Posts posted by s4boost

  1. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Junkware Removal Tool (JRT) by Thisisu

    Version: 4.4.6 (01.20.2013:1)

    OS: Windows 7 Home Premium x64

    Ran by Owner on Mon 01/21/2013 at 10:28:10.24

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ~~~ Services

    ~~~ Registry Values

    Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{5911488e-9d1e-40ec-8cbb-06b231cc153f}

    Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope

    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope

    Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope

    Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope

    Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope

    Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope

    Successfully repaired: [Registry Value] hkey_users\S-1-5-21-3673983807-3235450318-3143369733-1000\software\microsoft\internet explorer\searchscopes\\DefaultScope

    ~~~ Registry Keys

    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\yontooieclient.api

    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\yontooieclient.api.1

    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\zgclnt.mngr

    Successfully deleted: [Registry Key] hkey_local_machine\software\classes\zgclnt.mngr.1

    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{5911488e-9d1e-40ec-8cbb-06b231cc153f}

    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{6e13d095-45c3-4271-9475-f3b48227dd9f}

    Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{6e13d095-45c3-4271-9475-f3b48227dd9f}

    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{fd72061e-9fde-484d-a58a-0bab4151cad8}

    Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{fd72061e-9fde-484d-a58a-0bab4151cad8}

    ~~~ Files

    ~~~ Folders

    ~~~ Event Viewer Logs were cleared

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Scan was completed on Mon 01/21/2013 at 10:34:12.15

    End of JRT log

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    # AdwCleaner v2.107 - Logfile created 01/21/2013 at 10:40:45

    # Updated 21/01/2013 by Xplode

    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

    # User : Owner - OWNER-PC

    # Boot Mode : Normal

    # Running from : C:\Users\Owner\Desktop\adwcleaner.exe

    # Option [Delete]

    ***** [services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****

    Key Deleted : HKCU\Software\InstallCore

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5911488E-9D1E-40EC-8CBB-06B231CC153F}

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13D095-45C3-4271-9475-F3B48227DD9F}

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5911488E-9D1E-40EC-8CBB-06B231CC153F}

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13D095-45C3-4271-9475-F3B48227DD9F}

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7E8A36EA-2501-4ED3-A3C8-CFA9143FB169}

    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}

    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{FAA8C612-F1B6-461B-8B60-B54D74D9642E}

    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{38BF9661-BDA0-4A74-BB3B-576EC7AE16DC}

    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6857AC4A-95B4-4E2C-B2D2-8A235FCCEF4A}

    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E65F40C8-3CEB-47C2-9E01-BF73323DF4E7}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartNow Toolbar

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E65F40C8-3CEB-47C2-9E01-BF73323DF4E7}

    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

    ***** [internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16457

    [OK] Registry is clean.

    *************************

    AdwCleaner[s1].txt - [3721 octets] - [21/01/2013 10:40:45]

    ########## EOF - C:\AdwCleaner[s1].txt - [3781 octets] ##########

    Malwarebytes Anti-Malware (Trial) 1.70.0.1100

    www.malwarebytes.org

    Database version: v2013.01.21.06

    Windows 7 Service Pack 1 x64 NTFS

    Internet Explorer 9.0.8112.16421

    Owner :: OWNER-PC [administrator]

    Protection: Enabled

    1/21/2013 10:45:53 AM

    mbam-log-2013-01-21 (10-45-53).txt

    Scan type: Quick scan

    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

    Scan options disabled: P2P

    Objects scanned: 253859

    Time elapsed: 3 minute(s), 27 second(s)

    Memory Processes Detected: 0

    (No malicious items detected)

    Memory Modules Detected: 0

    (No malicious items detected)

    Registry Keys Detected: 0

    (No malicious items detected)

    Registry Values Detected: 2

    HKCU\SOFTWARE|24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Data: -> Quarantined and deleted successfully.

    HKCU\SOFTWARE|7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Data: -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0

    (No malicious items detected)

    Files Detected: 1

    C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.

