10 14:01 - 00000376 ____A C:\Windows\ODBC.INI
      2012-09-12 23:02 - 2006-11-02 02:24 - 62164608 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
      2012-09-07 13:04 - 2012-09-20 08:53 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
      2012-09-04 12:20 - 2012-09-04 12:20 - 00003001 ____A C:\Users\dothankins\Downloads\covenant mortuary cover.htm
      2012-08-31 09:09 - 2012-08-31 09:09 - 00051712 ___AH C:\Users\dothankins\My Documents\~WRL2356.tmp
      2012-08-31 09:09 - 2012-08-31 09:09 - 00051712 ___AH C:\Users\dothankins\Documents\~WRL2356.tmp
      2012-08-27 12:33 - 2012-08-27 12:33 - 00003761 ____A C:\Users\dothankins\My Documents\msh_searchpoint_signature.html
      2012-08-27 12:33 - 2012-08-27 12:33 - 00003761 ____A C:\Users\dothankins\Documents\msh_searchpoint_signature.html
      2012-08-23 11:41 - 2012-08-23 11:41 - 00168572 ____A C:\Users\dothankins\Downloads\Grunau Hankins & Associates.08.16.2011.mdi
      2012-08-23 09:40 - 2012-08-23 09:39 - 00002995 ____A C:\Users\dothankins\Downloads\jne amendment cover.htm
      2012-08-22 06:09 - 2012-08-22 06:09 - 01105016 ____A C:\Users\dothankins\Downloads\drupal-6.26.tar.gz
      2012-08-21 12:53 - 2012-08-21 12:53 - 02234513 ____A C:\Users\dothankins\Downloads\daniels bank of america sale page 1.jpeg
      2012-08-21 01:13 - 2012-09-18 16:13 - 00058680 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
      2012-08-21 01:12 - 2012-09-18 14:41 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
      2012-08-21 01:12 - 2012-09-18 14:41 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
      2012-08-13 12:40 - 2012-08-13 12:40 - 00176096 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsdriverx.sys
      2012-08-10 07:21 - 2012-03-20 10:26 - 00000162 ___AH C:\Users\dothankins\My Documents\~$rpe diem counseling RUSH LLC 2 ARTICLES FLACORPS RA.DOT
      2012-08-10 07:21 - 2012-03-20 10:26 - 00000162 ___AH C:\Users\dothankins\Documents\~$rpe diem counseling RUSH LLC 2 ARTICLES FLACORPS RA.DOT
      2012-08-10 00:52 - 2012-08-10 00:52 - 00164704 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdix.sys
      2012-08-10 00:52 - 2012-08-10 00:52 - 00089440 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx86.sys
      2012-08-10 00:52 - 2012-08-10 00:52 - 00035168 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgrkx86.sys
      2012-08-10 00:52 - 2012-08-10 00:52 - 00019808 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidsshimx.sys
      2012-08-09 09:56 - 2012-08-09 09:56 - 00178656 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avglogx.sys
      2012-08-09 09:56 - 2012-08-09 09:56 - 00151520 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx86.sys
      2012-08-09 09:56 - 2012-08-09 09:56 - 00054112 ____A (AVG Technologies CZ, s.r.o. ) C:\Windows\System32\Drivers\avgidshx.sys
      2012-07-17 10:02 - 2011-10-11 12:43 - 00000426 ____A C:\Windows\BRWMARK.INI
      2012-07-16 11:41 - 2012-07-16 11:39 - 00000104 ___AH C:\Users\dothankins\Downloads\.picasa.ini
      2012-07-16 11:38 - 2012-07-16 11:38 - 00000899 ____A C:\Users\Public\Desktop\Picasa 3.lnk
      2012-07-16 11:38 - 2012-07-16 11:38 - 00000899 ____A C:\Users\All Users\Desktop\Picasa 3.lnk
      2012-07-16 11:33 - 2012-07-16 11:32 - 15267728 ____A (Google Inc.)
