4DBBK

  1. My apologies for the delay in responding. I wanted to report the results of the various cleaning apps I have run per your instructions. I am happy to report that it appears the Google redirect virus has in fact been eradicated. My browsers are all running faster and there is no redirecting occurring at all. I have run the last app you recommended, SecurityCheck.exe, and the results are below:

     Results of screen317's Security Check version 0.99.60
     Windows XP Service Pack 3 x86
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Security Center service is not running! This report may not be accurate!
     Windows Firewall Enabled!
     Lavasoft Ad-Aware
     Antivirus up to date! (On Access scanning disabled!)
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.70.0.1100
     CCleaner
     Java 6 Update 30
     Java version out of Date!
     Adobe Flash Player 11.6.602.171
     Mozilla Firefox (19.0)
     Google Chrome 24.0.1312.57
     Google Chrome 25.0.1364.97
     ````````Process Check: objlist.exe by Laurent````````
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 35% Defragment your hard drive soon! (Do NOT defrag if SSD!)
     ````````````````````End of Log``````````````````````
  2. Here's the log. Nothing here I wish to keep. Delete?

     # AdwCleaner v2.112 - Logfile created 02/18/2013 at 20:36:21
     # Updated 10/02/2013 by Xplode
     # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
     # User : XXXXXXX - XX-XXXXXXX
     # Boot Mode : Normal
     # Running from : C:\Documents and Settings\XXXXXXX.LAPTOP2\Desktop\adwcleaner0.exe
     # Option [search]

     ***** [services] *****

     ***** [Files / Folders] *****
     Folder Found : C:\DOCUME~1\XXXXX~1.LAP\LOCALS~1\Temp\AskSearch
     Folder Found : C:\Documents and Settings\All Users\Application Data\Ask

     ***** [Registry] *****
     Key Found : HKCU\Software\APN PIP
     Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
     Key Found : HKLM\Software\PIP

     ***** [internet Browsers] *****
     -\\ Internet Explorer v8.0.6001.18702
     [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=101706
     -\\ Mozilla Firefox v18.0.2 (en-US)
     -\\ Google Chrome v24.0.1312.57

     *************************
     AdwCleaner[R1].txt - [1469 octets] - [20/01/2013 05:51:16]
     AdwCleaner[R2].txt - [6501 octets] - [18/02/2013 20:27:30]
     AdwCleaner[R3].txt - [1153 octets] - [18/02/2013 20:36:21]
     AdwCleaner[s1].txt - [1543 octets] - [20/01/2013 05:52:00]

     ########## EOF - C:\AdwCleaner[R3].txt - [1273 octets] ##########
  3. So far, so good. No redirecting occurring with any browsers as yet. Am I out of the woods?
  4. Okay, I downloaded and launched it from my desktop. Within about 30 seconds of launching, the following error comes up: "You cannot rename ComboFix as ComboFix. Please use another name, preferably made up of alphanumeric characters." I hit Okay and it appears to shut down the application. I re-downloaded again and re-launched....same error message. I am renaming anything. I am simply downloading and launching.
  5. While I am most appreciative of your time to help me eradicate this Google Redirect Virus, I do not trust the ComboFix download. From what I found, the author (sUBs) went offline in 2009 and the download from BC intentionally misleads visitors into downloading "Reimage" (a completely different product) when the visitor thinks they are downloading ComboFix. Even getting past that, the actual ComboFix download's publisher cannot be verified. Do you have another solution or have we hit a brick wall at this point?
  6. I can't find a ComboFix download that doesn't come from a third party. I simply cannot trust any of these sources. I don't even download from CNET any more because they introduced a "downloader" that introduces ads - precisely what I am trying to REMOVE ! Even the download from BleepingComputer comes from a publisher that cannot be verified. Where can I get a trusted download?
  7. The link you provided to download ComboFix only results in taking me from one page to another page to another page, all of which point to an app called "Reimage". Where can I get a straight download of ComboFix?
  8. I completed everything exactly as explained and although the scan indicates no infections were found, my browsers remain hijacked and are still redirecting to various ad pages. I am attaching the mbar-log and system-log as instructed. mbar-log-2013-02-16 (17-35-28).txt system-log.txt
  9. I unplugged my LAN connection during the scan, so your app did not access your blog, but I re-ran the scan and it connected to this URL: http://tigzyrk.blogspot.com/2011/09/rootkit-zeroaccess-max.html
  10. RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
      mail : tigzyRK<at>gmail<dot>com
      Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
      Website : http://tigzy.geekstogo.com/roguekiller.php
      Blog : http://tigzyrk.blogspot.com/

      Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
      Started in : Normal mode
      User : XXXXXXX [Admin rights]
      Mode : Scan -- Date : 02/16/2013 14:47:00
      | ARK || FAK || MBR |