    (end)

  2. ComboFix log!!!!!

    ComboFix 13-01-17.04 - Owner 01/20/2013 23:31:10.1.4 - x64

    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2381 [GMT -6:00]

    Running from: c:\users\Owner\Desktop\ComboFix.exe

    AV: Titanium *Enabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}

    SP: Titanium *Enabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167}

    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    * Created a new restore point

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\program files (x86)\StartNow Toolbar

    c:\program files (x86)\StartNow Toolbar\Reactivate.exe

    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_images.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_maps.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_news.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_videos.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_web.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_games.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_msn.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_travel.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png

    c:\program files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png

    c:\program files (x86)\StartNow Toolbar\Resources\installer.xml

    c:\program files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\separator.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\splitter.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png

    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png

    c:\program files (x86)\StartNow Toolbar\Resources\toolbar.xml

    c:\program files (x86)\StartNow Toolbar\Resources\update.xml

    c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe

    c:\program files (x86)\StartNow Toolbar\Toolbar32.dll

    c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe

    c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe

    c:\program files (x86)\StartNow Toolbar\uninstall.dat

    c:\program files (x86)\StartNow Toolbar\XBrowser.dll

    c:\programdata\Microsoft\Windows\DRM\2AF6.tmp

    c:\programdata\Microsoft\Windows\DRM\2B06.tmp

    c:\programdata\Microsoft\Windows\DRM\3346.tmp

    c:\programdata\Microsoft\Windows\DRM\3366.tmp

    c:\programdata\Microsoft\Windows\DRM\C428.tmp

    c:\programdata\Microsoft\Windows\DRM\C439.tmp

    c:\programdata\Microsoft\Windows\DRM\D73.tmp

    c:\users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8F667EE3-23EF-4821-A3E8-E7C89F4359E0}.xps

    c:\users\Owner\AppData\Roaming\skype.dat

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    -------\Service_Updater Service for StartNow Toolbar

    -------\Service_Updater Service for StartNow Toolbar

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-12-21 to 2013-01-21 )))))))))))))))))))))))))))))))

    .

    .

    2013-01-21 06:30 . 2013-01-21 06:30 -------- d-----w- C:\FRST

    2013-01-21 04:06 . 2013-01-21 04:06 32152 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys

    2013-01-21 04:06 . 2013-01-21 04:06 -------- d-----w- c:\program files\HitmanPro

    2013-01-21 04:06 . 2013-01-21 04:06 -------- d-----w- c:\programdata\HitmanPro

    2013-01-09 00:53 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll

    2013-01-09 00:42 . 2013-01-09 00:42 -------- d-----w- c:\users\Mallory\AppData\Roaming\Publish Providers

    2013-01-09 00:42 . 2013-01-09 00:42 -------- d-----w- c:\users\Mallory\AppData\Roaming\Sony

    2013-01-09 00:42 . 2013-01-09 00:42 -------- d-----w- c:\users\Mallory\AppData\Local\Sony

    2012-12-27 05:27 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

    2012-12-27 05:27 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

    2012-12-27 05:27 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

    2012-12-27 05:27 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2013-01-09 04:14 . 2010-07-28 02:25 67599240 ----a-w- c:\windows\system32\MRT.exe

    2012-11-30 04:45 . 2013-01-09 00:53 44032 ----a-w- c:\windows\apppatch\acwow64.dll

    2012-11-26 02:26 . 2012-11-26 02:26 998456 ----a-w- c:\programdata\Microsoft\Windows\DRM\install_flashplayer.exe

    2012-11-14 07:06 . 2012-12-14 04:34 17811968 ----a-w- c:\windows\system32\mshtml.dll

    2012-11-14 06:32 . 2012-12-14 04:34 10925568 ----a-w- c:\windows\system32\ieframe.dll

    2012-11-14 06:11 . 2012-12-14 04:34 2312704 ----a-w- c:\windows\system32\jscript9.dll

    2012-11-14 06:04 . 2012-12-14 04:34 1346048 ----a-w- c:\windows\system32\urlmon.dll

    2012-11-14 06:04 . 2012-12-14 04:34 1392128 ----a-w- c:\windows\system32\wininet.dll

    2012-11-14 06:02 . 2012-12-14 04:34 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

    2012-11-14 06:02 . 2012-12-14 04:34 237056 ----a-w- c:\windows\system32\url.dll

    2012-11-14 05:59 . 2012-12-14 04:34 85504 ----a-w- c:\windows\system32\jsproxy.dll

