jstatham
Honorary Members
Posts: 24

Everything posted by jstatham

  1. Here is the report. I think all the malware is going, but sometimes IE shows "page cannot be displayed".

2012-11-18 16:09:59 . 2012-11-18 16:09:59 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2012-11-17 03:11:58 . 2012-11-17 03:11:58 766 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Octoshape add-in for Adobe Flash Player.reg.dat
2012-11-17 03:11:58 . 2012-11-17 03:11:58 652 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Connect Add-in.reg.dat
2012-11-17 03:11:58 . 2012-11-17 03:11:58 1,342 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Connect 9 Add-in.reg.dat
2012-11-17 03:07:26 . 2012-11-18 16:18:26 17,707 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-11-17 02:58:35 . 2012-11-18 16:08:45 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
  2. I manually deleted the 0 key and it finally works. Now my big question is how in the world did those get added in. Thanks again for all your help.
  3. The registry script would not run; I get an error. But I manually removed it, and I found a bunch more that I think need to be removed. I exported them into the attached reg file. It looks to me like all the paths need to be removed. regfix.txt codeitentifiers.txt
  4. I disabled all startup items and disabled all services. When I rebooted into Windows I still get the same error. I was wondering what would happen if I booted in safe mode and disabled the group policy client. Here is the event viewer log when I click on the Malwarebytes icon. I guess the big question is how do we find the rule? It looks like there is a policy on the path and not the exe. If I rename the Malwarebytes folder it works. Strange.

Access to C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe has been restricted by your Administrator by location with policy rule {3036cfcf-7c01-4800-a2ca-e6a7873107d2} placed on path C:\Program Files (x86)\Malwarebytes' Anti-Malware.
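The event text above is what a Software Restriction Policy (SRP) path rule produces, and the poster's question is how to find the rule behind the GUID. As an added example (not code from the thread, the forum, or Malwarebytes), the PowerShell below enumerates SRP path rules directly from the registry and ties them to the "restricted by your Administrator" Application-log entries. It assumes the SRP layout under `Safer\CodeIdentifiers\<level>\Paths\{GUID}` with the rule's path in the `ItemData` value (the `0` level key is the "Disallowed" level that a later post mentions removing by hand); the level-name table is an assumption, and the product names matched in the warning (Malwarebytes, Avira, Avast, Spybot) are the ones named in this thread. Run it from an elevated PowerShell session on the affected machine.

```powershell
# Added example, not from the thread: list Software Restriction Policy (SRP)
# path rules from the registry and match them against the "restricted by your
# Administrator" events quoted in the post. Run in an elevated PowerShell session.
#
# Assumption (not stated in the thread): SRP stores path rules under
#   <hive>\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
# with the rule's path in the ItemData value. The numeric <level> subkey is the
# security level the rule enforces; 0 is "Disallowed" (the "0 key" in the thread).
$SrpLevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpPathRule {
    # Walk both the machine and the current-user policy hives.
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path -Path $base)) { continue }
        $default = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultLevel

        foreach ($levelKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            # Level subkeys are named after the numeric level (0, 262144, ...).
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
            $level    = [int]$levelKey.PSChildName
            $pathsKey = "$($levelKey.PSPath)\Paths"
            if (-not (Test-Path -Path $pathsKey)) { continue }

            foreach ($rule in Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue) {
                $props = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Hive         = $hive
                    RuleId       = $rule.PSChildName   # the {GUID} an SRP block event quotes
                    Level        = $level
                    LevelName    = $(if ($SrpLevelNames.ContainsKey($level)) { $SrpLevelNames[$level] } else { 'Unknown' })
                    Path         = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
                    Description  = $props.Description
                    DefaultLevel = $default
                }
            }
        }
    }
}

function Get-SrpBlockEvent {
    param([int]$Hours = 24)
    # The post quotes the exact message text, so match on that rather than on an
    # event ID. SRP writes these entries to the Application log.
    $filter = @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*has been restricted by your Administrator*' } |
        ForEach-Object {
            $ruleId = if ($_.Message -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                RuleId  = $ruleId
                Message = $_.Message
            }
        }
}

# --- Report ---
$rules  = @(Get-SrpPathRule)
$events = @(Get-SrpBlockEvent -Hours 72)

"SRP path rules found: $($rules.Count)"
$rules | Sort-Object Level, Path | Format-Table Hive, RuleId, LevelName, Path, Description -AutoSize

# Flag Disallowed rules that cover a security tool's own directory, the pattern in the post.
$rules | Where-Object { $_.Level -eq 0 -and $_.Path -match 'Malwarebytes|Avira|AVAST|Spybot' } |
    ForEach-Object { "WARNING: Disallowed rule $($_.RuleId) covers $($_.Path)" }

# Tie each block event back to the rule that produced it.
foreach ($e in $events) {
    $hit = $rules | Where-Object { $_.RuleId -eq $e.RuleId } | Select-Object -First 1
    if ($hit) {
        "{0}  rule {1}: {2} on '{3}'" -f $e.Time, $e.RuleId, $hit.LevelName, $hit.Path
    } else {
        "{0}  rule {1}: not present in the local Safer keys (may be applied by Group Policy)" -f $e.Time, $e.RuleId
    }
}
```

The script reads the Safer keys rather than the management console view, so a rule that was written straight into the registry still shows up; a GUID from an event that has no matching local key points at a policy delivered from elsewhere (a domain or local GPO), which is the case to check before deleting anything by hand.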
  5. Looks like nothing was found. This is crazy. mbar-log-2012-11-21 (19-29-57).txt system-log.txt
  6. SHA256: ba01b5c7dd7937ff6cec89f47a6213b1328a0bea4683ef66bf0d47be15cc038b
SHA1: cd514a9a366f32c18275e85747bd634d9da210b7
MD5: 5f56064d4f9334fa619f7ba9df2a57d0
File size: 577.9 KB ( 591760 bytes )
File name: 3A4F502390EDB5B3077D09CAAA9BDA00EC0AD3CA.exe
File type: Win32 EXE
Tags: signed
Detection ratio: 3 / 41
Analysis date: 2011-05-23 02:51:11 UTC ( 1 year, 6 months ago )

Antivirus  Result  Update
AhnLab-V3  -  20110522
AntiVir  -  20110523
Antiy-AVL  -  20110523
Avast  -  20110522
Avast5  -  20110522
AVG  Win32/Heur  20110522
BitDefender  -  20110523
CAT-QuickHeal  (Suspicious) - DNAScan  20110522
ClamAV  -  20110523
Commtouch  -  20110522
Comodo  -  20110523
DrWeb  -  20110523
eSafe  -  20110522
eTrust-Vet  -  20110520
F-Prot  -  20110522
Fortinet  -  20110522
GData  -  20110523
Ikarus  -  20110523
Jiangmin  -  20110522
K7AntiVirus  -  20110520
Kaspersky  -  20110523
McAfee  -  20110523
McAfee-GW-Edition  -  20110522
Microsoft  -  20110522
NOD32  -  20110523
Norman  -  20110522
nProtect  -  20110522
Panda  -  20110522
PCTools  -  20110519
Prevx  -  20110523
Rising  Suspicious  20110522
Sophos  -  20110523
SUPERAntiSpyware  -  20110523
Symantec  -  20110523
TheHacker  -  20110520
TrendMicro  -  20110522
TrendMicro-HouseCall  -  20110523
VBA32  -  20110520
VIPRE  -  20110523
ViRobot  -  20110523
VirusBuster  -
  7. I will, but the inquiero.exe is a remote control app we use for remote administration that I have been running for years.
  8. =============== Repairing permissions... ===============
Analyzing security setting differences (This may take several minutes)... Done.
Log saved to: "C:\CAT-Logs\11-20-2012 - 21.48.14.111\SECEDIT - 21.49.08.674.log"
Applying default security settings (This may take several minutes)... Done.
============= Permissions Repair Complete ==============

=============== Repairing explorer shell ===============
Registering acelpdec.ax... Success.
Registering actxprxy.dll... Success.
Registering asctrls.ocx... Success.
Registering daxctle.ocx... Success.
Registering dhtmled.ocx... Success.
Registering hhctrl.ocx... Success.
Registering lcodecx.ax... Success.
Registering licmgr.dll... Success.
Registering mpgds.ax... Success.
Registering msdxm.ocx... Success.
Registering plugin.ocx... Success.
Registering proctexe.ocx... Success.
Registering tdc.ocx... Success.
Registering wshom.ocx... Unable to determine result.
Registering access.cpl... Success.
Registering appwiz.cpl... Success.
Registering desk.cpl... Success.
Registering firewall.cpl... Success.
Registering hdwwiz.cpl... Success.
Registering inetcpl.cpl... Success.
Registering intl.cpl... Success.
Registering nusrmgr.cpl... Success.
Registering netsetup.cpl... Success.
Registering powercfg.cpl... Success.
Registering timedate.cpl... Success.
Registering wuau.cpl... Success.
Registering quartz.dll... Success.
Registering danim.dll... Success.
Registering dxmasf.dll... Success.
Registering dxtmsft.dll... Success.
Registering dxtrans.dll... Success.
Registering sbe.dll... Success.
Registering dxva.dll... Success.
Registering dxmrtp.dll... Success.
Registering dxdiagn.dll... Success.
Registering atl.dll... Success.
Registering corpol.dll... Success.
Registering dispex.dll... Success.
Registering jscript.dll... Success.
Registering scrrun.dll... Success.
Registering scrobj.dll... Success.
Registering vbscript.dll... Success.
Registering wshext.dll... Success.
Registering activeds.dll... Success.
Registering audiodev.dll... Success.
Registering browseui.dll... Success.
Registering browsewm.dll... Success.
Registering cabview.dll... Success.
Registering cdfview.dll... Success.
Registering clbcatex.dll... Success.
Registering clbcatq.dll... Success.
Registering comcat.dll... Success.
Registering cscui.dll... Success.
Registering credui.dll... Success.
Registering datime.dll... Success.
Registering devmgr.dll... Success.
Registering dfsshlex.dll... Unable to determine result.
Registering dmdlgs.dll... Success.
Registering dmdeskmgr.dll... Success.
Registering dmocx.dll... Success.
Registering dmview.ocx... Unable to determine result.
Registering dsuiext.dll... Success.
Registering dsquery.dll... Success.
Registering dskquoiu.dll... Success.
Registering els.dll... Success.
Registering es.dll... Success.
Registering fontext.dll... Success.
Registering hlink.dll... Success.
Registering hnetcfg.dll... Success.
Registering iedkcs.dll... Success.
Registering iepeers.dll... Success.
Registering iesetup.dll... Success.
Registering ils.dll... Success.
Registering imgutil.dll... Success.
Registering inetcfg.dll... Success.
Registering inetcomm.dll... Success.
Registering inseng.dll... Success.
Registering laprxy.dll... Success.
Registering lmrt.dll... Success.
Registering mlang.dll... Success.
Registering mmcndmgr.dll... Unable to determine result.
Registering mmcshext.dll... Success.
Registering mscoree.dll... Success.
Registering mshhtml.dll... Success.
Registering msieftp.dll... Success.
Registering msoe.dll... Success.
Registering msoeacct.dll... Success.
Registering msrc.dll... Success.
Registering msrating.dll... Success.
Registering mydocs.dll... Success.
Registering mstime.dll... Success.
Registering netcfgx.dll... Success.
Registering netplwiz.dll... Success.
Registering netman.dll... Success.
Registering netshell.dll... Success.
Registering ntmsevt.dll... Success.
Registering ntmsmgr.dll... Success.
Registering ntmssvc.dll... Success.
Registering occache.dll... Success.
Registering ole.dll... Success.
Registering oleaut.dll... Success.
Registering oleacc.dll... Success.
Registering olepro.dll... Success.
Registering photowiz.dll... Success.
Registering pngfilt.dll... Success.
Registering remotepg.dll... Success.
Registering rpcrt.dll... Success.
Registering rshx.dll... Success.
Registering sendmail.dll... Success.
Registering slayerxp.dll... Success.
Registering shdocvw.dll... Success.
Registering shsvcs.dll... Success.
Registering srclient.dll... Success.
Registering stobject.dll... Success.
Registering themeui.dll... Success.
Registering twext.dll... Success.
Registering urlmon.dll... Success.
Registering userenv.dll... Success.
Registering webcheck.dll... Success.
Registering webvw.dll... Success.
Registering winhttp.dll... Success.
Registering wininet.dll... Success.
Registering zipfldr.dll... Success.
Registering msdadc.dll... Success.
Registering nsdaenum.dll... Success.
Registering msdaer.dll... Success.
Registering msdaipp.dll... Success.
Registering msdaora.dll... Success.
Registering msdaosp.dll... Success.
Registering msdaps.dll... Success.
Registering msdasc.dll... Success.
Registering msdasql.dll... Success.
Registering msdatt.dll... Success.
Registering msdaurl.dll... Success.
Registering msdmeng.dll... Success.
Registering msdmine.dll... Success.
Registering msjtor.dll... Success.
Registering msmdbc.dll... Success.
Registering msmdgd.dll... Success.
Registering msolap.dll... Success.
Registering msolui.dll... Success.
Registering msxactps.dll... Success.
Registering oledb.dll... Success.
Registering oledbr.dll... Success.
Registering sqloledb.dll... Success.
Registering sqlxmlx.dll... Success.
Writing to registry: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShell"... Successful.
Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\GeneralTab"... Key/Value does not exist.
Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ProgramsTab"... Key/Value does not exist.
Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\SecurityTab"... Key/Value does not exist.
Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ContentTab"... Key/Value does not exist.
Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\PrivacyTab"... Key/Value does not exist.
Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\AdvancedTab"... Key/Value does not exist.
Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ConnectionsTab"... Key/Value does not exist.
Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\GeneralTab"... Key/Value does not exist.
Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ProgramsTab"... Key/Value does not exist.
Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\SecurityTab"... Key/Value does not exist.
Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ContentTab"... Key/Value does not exist.
Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\PrivacyTab"... Key/Value does not exist.
Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\AdvancedTab"... Key/Value does not exist.
Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ConnectionsTab"... Key/Value does not exist.
Killing Explorer shell... Done.
Restarting Explorer shell... Done.
============ Explorer Shell Repair Complete ============
  9. I did everything listed above, and when I restarted I get the same error. The only way I can get the group policy error to not show is in safe mode.
  10. I killed all the processes and the services. To my knowledge all Spybot stuff was shut down. I do not see any app ctrl policies or software restriction policies. I have attached screen shots.
  11. I have attached the screen shots and the errors and log file. I still have the same error. combofixlog2.txt
  12. OK, I did as instructed, and I had to remove Malwarebytes in safe mode. When I ran the utility and then installed, I got the same group policy error when it tried to start. I then ran the ESET scan and it took forever. I have attached the log. Please let me know what to do next. esetlog.txt
  13. I did try a system restore and an uninstall and reinstall of both, and got the same results. Malwarebytes will only run in safe mode, or in regular Windows if I rename the directory. AVIRA will not run regardless because of the group policy. Anyway, here is the log. Thanks again for your help, and I hope you see something. Oh, I almost forgot: I ran the system file checker and everything came back clean.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-11-2012
Ran by SYSTEM at 16-11-2012 08:20:06
Running from J:\
Windows 7 Ultimate N (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16329760 2009-06-16] (NVIDIA Corporation)
HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [93728 2009-06-16] (NVIDIA Corporation)
HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-09] (IDT, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)
HKLM-x32\...\Run: [standby] "c:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe" -START [105632 2010-03-18] (Corel)
HKLM-x32\...\Run: [Firebird] C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbguard.exe -a [81920 2009-07-22] (Firebird Project)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler [2073976 2012-03-14] (Flexera Software LLC.)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [sDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3821592 2012-10-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
HKU\Administrator\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-07] (Google Inc.)
HKU\justin\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-07] (Google Inc.)
HKU\justin\...\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US [4321112 2011-01-05] (AOL Inc.)
HKU\justin\...\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\isuspm.exe -scheduler [2073976 2012-03-14] (Flexera Software LLC.)
HKU\justin\...\Run: [cdloader] "C:\Users\justin\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK [50592 2010-12-03] (magicJack L.P.)
HKU\justin\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59280 2012-08-29] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.28.1.120 10.22.1.29
AppInit_DLLs: C:\Windows\System32\AMInit64.dll
Startup: C:\Users\All Users\Start Menu\Programs\Startup\NTRglobal Console.lnk
ShortcutTarget: NTRglobal Console.lnk -> C:\Program Files (x86)\NTR global\Console\_inquiero.exe (NTR)

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
4 AeXNSClient; C:\Program Files (x86)\Altiris\Altiris Agent\aexnsagent.exe [1401640 2010-03-28] (Altiris, Inc.)
4 AltirisAgentProvider; "C:\Program Files (x86)\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe" [614400 2009-04-22] (Altiris, Inc.)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-10-30] (AVAST Software)
4 awhost32; "C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe" [136568 2010-01-04] (Symantec Corporation)
2 FirebirdGuardianDefaultInstance; "C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe" -s DefaultInstance [98304 2010-09-17] (Firebird Project)
3 FirebirdServerDefaultInstance; "C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe" -s DefaultInstance [3735552 2010-09-17] (Firebird Project)
3 getPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll [44576 2010-05-10] (NOS Microsystems Ltd.)
2 Iap; "C:\Program Files\Dell\OpenManage\Client\Iap.exe" [613288 2010-03-23] (Dell Inc.)
2 MSSQL$SQLSERVER; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLSERVER\MSSQL\Binn\sqlservr.exe" -sSQLSERVER [61916000 2011-04-23] (Microsoft Corporation)
2 NWVZHelper; C:\Program Files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [270848 2010-06-14] (Novatel Wireless Inc.)
3 oad; C:\PROGRA~2\Borland\vbroker\bin\oad.exe [1781248 1998-03-12] ()
3 osagent; C:\PROGRA~2\Borland\vbroker\bin\osagent.exe [193536 1998-03-12] ()
2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1100320 2012-10-24] (Safer-Networking Ltd.)
2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1367576 2012-10-24] (Safer-Networking Ltd.)
2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-10-24] (Safer-Networking Ltd.)
2 softOSD; C:\Program Files (x86)\softOSD\softOSD.exe [284728 2009-12-15] (EnTech Taiwan)
4 SQLAgent$SQLSERVER; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLSERVER\MSSQL\Binn\SQLAGENT.EXE" -i SQLSERVER [428384 2011-04-23] (Microsoft Corporation)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\STacSV64.exe [244736 2010-03-09] (IDT, Inc.)
2 UltiDev Web Server Pro; "C:\Program Files (x86)\UltiDev\Web Server\UltiDev.WebServer.Monitor.exe" [64512 2012-02-25] (UltiDev LLC)
2 UWS HiPriv Services; "C:\Program Files (x86)\UltiDev\Web Server\UWS.HighPrivilegeUtilities.exe" [48128 2012-02-25] (UltiDev LLC)
2 UWS LoPriv Services; "C:\Program Files (x86)\UltiDev\Web Server\UWS.LowPrivilegeUtilities.exe" [44032 2012-02-25] (UltiDev LLC)

==================== Drivers (Whitelisted) =====================

3 61883; C:\Windows\System32\Drivers\61883.sys [60288 2009-07-13] (Microsoft Corporation)
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-10-30] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71600 2012-10-30] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-10-15] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [984144 2012-10-30] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [370288 2012-10-30] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-10-30] (AVAST Software)
1 awecho; C:\Windows\SysWow64\drivers\awechomd.sys [16432 2009-12-02] (Symantec Corporation)
1 AW_HOST; C:\Windows\SysWow64\drivers\aw_host5.sys [23864 2007-03-30] (Symantec Corporation)
3 ISRegFlt; \??\C:\Program Files (x86)\InstallShield\2012\System\ISRegFlt64.sys [39576 2011-08-11] (Flexera Software)
1 omci; C:\Windows\System32\Drivers\omci.sys [26624 2010-03-08] (Dell Inc.)
1 se64a; C:\Windows\System32\Drivers\se64a.sys [14032 2007-05-03] (EnTech Taiwan)
1 se64a; C:\Windows\SysWow64\Drivers\se64a.sys [14032 2007-05-03] (EnTech Taiwan)
3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]
3 xpvcom; C:\Windows\System32\Drivers\xpvcom.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-11-15 09:04 - 2012-11-15 09:04 - 00002981 ____A C:\Users\justin\Desktop\HiJackThis.lnk
2012-11-15 09:04 - 2012-11-15 09:04 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2012-11-15 07:49 - 2012-11-16 04:53 - 00003622 _RASH C:\Users\All Users\ntuser.pol
2012-11-15 06:13 - 2012-11-15 06:27 - 01056768 ____A C:\Users\justin\defltbase.sdb
2012-11-15 04:25 - 2012-11-15 04:25 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-15 04:25 - 2012-11-15 04:25 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-15 04:25 - 2012-09-29 16:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-14 19:00 - 2012-11-16 04:51 - 00000392 ____A C:\Windows\setupact.log
2012-11-14 18:56 - 2012-11-14 18:56 - 00001958 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-11-14 18:56 - 2012-11-14 18:56 - 00000350 ___AH C:\Windows\Tasks\avast! 
Emergency Update.job
2012-11-14 18:56 - 2012-10-30 15:51 - 00984144 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-11-14 18:56 - 2012-10-30 15:51 - 00370288 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-11-14 18:56 - 2012-10-30 15:51 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-11-14 18:56 - 2012-10-30 15:51 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-11-14 18:56 - 2012-10-15 08:59 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____D C:\Program Files\AVAST Software
2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-11-14 18:55 - 2012-10-30 15:51 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-11-14 18:55 - 2012-10-30 15:51 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-11-14 18:55 - 2012-10-30 15:50 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-11-14 18:55 - 2012-10-30 15:50 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-11-14 13:42 - 2012-11-14 14:14 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-11-14 13:42 - 2012-11-14 13:42 - 00002177 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2012-11-14 13:42 - 2012-11-14 13:42 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2012-11-14 13:42 - 2009-01-25 10:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
2012-11-14 04:46 - 2012-11-15 07:22 - 00007554 ____A C:\Windows\PFRO.log
2012-11-14 04:46 - 2012-11-14 04:46 - 00000000 ____A C:\Windows\setuperr.log
2012-11-13 19:49 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Google
2012-11-13 19:49 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Macromedia
2012-11-13 19:48 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2012-11-13 19:48 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2012-11-13 19:48 - 2012-11-13 19:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Mozilla
2012-11-13 19:46 - 2012-11-13 19:56 - 00000000 ____D C:\Users\Administrator\AppData\Local\TSVNCache
2012-11-13 19:46 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Subversion
2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer
2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\ntr
2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\Adobe
2012-11-13 19:45 - 2012-11-13 19:45 - 00000020 __ASH C:\Users\Administrator\ntuser.ini
2012-11-13 19:45 - 2012-11-13 19:45 - 00000000 ___RD C:\Users\Administrator\Virtual Machines
2012-11-13 19:45 - 2012-11-13 19:45 - 00000000 ____D C:\users\Administrator
2012-11-13 19:45 - 2012-03-07 13:17 - 00000000 ____D C:\Users\Administrator\Documents\Visual Studio 2008
2012-11-13 19:45 - 2012-03-07 05:09 - 00000000 ____D C:\Users\Administrator\Documents\Visual Studio 2010
2012-11-13 19:45 - 2012-03-06 05:01 - 00000000 ____D C:\Users\Administrator\Documents\Visual Studio 2005
2012-11-13 19:45 - 2012-03-06 05:01 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
2012-11-13 19:45 - 2010-05-07 11:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
2012-11-13 19:23 - 2012-11-13 19:23 - 00001021 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-11-13 18:04 - 2012-11-14 13:34 - 00000808 ____A C:\rkill.log
2012-11-13 17:54 - 2012-11-13 18:46 - 00000000 ____D C:\Windows\erdnt
2012-11-13 17:34 - 2012-11-16 05:14 - 00000000 ____D C:\removaltools
2012-11-13 17:34 - 2012-11-13 17:34 - 00000000 ____D C:\Users\justin\Documents\My Weblog Posts
2012-11-13 13:25 - 2012-11-13 13:25 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\justin\Downloads\mbam-setup-1.65.1.1000.exe
2012-11-13 08:36 - 2012-11-13 08:36 - 00000000 ____D C:\Users\justin\AppData\Roaming\Scooter Software
2012-11-13 08:36 - 2012-11-13 08:36 - 00000000 ____D C:\Users\justin\AppData\Roaming\Claro
2012-11-13 08:35 - 2012-11-13 08:35 - 05869768 ____A (Scooter Software ) C:\Users\justin\Downloads\BCompare-3.3.5.15075.exe
2012-11-13 08:35 - 2012-11-13 08:35 - 00000000 ____D C:\Users\All Users\Browser Manager
2012-11-13 07:29 - 2012-11-13 07:29 - 04693333 ____A (FileZilla Project) C:\Users\justin\Downloads\FileZilla_3.6.0_win32-setup.exe
2012-11-12 08:06 - 2012-11-12 08:08 - 00000000 ____D C:\medicalplan
2012-11-08 06:38 - 2012-11-08 06:38 - 00001845 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-11-08 06:38 - 2012-11-08 06:38 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-11-08 06:34 - 2012-11-08 06:34 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-11-08 06:34 - 2012-08-21 10:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-11-08 06:32 - 2012-11-08 06:34 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-11-08 06:32 - 2012-11-08 06:34 - 00000000 ____D C:\Program Files\iTunes
2012-11-08 06:32 - 2012-11-08 06:32 - 00000000 ____D C:\Program Files\iPod
2012-11-06 07:51 - 2012-11-06 07:51 - 00000000 ____D C:\Users\justin\AppData\Roaming\smkits
2012-11-05 08:59 - 2012-11-05 08:59 - 00079360 ____A (WANGXUEFENG, CHANGZHOU,JIANGSU province) C:\Windows\System32\dxdiinfo64.dll
2012-10-30 12:00 - 2012-10-30 12:00 - 00000000 ____D C:\Users\justin\Documents\host[1]
2012-10-25 00:12 - 2012-10-25 00:12 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2012-10-25 00:12 - 2012-10-25 00:12 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2012-10-23 10:43 - 2012-10-23 12:36 - 00000533 ____A C:\Users\justin\Desktop\QESettings.xml
2012-10-17 08:30 - 2012-10-17 08:30 - 00002758 ____A C:\Users\justin\Desktop\Microsoft SQL Server 2012 Update for Developers Training Kit.lnk
2012-10-17 08:29 - 2012-10-17 08:30 - 00000000 ____D C:\SQL2012UpdateForDevsTrainingKit

==================== One Month Modified Files and Folders =======

2012-11-16 08:19 - 2012-11-16 08:19 - 00000000 ____D C:\FRST
2012-11-16 05:16 - 2012-04-05 04:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-16 05:16 - 2010-08-03 09:59 - 00000000 ____D C:\Users\justin\AppData\Local\TSVNCache
2012-11-16 05:16 - 2010-04-23 05:33 - 01311694 ____A C:\Windows\WindowsUpdate.log
2012-11-16 05:14 - 2012-11-13 17:34 - 00000000 ____D C:\removaltools
2012-11-16 05:13 - 2009-07-13 20:50 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-16 05:13 - 2009-07-13 20:50 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-16 05:12 - 2010-12-29 08:34 - 00105472 ____A C:\Users\justin\Documents\JustinProgressChart.xls
2012-11-16 05:11 - 2009-07-13 21:12 - 00984700 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-16 05:00 - 2010-05-07 09:52 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-16 04:53 - 2012-11-15 07:49 - 00003622 _RASH C:\Users\All Users\ntuser.pol
2012-11-16 04:51 - 2012-11-14 19:00 - 00000392 ____A C:\Windows\setupact.log
2012-11-16 04:51 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-15 13:28 - 2011-09-27 07:16 - 00000000 ____D C:\Users\All Users\firebird
2012-11-15 12:47 - 2010-05-07 09:52 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-15 09:04 - 2012-11-15 09:04 - 00002981 ____A C:\Users\justin\Desktop\HiJackThis.lnk
2012-11-15 09:04 - 2012-11-15 09:04 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2012-11-15 07:57 - 2011-10-18 08:16 - 00000000 ____D C:\7.6
2012-11-15 07:54 - 2012-06-28 11:47 - 00000000 ____D C:\7.7
2012-11-15 07:22 - 2012-11-14 04:46 - 00007554 ____A C:\Windows\PFRO.log
2012-11-15 07:10 - 2010-12-13 12:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-11-15 06:27 - 2012-11-15 06:13 - 01056768 ____A C:\Users\justin\defltbase.sdb
2012-11-15 06:13 - 2010-04-23 05:33 - 00000000 ____D C:\users\justin
2012-11-15 04:25 - 2012-11-15 04:25 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-15 04:25 - 2012-11-15 04:25 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-14 18:56 - 2012-11-14 18:56 - 00001958 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-11-14 18:56 - 2012-11-14 18:56 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____D C:\Program Files\AVAST Software
2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-11-14 14:14 - 2012-11-14 13:42 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-11-14 13:42 - 2012-11-14 13:42 - 00002177 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2012-11-14 13:42 - 2012-11-14 13:42 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2012-11-14 13:34 - 2012-11-13 18:04 - 00000808 ____A C:\rkill.log
2012-11-14 12:22 - 2010-06-12 13:39 - 00000000 ____D C:\Users\justin\AppData\Local\Apps\2.0
2012-11-14 12:22 - 2009-07-13 20:50 - 00578032 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-14 07:07 - 2010-12-14 12:43 - 00000000 ____D C:\spywaretools
2012-11-14 04:46 - 2012-11-14 04:46 - 00000000 ____A C:\Windows\setuperr.log
2012-11-14 02:40 - 2011-01-27 05:58 - 00000000 ____D C:\Program Files (x86)\IdentaFone Software
2012-11-13 19:56 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\TSVNCache
2012-11-13 19:49 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Google
2012-11-13 19:49 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Macromedia
2012-11-13 19:49 - 2012-11-13 19:48 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2012-11-13 19:49 - 2012-11-13 19:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2012-11-13 19:49 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2012-11-13 19:48 - 2012-11-13 19:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Mozilla
2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Subversion
2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer
2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\ntr
2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\Adobe
2012-11-13 19:45 - 2012-11-13 19:45 - 00000020 __ASH C:\Users\Administrator\ntuser.ini
2012-11-13 19:45 - 2012-11-13 19:45 - 00000000 ___RD C:\Users\Administrator\Virtual Machines
2012-11-13 19:45 - 2012-11-13 19:45 - 00000000 ____D C:\users\Administrator
2012-11-13 19:25 - 2010-10-04 12:19 - 00000000 ____D C:\Users\justin\AppData\Roaming\FileZilla
2012-11-13 19:24 - 2010-04-23 09:15 - 00000000 ____D C:\Windows\Panther
2012-11-13 19:23 - 2012-11-13 19:23 - 00001021 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-11-13 19:23 - 2010-12-14 12:48 - 00000000 ____D C:\Program Files (x86)\CCleaner
2012-11-13 18:54 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2012-11-13 18:46 - 2012-11-13 17:54 - 00000000 ____D C:\Windows\erdnt
2012-11-13 18:37 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-11-13 17:34 - 2012-11-13 17:34 - 00000000 ____D C:\Users\justin\Documents\My Weblog Posts
2012-11-13 17:34 - 2011-10-20 05:22 - 00000000 ____D C:\Users\justin\AppData\Local\Windows Live Writer
2012-11-13 14:41 - 2010-11-03 12:49 - 00000000 ____D C:\8.0
2012-11-13 13:25 - 2012-11-13 13:25 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\justin\Downloads\mbam-setup-1.65.1.1000.exe
2012-11-13 09:29 - 2012-05-21 04:19 - 00000000 ____D C:\8.0 NET
2012-11-13 08:36 - 2012-11-13 08:36 - 00000000 ____D C:\Users\justin\AppData\Roaming\Scooter Software
2012-11-13 08:36 - 2012-11-13 08:36 - 00000000 ____D C:\Users\justin\AppData\Roaming\Claro
2012-11-13 08:35 - 2012-11-13 08:35 - 05869768 ____A (Scooter Software ) C:\Users\justin\Downloads\BCompare-3.3.5.15075.exe
2012-11-13 08:35 - 2012-11-13 08:35 - 00000000 ____D C:\Users\All Users\Browser Manager
2012-11-13 07:29 - 2012-11-13 07:29 - 04693333 ____A (FileZilla Project) C:\Users\justin\Downloads\FileZilla_3.6.0_win32-setup.exe
2012-11-13 07:29 - 2010-10-04 12:19 - 00000000 ____D C:\Program Files (x86)\FileZilla FTP Client
2012-11-12 08:08 - 2012-11-12 08:06 - 00000000 ____D C:\medicalplan
2012-11-12 06:02 - 2010-05-10 06:49 - 00000000 ____D C:\tempsp
2012-11-09 05:07 - 2011-09-01 11:52 - 00000000 ____D C:\calls
2012-11-08 13:36 - 2011-07-07 05:33 - 00000000 ____D C:\justin
2012-11-08 08:07 - 2012-02-16 07:31 - 00000600 ____A C:\Users\justin\AppData\Roaming\winscp.rndx
2012-11-08 07:55 - 2012-09-11 08:10 - 00000000 ____D C:\aaa
2012-11-08 07:17 - 2012-02-13 12:06 - 00000000 ____D C:\iphonejailbreak
2012-11-08 06:38 - 2012-11-08 06:38 - 00001845 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-11-08 06:38 - 2012-11-08 06:38 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-11-08 06:34 - 2012-11-08 06:34 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-11-08 06:34 - 2012-11-08 06:32 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-11-08 06:34 - 2012-11-08 06:32 - 00000000 ____D C:\Program Files\iTunes
2012-11-08 06:34 - 2012-07-16 08:01 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-11-08 06:32 - 2012-11-08 06:32 - 00000000 ____D C:\Program Files\iPod
2012-11-07 08:51 - 2010-04-28 07:25 - 00175272 ____A C:\Users\justin\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-07 07:39 - 2010-06-15 05:33 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-07 05:48 - 2012-09-12 04:21 - 00002378 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-06 07:51 - 2012-11-06 07:51 - 00000000 ____D C:\Users\justin\AppData\Roaming\smkits
2012-11-05 08:59 - 2012-11-05 08:59 - 00079360 ____A (WANGXUEFENG, CHANGZHOU,JIANGSU province) C:\Windows\System32\dxdiinfo64.dll
2012-11-01 11:45 - 2012-04-09 05:08 - 00025088 ____A C:\Users\justin\Documents\daddyloangood.xls
2012-10-31 10:20 - 2010-05-14 05:21 - 00000000 ____D C:\Users\justin\AppData\Local\Downloaded Installations
2012-10-31 05:46 - 2010-07-28 06:20 - 00000000 ____D C:\mitchell
2012-10-30 15:51 - 2012-11-14 18:56 - 00984144 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-10-30 15:51 - 2012-11-14 18:56 - 00370288 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-10-30 15:51 - 2012-11-14 18:56 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-10-30 15:51 - 2012-11-14 18:56 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-10-30 15:51 - 2012-11-14 18:55 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-10-30 15:51 - 2012-11-14 18:55 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-10-30 15:50 - 2012-11-14 18:55 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-10-30 15:50 - 2012-11-14 18:55 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-10-30 12:00 - 2012-10-30 12:00 - 00000000 ____D C:\Users\justin\Documents\host[1]
2012-10-30 11:30 - 2010-05-10 06:49 - 00000000 ____D C:\Program Files (x86)\napa
2012-10-26 11:39 - 2012-04-27 06:11 - 18722816 ____A C:\Users\justin\Documents\tracs7.6blank.mdb
2012-10-25 00:12 - 2012-10-25 00:12 - 00094208 ____A
(Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx 2012-10-25 00:12 - 2012-10-25 00:12 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts 2012-10-24 11:55 - 2010-05-12 04:50 - 00000000 ____D C:\Delphi DevEnv 2012-10-23 12:36 - 2012-10-23 10:43 - 00000533 ____A C:\Users\justin\Desktop\QESettings.xml 2012-10-23 12:36 - 2010-06-15 05:43 - 00000000 ____D C:\Users\justin\Documents\SQL Server Management Studio 2012-10-23 04:44 - 2010-08-19 11:54 - 00000000 ____D C:\bob hammer 2012-10-17 08:30 - 2012-10-17 08:30 - 00002758 ____A C:\Users\justin\Desktop\Microsoft SQL Server 2012 Update for Developers Training Kit.lnk 2012-10-17 08:30 - 2012-10-17 08:29 - 00000000 ____D C:\SQL2012UpdateForDevsTrainingKit 2012-10-17 06:02 - 2012-02-28 05:33 - 00000000 ____D C:\recovermyfiles ==================== Known DLLs (Whitelisted) ================= ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2012-10-30 06:00:06 Restore point made on: 2012-10-30 06:01:14 Restore point made on: 2012-10-30 06:02:30 Restore point made on: 2012-10-30 06:04:35 Restore point made on: 2012-11-07 07:35:49 Restore 
point made on: 2012-11-13 16:24:18 Restore point made on: 2012-11-15 09:03:55 Restore point made on: 2012-11-16 04:59:13 ==================== Memory info =========================== Percentage of memory in use: 10% Total physical RAM: 8179.89 MB Available physical RAM: 7310.24 MB Total Pagefile: 8178.04 MB Available Pagefile: 7298.8 MB Total Virtual: 8192 MB Available Virtual: 8191.9 MB ==================== Partitions ============================= 1 Drive c: () (Fixed) (Total:465.66 GB) (Free:51.27 GB) NTFS 7 Drive j: () (Removable) (Total:0.94 GB) (Free:0.03 GB) FAT 8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS 9 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)] Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 465 GB 0 B Disk 1 No Media 0 B 0 B Disk 2 No Media 0 B 0 B Disk 3 No Media 0 B 0 B Disk 4 No Media 0 B 0 B Disk 5 Online 967 MB 0 B Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 100 MB 1024 KB Partition 2 Primary 465 GB 101 MB ================================================================================== Disk: 0 Partition 1 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 Y System Rese NTFS Partition 100 MB Healthy ========================================================= Disk: 0 Partition 2 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 C NTFS Partition 465 GB Healthy ========================================================= Partitions of Disk 5: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 966 MB 764 KB 
================================================================================== Disk: 5 Partition 1 Type : 06 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 7 J FAT Removable 966 MB Healthy ========================================================= Last Boot: 2012-11-06 06:39 ==================== End Of Log ============================= FRST.txt
  14. I downloaded a program called beyond repair from CNET 2 days ago and my system has not been the same since. I believe I have removed all the infections using Malwarebytes (in safe mode), HijackThis, CCleaner, rkill, Spybot, etc. I have googled and tried everything I could find, but here is the current state of my machine. If I try and run Malwarebytes I get an error stating that "This Program is Blocked by Group Policy". I then check the event viewer and see this: "Access to C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe has been restricted by your Administrator by location with policy rule {3036cfcf-7c01-4800-a2ca-e6a7873107d2} placed on path C:\Program Files (x86)\Malwarebytes' Anti-Malware." I have googled and looked and I cannot find anywhere on my system where I have a group policy. I know for a fact I did not add one. I also get the same error when I try and start the Avira control panel. If I rename C:\Program Files (x86)\Malwarebytes' Anti-Malware to C:\Program Files (x86)\Malwarebytes' Anti-Malware1 and run the exe, it runs fine and does not find or detect anything. It also works in safe mode. I also found online a command option to reset all your group policies back to default and I still get the error. I am not a member of a domain. Whatever virus or spyware that was on my system found I was running Malwarebytes and Avira and added a rule somewhere that I cannot remove. I have also tried the Avira rescue disk as well as loaded Avast and performed a boot scan and found nothing. I am not sure what to try next; any help will be greatly appreciated. I attached my HijackThis log and screen shots. My user is the Administrator and I also get the same error if I log in and use the Windows default Admin account.

hijackthis.log
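The "restricted by your Administrator by location with policy rule {GUID} placed on path ..." text quoted in this post is the Software Restriction Policy (SRP) event, and a local SRP rule is a registry key, not a domain policy, which is why it can survive a Group Policy reset. The PowerShell below is an added example, not code from the original post or from Malwarebytes, for listing those rules and finding the one that covers mbam.exe. It assumes SRP path rules sit under HKLM and HKCU at SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}, with the rule's path in the ItemData value, and that the {GUID} subkey name is the "policy rule" the event quotes; the function names Get-SrpPathRule, Find-SrpRuleForPath and Remove-SrpPathRule are the example's own.

```powershell
# Added example (not from the original post): enumerate Software Restriction Policy
# (SRP) path rules and report which ones cover a given executable.
# Assumption: rules live under ...\Safer\CodeIdentifiers\<level>\Paths\{GUID}, with the
# path in ItemData; the {GUID} is the "policy rule" named in the event log entry.
# Run from an elevated PowerShell session.

$SrpLevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpPathRule {
    # Both the machine hive and the current user's hive can carry SRP rules.
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $root)) { continue }
        foreach ($levelKey in Get-ChildItem $root) {
            $level = $levelKey.PSChildName -as [int]   # level subkeys are named by number
            if ($null -eq $level) { continue }
            $pathsKey = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem $pathsKey) {
                # Read ItemData unexpanded so %VAR% and %HKEY_...% references stay visible.
                $raw = $rule.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
                [pscustomobject]@{
                    Hive   = $hive
                    Level  = if ($SrpLevelNames.ContainsKey($level)) { $SrpLevelNames[$level] } else { $level }
                    RuleId = $rule.PSChildName          # {GUID} quoted in the event log entry
                    Path   = [string]$raw
                    Key    = $rule.Name                 # full registry key, used for removal
                }
            }
        }
    }
}

function Find-SrpRuleForPath {
    # Returns the rules whose path covers $Target: an exact or wildcard match, or a
    # folder rule that contains it. Registry-path rules (%HKEY_...%) are not resolved
    # here and simply will not match; inspect those by hand.
    param([Parameter(Mandatory)][string]$Target)
    $t = $Target.TrimEnd('\')
    Get-SrpPathRule | Where-Object {
        $p = [Environment]::ExpandEnvironmentVariables($_.Path).TrimEnd('\')
        if ($p -eq '') { return $false }
        ($t -like $p) -or ($t -like "$p\*")
    }
}

function Remove-SrpPathRule {
    # Deletes a rule key returned by Get-SrpPathRule / Find-SrpRuleForPath. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Key)
    process {
        if ($PSCmdlet.ShouldProcess($Key, 'Remove SRP path rule')) {
            Remove-Item -Path "Registry::$Key" -Recurse
        }
    }
}

# Usage with the path from the event log entry quoted in the post:
$blocked = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe"
Find-SrpRuleForPath $blocked | Format-Table Hive, Level, RuleId, Path -AutoSize

# Review the output first, then remove only the rule whose RuleId matches the event,
# dropping -WhatIf once you are sure:
#   Find-SrpRuleForPath $blocked | Remove-SrpPathRule -WhatIf
```

Compare the RuleId column against the GUID in the event before deleting anything, and list all levels rather than only Disallowed: a rule that blocks by folder will show the folder path, which is why renaming the directory sidesteps it. If the same key reappears after removal and a reboot, something still running on the machine is recreating it, and that component is the thing to find next.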