C:\Users\dothankins\Downloads\picasa39-setup.exe 2012-06-28 06:22 - 2012-06-28 06:22 - 00894448 ____A (Oracle Corporation) C:\Users\dothankins\Downloads\jxpiinstall.exe 2012-06-26 06:17 - 2011-10-11 12:40 - 00000065 ____A C:\Windows\System32\bd7820n.dat ZeroAccess: C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0 ZeroAccess: C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0 C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\@ C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\L C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0\U ZeroAccess: C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0 ZeroAccess: C:\$Recycle.Bin\S-1-5-18\$a1dff5358c3b104b481c8ceb9be89fd0 C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\@ C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\L C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\00000001.@ C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\80000000.@ C:\$Recycle.Bin\S-1-5-21-3074645540-534623877-3370066440-1000\$a1dff5358c3b104b481c8ceb9be89fd0\U\800000cb.@ ==================== Known DLLs (Whitelisted) ================= ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK 
HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2012-09-07 17:47:57 Restore point made on: 2012-09-08 20:00:50 Restore point made on: 2012-09-09 20:00:49 Restore point made on: 2012-09-10 20:00:52 Restore point made on: 2012-09-11 06:22:07 Restore point made on: 2012-09-11 20:00:51 Restore point made on: 2012-09-12 23:01:16 Restore point made on: 2012-09-18 14:16:17 Restore point made on: 2012-09-18 14:39:50 Restore point made on: 2012-09-18 14:58:09 Restore point made on: 2012-09-18 14:59:41 Restore point made on: 2012-09-18 16:09:30 Restore point made on: 2012-09-19 14:15:42 Restore point made on: 2012-09-20 08:03:45 Restore point made on: 2012-09-20 08:04:57 Restore point made on: 2012-09-20 08:07:50 ==================== Memory info =========================== Percentage of memory in use: 17% Total physical RAM: 1501.01 MB Available physical RAM: 1235.23 MB Total Pagefile: 1451.44 MB Available Pagefile: 1292.93 MB Total Virtual: 2047.88 MB Available Virtual: 1983.51 MB ==================== Partitions ============================= 1 Drive c: () (Fixed) (Total:140.54 GB) (Free:93.44 GB) NTFS ==>[Drive with boot components (obtained from BCD)] 2 Drive d: () (Fixed) (Total:104.89 GB) (Free:58.58 GB) NTFS ==>[System with boot components (obtained from reading drive)] 3 Drive e: (DRV1_VOL1) (Fixed) (Total:128 GB) (Free:31.67 GB) NTFS ==>[System with boot components (obtained from reading drive)] 4 Drive f: (990928_1326) (CDROM) (Total:0.49 GB) (Free:0 GB) CDFS 5 Drive g: () (Removable) (Total:14.89 GB) (Free:14.65 GB) FAT32 10 Drive r: (MS-RAMDRIVE) (Fixed) (Total:0.01 GB) (Free:0.01 GB) FAT 11 Drive x: (Recovery) (Fixed) (Total:8.51 GB) (Free:3.65 GB) NTFS Disk ### Status Size Free Dyn Gpt -------- ---------- ------- ------- --- --- Disk 0 Online 153 GB 4441 MB Disk 1 Online 233 GB 822 KB Disk 2 Online 15 GB 0 B Disk 3 No Media 0 B 0 B Disk 4 No 
Media 0 B 0 B Disk 5 No Media 0 B 0 B Disk 6 No Media 0 B 0 B Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 9 GB 32 KB Partition 2 Primary 141 GB 9 GB ========================================================= Disk: 0 Partition 1 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 X Recovery NTFS Partition 9 GB Healthy Boot ========================================================= Disk: 0 Partition 2 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 6 C NTFS Partition 141 GB Healthy ========================================================= Partitions of Disk 1: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 128 GB 32 KB Partition 2 Primary 105 GB 128 GB ========================================================= Disk: 1 Partition 1 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 E DRV1_VOL1 NTFS Partition 128 GB Healthy ========================================================= Disk: 1 Partition 2 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 9 D NTFS Partition 105 GB Healthy ========================================================= Partitions of Disk 2: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 15 GB 16 KB ========================================================= Disk: 2 Partition 1 Type : 0C Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- 
------- --------- -------- * Volume 7 G FAT32 Removable 15 GB Healthy ========================================================= Last Boot: 2012-09-20 21:38 ==================== End Of Log ============================ and search.txt Farbar Recovery Scan Tool (x86) Version: 20-09-2012 Ran by SYSTEM at 2012-09-21 13:05:32 Running from G:\ ================== Search: "services.exe" =================== C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0 C:\Windows\System32\services.exe [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0 C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe [2011-10-07 00:31] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C === End Of Search === I have beaten my system to death with antivirus software and my browser is still redirected, even though I think I've gotten the droppers out of the picture. Help! Thanks in advance for what comes next! FRST.txt Search.txt