    2012-11-14 05:58 . 2012-12-14 04:34 816640 ----a-w- c:\windows\system32\jscript.dll

    2012-11-14 05:57 . 2012-12-14 04:34 599040 ----a-w- c:\windows\system32\vbscript.dll

    2012-11-14 05:57 . 2012-12-14 04:34 173056 ----a-w- c:\windows\system32\ieUnatt.exe

    2012-11-14 05:55 . 2012-12-14 04:34 2144768 ----a-w- c:\windows\system32\iertutil.dll

    2012-11-14 05:55 . 2012-12-14 04:34 729088 ----a-w- c:\windows\system32\msfeeds.dll

    2012-11-14 05:53 . 2012-12-14 04:34 96768 ----a-w- c:\windows\system32\mshtmled.dll

    2012-11-14 05:52 . 2012-12-14 04:34 2382848 ----a-w- c:\windows\system32\mshtml.tlb

    2012-11-14 05:46 . 2012-12-14 04:34 248320 ----a-w- c:\windows\system32\ieui.dll

    2012-11-14 02:09 . 2012-12-14 04:34 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll

    2012-11-14 01:58 . 2012-12-14 04:34 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

    2012-11-14 01:57 . 2012-12-14 04:34 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

    2012-11-14 01:49 . 2012-12-14 04:34 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

    2012-11-14 01:48 . 2012-12-14 04:34 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

    2012-11-14 01:44 . 2012-12-14 04:34 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

    2012-11-09 05:45 . 2012-12-13 02:57 2048 ----a-w- c:\windows\system32\tzres.dll

    2012-11-09 04:42 . 2012-12-13 02:57 2048 ----a-w- c:\windows\SysWow64\tzres.dll

    2012-11-02 05:59 . 2012-12-13 02:56 478208 ----a-w- c:\windows\system32\dpnet.dll

    2012-11-02 05:11 . 2012-12-13 02:56 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

    2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

    2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

    2001-05-24 18:59 . 2011-10-10 13:35 162304 ----a-w- c:\program files (x86)\UNWISE.EXE

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

    2011-07-22 23:53 787744 ----a-w- c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient.dll

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-04 39408]

    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]

    "Facebook Update"="c:\users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-08-22 138096]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

    "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]

    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]

    "HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-06-14 587320]

    .

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

    NAC Assessment Agent.lnk - c:\program files (x86)\Enterasys Networks\NAC Agent\NacAgent.exe [2011-5-24 18162552]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "ConsentPromptBehaviorAdmin"= 5 (0x5)

    "ConsentPromptBehaviorUser"= 3 (0x3)

    "EnableUIADesktopToggle"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

    @=""

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

    @=""

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

    2011-03-30 04:59 937920 ----a-w- c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

    2011-09-07 22:58 37296 ----a-w- c:\program files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EgisTecPMMUpdate]

    2009-12-09 02:35 401192 ----a-w- c:\program files (x86)\EgisTec IPS\PmmUpdate.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EgisUpdate]

    2009-12-09 02:35 201512 ----a-w- c:\program files (x86)\EgisTec IPS\EgisUpdate.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

    2008-12-08 21:50 54576 ----a-w- c:\program files (x86)\Hp\HP Software Update\hpwuschd2.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VitaKeyTSR]

    2010-02-04 21:39 379248 ----a-w- c:\program files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisTSR.exe

    .

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]

    R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]

    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]

    R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2012-09-28 51712]

    R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2013-01-21 32152]

    R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-05 346144]

    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]

    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]

    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-28 1255736]

    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]

    S1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [2009-11-11 20056]

    S1 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2012-09-25 77184]

    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-03-03 89600]

    S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]

    S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-02-26 127984]

    S2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-04-01 338168]

    S2 EgisTec Service;EgisTec Service;c:\program files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe [2010-02-04 689008]

    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 30520]

    S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-06-14 26680]

    S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]

    S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-08-25 2320920]

    S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-23 2192176]

    S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-08-25 158976]

    S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-01-25 287232]

    .

    .

    --- Other Services/Drivers In Memory ---

    .

    *NewlyCreated* - WS2IFSL

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2013-01-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3673983807-3235450318-3143369733-1000Core.job

    - c:\users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-06 05:03]

    .

    2013-01-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3673983807-3235450318-3143369733-1000UA.job

    - c:\users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-06 05:03]

    .

    2013-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-04 05:42]

    .

    2013-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-04 05:42]

    .

    2013-01-19 c:\windows\Tasks\HPCeeScheduleForOwner.job

    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 04:15]

    .

    .

    --------- X64 Entries -----------

    .

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-03 525312]

    "Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-09-08 1304824]

    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]

    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]

    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]

    "AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2012-09-28 324096]

    "Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 213824]

    .

    ------- Supplementary Scan -------

    .

    uLocal Page = c:\windows\system32\blank.htm

    mLocal Page = c:\windows\SysWOW64\blank.htm

    uInternet Settings,ProxyOverride = <local>;*.local

    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000

    IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105

    TCP: DhcpNameServer = 192.168.1.254

    .

    - - - - ORPHANS REMOVED - - - -

    .

    BHO-{6E13D095-45C3-4271-9475-F3B48227DD9F} - c:\program files (x86)\StartNow Toolbar\Toolbar32.dll

    Toolbar-{5911488E-9D1E-40ec-8CBB-06B231CC153F} - c:\program files (x86)\StartNow Toolbar\Toolbar32.dll

    Wow6432Node-HKCU-Run-MobileDocuments - c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe

    Wow6432Node-HKLM-Run-StartNowToolbarHelper - c:\program files (x86)\StartNow Toolbar\ToolbarHelper.exe

    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

    AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe

    AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe

    AddRemove-Game Organizer - c:\programdata\Easybits GO\EasyBitsGO.exe

    .

    .

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

    @Denied: (A 2) (Everyone)

    @="Shockwave Flash Object"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

    "ThreadingModel"="Apartment"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

    @="0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

    @="ShockwaveFlash.ShockwaveFlash.10"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

    @="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

    @="ShockwaveFlash.ShockwaveFlash"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

    @Denied: (A 2) (Everyone)

    @="Macromedia Flash Factory Object"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

    "ThreadingModel"="Apartment"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

    @="FlashFactory.FlashFactory.1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

    @="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

    @="FlashFactory.FlashFactory"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

    @Denied: (A) (Everyone)

    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

    @Denied: (A) (Everyone)

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

    "Key"="ActionsPane3"

    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

    @Denied: (Full) (Everyone)

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

    .

    **************************************************************************

    .

    Completion time: 2013-01-20 23:46:11 - machine was rebooted

    ComboFix-quarantined-files.txt 2013-01-21 05:46

    .

    Pre-Run: 387,769,528,320 bytes free

    Post-Run: 390,775,033,856 bytes free

    .

    - - End Of File - - 80F016918C4044E9CC6F7FDBD20673B3

  3. Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-01-2013

    Ran by SYSTEM at 2013-01-20 23:13:09 Run:1

    Running from H:\

    ==============================================

    HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Services Host Value deleted successfully.

    HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\scasim Value deleted successfully.

    HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\rtnmdn Value deleted successfully.

    HKEY_USERS\Owner\Software\Microsoft\Windows\CurrentVersion\Run\\rlads Value deleted successfully.

    HKEY_USERS\Owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

    C:\Users\Owner\AppData\Roaming\skype.ini moved successfully.

    C:\Users\Owner\AppData\Local\6b358416-a8df-49ee-aa2c-12f27a870976.crx moved successfully.

    C:\Users\Owner\AppData\Roaming\rtnmdn.dll moved successfully.

    C:\Users\Owner\AppData\Roaming\rlads.dll moved successfully.

    C:\Users\Owner\AppData\Roaming\scasim.dll moved successfully.

    C:\$Recycle.Bin\S-1-5-21-3673983807-3235450318-3143369733-1000\$945a142a35f2173872f4953050c7916d moved successfully.

    C:\$Recycle.Bin\S-1-5-18\$945a142a35f2173872f4953050c7916d moved successfully.

    ==== End of Fixlog ====

  4. Farbar Recovery Scan Tool (x64) Version: 21-01-2013

    Ran by SYSTEM at 2013-01-20 22:54:00

    Running from H:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe

    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======

  5. I have a friend's laptop at the moment that has one of the MoneyPak viruses. When I boot in safe mode the computer reboots itself after about 30 seconds. After doing some research I decided to go ahead and prepare a log. Thanks in advance for the help.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-01-2013

    Ran by SYSTEM at 20-01-2013 22:31:11

    Running from H:\

    Windows 7 Home Premium (X64) OS Language: English(US)

    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)

    HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-03-02] (IDT, Inc.)

    HKLM\...\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL "" [1304824 2012-09-08] (Trend Micro Inc.)

    HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2012-09-27] (Alcor Micro Corp.)

    HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [213824 2012-02-27] (Trend Micro Inc.)

    HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)

    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)

    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)

    HKLM-x32\...\Run: [startNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe" [x]

    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)

    HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)

    HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [587320 2011-06-14] (Hewlett-Packard Development Company, L.P.)

    HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)

    HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)

    HKU\Mallory\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)

    HKU\Mallory\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-03] (Google Inc.)

    HKU\Owner\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-03] (Google Inc.)

    HKU\Owner\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17418928 2012-07-13] (Skype Technologies S.A.)

    HKU\Owner\...\Run: [Facebook Update] "C:\Users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-08-21] (Facebook Inc.)

    HKU\Owner\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]

    HKU\Owner\...\Run: [Windows Services Host] "C:\Users\Owner\AppData\Roaming\System\svchost.exe" 3 [x]

    HKU\Owner\...\Run: [scasim] rundll32.exe "C:\Users\Owner\AppData\Roaming\scasim.dll",GetHtmlCharset [187392 2013-01-18] (CPUID)

    HKU\Owner\...\Run: [rtnmdn] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\rtnmdn.dll",SimpleParseStringFlags [637952 2013-01-18] (ALPS Electric Co., Ltd.)

    HKU\Owner\...\Run: [rlads] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\rlads.dll",_InPlaceRepeat [350208 2013-01-18] (SiliconMotion)

    HKU\Owner\...\Winlogon: [shell] explorer.exe,C:\Users\Owner\AppData\Roaming\skype.dat [152064 2011-11-16] ()

    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$945a142a35f2173872f4953050c7916d\n. ATTENTION! ====> ZeroAccess

    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

    Lsa: [Notification Packages] EgisPwdFilter EgisDSPwdFilter

    Startup: C:\Users\All Users\Start Menu\Programs\Startup\NAC Assessment Agent.lnk

    ShortcutTarget: NAC Assessment Agent.lnk -> C:\Program Files (x86)\Enterasys Networks\NAC Agent\NacAgent.exe (Enterasys Networks, Inc)

    ==================== Services (Whitelisted) ===================

    2 DvmMDES; "C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe" [338168 2010-03-31] (DeviceVM, Inc.)

    2 EgisTec Service; "C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe" [689008 2010-02-04] (Egis Technology Inc. )

    2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [265952 2012-06-22] ()

    2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [x]

    ==================== Drivers (Whitelisted) =====================

    1 DVMIO; C:\Windows\System32\Drivers\DVMIO.sys [20056 2009-11-11] (DeviceVM, Inc.)

    3 hitmanpro37; C:\Windows\System32\Drivers\hitmanpro37.sys [32152 2013-01-20] ()

    1 tmactmon; C:\Windows\System32\Drivers\tmactmon.sys [107048 2012-09-24] (Trend Micro Inc.)

    1 tmcomm; C:\Windows\System32\Drivers\tmcomm.sys [173504 2012-09-24] (Trend Micro Inc.)

    1 tmevtmgr; C:\Windows\System32\Drivers\tmevtmgr.sys [77184 2012-09-24] (Trend Micro Inc.)

    1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [105744 2011-08-02] (Trend Micro Inc.)

    ==================== NetSvcs (Whitelisted) ====================

    ==================== One Month Created Files and Folders ========

    2013-01-20 20:06 - 2013-01-20 20:06 - 00032152 ____A C:\Windows\System32\Drivers\hitmanpro37.sys

    2013-01-20 20:06 - 2013-01-20 20:06 - 00000000 ____D C:\Users\All Users\HitmanPro

    2013-01-20 20:06 - 2013-01-20 20:06 - 00000000 ____D C:\Program Files\HitmanPro

    2013-01-18 18:32 - 2013-01-20 20:14 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

    2013-01-18 18:27 - 2013-01-20 20:13 - 00006527 ____A C:\Users\Owner\AppData\Local\6b358416-a8df-49ee-aa2c-12f27a870976.crx

    2013-01-18 18:27 - 2013-01-18 18:27 - 00637952 ____A (ALPS Electric Co., Ltd.) C:\Users\Owner\AppData\Roaming\rtnmdn.dll

    2013-01-18 18:27 - 2013-01-18 18:27 - 00350208 ____A (SiliconMotion) C:\Users\Owner\AppData\Roaming\rlads.dll

    2013-01-18 18:26 - 2013-01-18 18:26 - 00187392 ____A (CPUID) C:\Users\Owner\AppData\Roaming\scasim.dll

    2013-01-08 20:16 - 2013-01-08 20:16 - 00000118 ____A C:\Windows\System32\MRT.INI

    2013-01-08 16:54 - 2012-12-07 05:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll

    2013-01-08 16:54 - 2012-12-07 05:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll

    2013-01-08 16:54 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll

    2013-01-08 16:54 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll

    2013-01-08 16:54 - 2012-12-07 03:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs

    2013-01-08 16:54 - 2012-12-07 03:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs

    2013-01-08 16:54 - 2012-12-07 03:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs

    2013-01-08 16:54 - 2012-12-07 03:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs

    2013-01-08 16:54 - 2012-12-07 03:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs

    2013-01-08 16:54 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs

    2013-01-08 16:54 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs

    2013-01-08 16:54 - 2012-12-07 03:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs

    2013-01-08 16:54 - 2012-12-07 03:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs

    2013-01-08 16:54 - 2012-12-07 03:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs

    2013-01-08 16:54 - 2012-12-07 03:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs

    2013-01-08 16:54 - 2012-12-07 03:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs

    2013-01-08 16:54 - 2012-12-07 03:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs

    2013-01-08 16:54 - 2012-12-07 03:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs

    2013-01-08 16:54 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs

    2013-01-08 16:54 - 2012-11-21 21:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll

    2013-01-08 16:54 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll

    2013-01-08 16:54 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    2013-01-08 16:54 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

    2013-01-08 16:54 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

    2013-01-08 16:54 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

    2013-01-08 16:54 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

    2013-01-08 16:54 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

    2013-01-08 16:54 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

    2013-01-08 16:54 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

    2013-01-08 16:53 - 2012-11-29 21:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

    2013-01-08 16:53 - 2012-11-29 21:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

    2013-01-08 16:53 - 2012-11-29 21:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

    2013-01-08 16:53 - 2012-11-29 21:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

    2013-01-08 16:53 - 2012-11-29 21:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

    2013-01-08 16:53 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

    2013-01-08 16:53 - 2012-11-29 21:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

    2013-01-08 16:53 - 2012-11-29 20:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

    2013-01-08 16:53 - 2012-11-29 20:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 19:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

    2013-01-08 16:53 - 2012-11-29 18:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

    2013-01-08 16:53 - 2012-11-29 18:44 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

    2013-01-08 16:53 - 2012-11-29 18:44 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

    2013-01-08 16:53 - 2012-11-29 18:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

    2013-01-08 16:53 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

    2013-01-08 16:53 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls

    2013-01-08 16:53 - 2012-11-29 15:15 - 00420064 ____A C:\Windows\System32\locale.nls

    2013-01-08 16:53 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2013-01-08 16:53 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe

    2013-01-08 16:42 - 2013-01-08 16:42 - 00000000 ____D C:\Users\Mallory\Documents\Vegas Movie Studio HD 11.0 Projects

    2013-01-08 16:42 - 2013-01-08 16:42 - 00000000 ____D C:\Users\Mallory\AppData\Roaming\Sony

    2013-01-08 16:42 - 2013-01-08 16:42 - 00000000 ____D C:\Users\Mallory\AppData\Roaming\Publish Providers

    2013-01-08 16:42 - 2013-01-08 16:42 - 00000000 ____D C:\Users\Mallory\AppData\Local\Sony

    2012-12-26 21:27 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

    2012-12-26 21:27 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

    2012-12-26 21:27 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

    2012-12-26 21:27 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

    ==================== One Month Modified Files and Folders =======

    2013-01-20 22:30 - 2013-01-20 22:30 - 00000000 ____D C:\FRST

    2013-01-20 20:14 - 2013-01-18 18:32 - 00000004 ____A C:\Users\Owner\AppData\Roaming\skype.ini

    2013-01-20 20:13 - 2013-01-18 18:27 - 00006527 ____A C:\Users\Owner\AppData\Local\6b358416-a8df-49ee-aa2c-12f27a870976.crx

    2013-01-20 20:13 - 2010-10-03 21:42 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

    2013-01-20 20:13 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

    2013-01-20 20:13 - 2009-07-13 20:51 - 00132911 ____A C:\Windows\setupact.log

    2013-01-20 20:06 - 2013-01-20 20:06 - 00032152 ____A C:\Windows\System32\Drivers\hitmanpro37.sys

    2013-01-20 20:06 - 2013-01-20 20:06 - 00000000 ____D C:\Users\All Users\HitmanPro

    2013-01-20 20:06 - 2013-01-20 20:06 - 00000000 ____D C:\Program Files\HitmanPro

    2013-01-20 20:00 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

    2013-01-20 20:00 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

    2013-01-18 18:43 - 2010-05-04 04:30 - 01645547 ____A C:\Windows\WindowsUpdate.log

    2013-01-18 18:33 - 2010-10-03 21:42 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype

    2013-01-18 18:27 - 2013-01-18 18:27 - 00637952 ____A (ALPS Electric Co., Ltd.) C:\Users\Owner\AppData\Roaming\rtnmdn.dll

    2013-01-18 18:27 - 2013-01-18 18:27 - 00350208 ____A (SiliconMotion) C:\Users\Owner\AppData\Roaming\rlads.dll

    2013-01-18 18:26 - 2013-01-18 18:26 - 00187392 ____A (CPUID) C:\Users\Owner\AppData\Roaming\scasim.dll

    2013-01-18 18:07 - 2010-10-03 21:42 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

    2013-01-18 17:48 - 2010-12-22 16:08 - 00000332 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job

    2013-01-16 22:08 - 2011-09-05 16:50 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3673983807-3235450318-3143369733-1000UA.job

    2013-01-16 22:08 - 2011-09-05 16:50 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3673983807-3235450318-3143369733-1000Core.job

    2013-01-16 20:07 - 2012-03-07 18:22 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt

    2013-01-16 20:07 - 2010-08-02 10:17 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log

    2013-01-16 20:07 - 2010-04-21 10:59 - 00000000 ____D C:\Users\All Users\Hewlett-Packard

    2013-01-16 19:56 - 2010-05-04 04:37 - 01694792 ____A C:\Windows\PFRO.log

    2013-01-15 19:50 - 2010-10-03 21:42 - 00000000 ____D C:\Users\Owner\AppData\Local\Google

    2013-01-10 20:42 - 2010-07-27 16:57 - 00000000 ____D C:\users\Owner

    2013-01-10 20:41 - 2010-04-21 10:23 - 00000000 ____D C:\Program Files\Hewlett-Packard

    2013-01-10 20:41 - 2010-04-21 10:23 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard

    2013-01-10 20:41 - 2009-09-06 16:40 - 00000000 ____D C:\SwSetup

    2013-01-09 12:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

    2013-01-08 20:32 - 2009-07-13 21:13 - 00787692 ____A C:\Windows\System32\PerfStringBackup.INI

    2013-01-08 20:26 - 2009-07-13 20:45 - 00394392 ____A C:\Windows\System32\FNTCACHE.DAT

    2013-01-08 20:16 - 2013-01-08 20:16 - 00000118 ____A C:\Windows\System32\MRT.INI

    2013-01-08 20:14 - 2010-07-27 18:25 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

    2013-01-08 20:13 - 2010-04-21 11:43 - 00000000 ____D C:\Users\All Users\Microsoft Help

    2013-01-08 16:42 - 2013-01-08 16:42 - 00000000 ____D C:\Users\Mallory\Documents\Vegas Movie Studio HD 11.0 Projects

    2013-01-08 16:42 - 2013-01-08 16:42 - 00000000 ____D C:\Users\Mallory\AppData\Roaming\Sony

    2013-01-08 16:42 - 2013-01-08 16:42 - 00000000 ____D C:\Users\Mallory\AppData\Roaming\Publish Providers

    2013-01-08 16:42 - 2013-01-08 16:42 - 00000000 ____D C:\Users\Mallory\AppData\Local\Sony

    2013-01-08 16:42 - 2011-06-13 21:41 - 00000000 ____D C:\Users\Mallory\AppData\Local\VirtualStore

    2013-01-05 14:38 - 2011-06-13 21:41 - 00102912 ____A C:\Users\Mallory\AppData\Local\GDIPFONTCACHEV1.DAT

    ZeroAccess:

    C:\$Recycle.Bin\S-1-5-21-3673983807-3235450318-3143369733-1000\$945a142a35f2173872f4953050c7916d

    ZeroAccess:

    C:\$Recycle.Bin\S-1-5-18\$945a142a35f2173872f4953050c7916d

    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\SysWOW64\wininit.exe => MD5 is legit

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\SysWOW64\explorer.exe => MD5 is legit

    C:\Windows\System32\svchost.exe => MD5 is legit

    C:\Windows\SysWOW64\svchost.exe => MD5 is legit

    C:\Windows\System32\services.exe => MD5 is legit

    C:\Windows\System32\User32.dll => MD5 is legit

    C:\Windows\SysWOW64\User32.dll => MD5 is legit

    C:\Windows\System32\userinit.exe => MD5 is legit

    C:\Windows\SysWOW64\userinit.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK

    HKLM\...\exefile\DefaultIcon: %1 => OK

    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-11-27 21:38:48

    Restore point made on: 2012-12-07 21:34:54

    Restore point made on: 2012-12-13 20:32:57

    Restore point made on: 2012-12-13 20:42:58

    Restore point made on: 2012-12-26 21:27:12

    Restore point made on: 2013-01-08 20:11:56

    Restore point made on: 2013-01-10 20:39:17

    Restore point made on: 2013-01-10 20:39:54

    Restore point made on: 2013-01-10 20:41:10

    Restore point made on: 2013-01-10 20:41:46

    ==================== Memory info ===========================

    Percentage of memory in use: 18%

    Total physical RAM: 3893.86 MB

    Available physical RAM: 3184.31 MB

    Total Pagefile: 3892.01 MB

    Available Pagefile: 3170.38 MB

    Total Virtual: 8192 MB

    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:447.54 GB) (Free:359.35 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    2 Drive e: (RECOVERY) (Fixed) (Total:17.92 GB) (Free:2.6 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32

    5 Drive h: (MY DRIVE) (Removable) (Total:0.23 GB) (Free:0.23 GB) FAT32

    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online          465 GB      0 B
    Disk 1    Online          245 MB      0 B

    Partitions of Disk 0:

    ===============

    Disk ID: D702A12F

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary            199 MB  1024 KB
    Partition 2    Primary            447 GB   200 MB
    Partition 3    Primary             17 GB   447 GB
    Partition 4    Primary            103 MB   465 GB

    ==================================================================================

    Disk: 0

    Partition 1

    Type : 07

    Hidden: No

    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   Y   SYSTEM       NTFS   Partition    199 MB  Healthy

    =========================================================

    Disk: 0

    Partition 2

    Type : 07

    Hidden: No

    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   C                NTFS   Partition    447 GB  Healthy

    =========================================================

    Disk: 0

    Partition 3

    Type : 07

    Hidden: No

    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   E   RECOVERY     NTFS   Partition     17 GB  Healthy

    =========================================================

    Disk: 0

    Partition 4

    Type : 0C

    Hidden: No

    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4   F   HP_TOOLS     FAT32  Partition    103 MB  Healthy

    =========================================================

    Partitions of Disk 1:

    ===============

    Disk ID: C9E00415

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary            243 MB    31 KB

    ==================================================================================

    Disk: 1

    Partition 1

    Type : 0B

    Hidden: No

    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 5   H   MY DRIVE     FAT32  Removable    243 MB  Healthy

    =========================================================

    Last Boot: 2013-01-15 10:03

    ==================== End Of Log =============================