      ¤¤¤ Bad processes : 0 ¤¤¤

      ¤¤¤ Registry Entries : 10 ¤¤¤
      [RUN][sUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : ATIData (rundll32.exe "C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\ATI\ATIData\ATIdata.dll",DllRegisterServer) [x] -> FOUND
      [RUN][sUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : Downloaded Installations (rundll32 "C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\Identities\Downloaded Installations\lzjzkf.dll",CompressBufferMJPEGInternalW) [x] -> FOUND
      [RUN][sUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : ATIData (rundll32.exe "C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\ATI\ATIData\ATIdata.dll",DllRegisterServer) [x] -> FOUND
      [RUN][sUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : Downloaded Installations (rundll32 "C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\Identities\Downloaded Installations\lzjzkf.dll",CompressBufferMJPEGInternalW) [x] -> FOUND
      [RUN][sUSP PATH] HKUS\S-1-5-21-2295851767-1415002382-3503021061-1008_Classes[...]\Run : ATIData (rundll32.exe "C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\ATI\ATIData\ATIdata.dll",DllRegisterServer) [x] -> FOUND
      [RUN][sUSP PATH] HKUS\S-1-5-21-2295851767-1415002382-3503021061-1008_Classes[...]\Run : Downloaded Installations (rundll32 "C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\Identities\Downloaded Installations\lzjzkf.dll",CompressBufferMJPEGInternalW) [x] -> FOUND
      [DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{C4DDE2AD-5686-4A76-8409-5A17E0593A11} : NameServer (10.5.1.10,10.4.1.9) -> FOUND
      [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
      [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

      ¤¤¤ Particular Files / Folders: ¤¤¤
      [ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@ [-] --> FOUND
      [ZeroAccess][FILE] @ : C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@ [-] --> FOUND
      [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\@ [-] --> FOUND
      [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-2295851767-1415002382-3503021061-1008\$ff24043d55f85ce9a20a8337d9b4b888\@ [-] --> FOUND
      [ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U --> FOUND
      [ZeroAccess][FOLDER] U : C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U --> FOUND
      [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U --> FOUND
      [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-2295851767-1415002382-3503021061-1008\$ff24043d55f85ce9a20a8337d9b4b888\U --> FOUND
      [ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L --> FOUND
      [ZeroAccess][FOLDER] L : C:\Documents and Settings\XXXXXXX.LAPTOP2\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L --> FOUND
      [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\L --> FOUND
      [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-2295851767-1415002382-3503021061-1008\$ff24043d55f85ce9a20a8337d9b4b888\L --> FOUND
      [ZeroAccess][FOLDER] $NtUninstallKB3255$ : C:\WINDOWS\$NtUninstallKB3255$ --> FOUND

      ¤¤¤ Driver : [LOADED] ¤¤¤

      ¤¤¤ Infection : ZeroAccess ¤¤¤

      ¤¤¤ HOSTS File: ¤¤¤
      --> C:\WINDOWS\system32\drivers\etc\hosts

      ¤¤¤ MBR Check: ¤¤¤
      +++++ PhysicalDrive0: FUJITSU MHW2100BH +++++
      --- User ---
      [MBR] be20d092e11c497133d7e94c4921f2cb
      [bSP] c23de17a2374970d61b8b2e3b119ba08 : MBR Code unknown
      Partition table:
      0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 88497 Mo
      1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 181243440 | Size: 6895 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      +++++ PhysicalDrive1: ST330083 1A USB Device +++++
      --- User ---
      [MBR] b5ee22b5a45690c7a53c5f0f9db25116
      [bSP] 4cab11ce843286191aabf74e99b276ea : Windows XP MBR Code
      Partition table:
      0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 286165 Mo
      User = LL1 ... OK!
      Error reading LL2 MBR!

      Finished : << RKreport[1]_S_02162013_02d1447.txt >>
      RKreport[1]_S_02162013_02d1447.txt
  11. I have run an installed version of Lavasoft AdAware as well as an online scan of Dr Web Cure-it, and I just ran the Malwarebytes scan (which found some trojans) to remove a nasty redirect infection in all my browsers (FF, IE, Chrome). The infection remains and all Google SERPs only redirect to ads. I have run DDS and the two logs are saved to my desktop. As per the "Attach" text file instructions, I am NOT including that report below until directed to do so. Below is the dds.txt report (personal info redacted). Can you please help? Thanks in advance!

      DDS (Ver_2012-11-20.01) - NTFS_x86
      Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
      Run by XXXXXXX at 12:56:02 on 2013-02-16
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1269 [GMT -8:00]
      .
      AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
      FW: Lavasoft Ad-Aware *Disabled*
      .
      ============== Running Processes ================
      .
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\IFXTCS.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\System32\SCardSvr.exe
      C:\WINDOWS\system32\msdtc.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
      C:\WINDOWS\system32\IFXSPMGT.exe
      C:\WINDOWS\system32\inetsrv\inetinfo.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
      C:\WINDOWS\system32\locator.exe
      C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\wbem\wmiprvse.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\Analog Devices\Core\smax4pnp.exe
      C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      C:\PROGRA~1\MICROS~2\Office14\OUTLOOK.EXE
      C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      C:\Documents and Settings\XXXXXXX\My Documents\Firefox\firefox.exe
      C:\WINDOWS\system32\SearchProtocolHost.exe
      C:\WINDOWS\system32\SearchFilterHost.exe
      C:\WINDOWS\system32\wbem\wmiprvse.exe
      C:\WINDOWS\System32\svchost.exe -k netsvcs
      C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
      C:\WINDOWS\system32\svchost.exe -k NetworkService
      C:\WINDOWS\system32\svchost.exe -k LocalService
      C:\WINDOWS\system32\svchost.exe -k LocalService
      C:\WINDOWS\System32\svchost.exe -k Cognizance
      C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
      C:\WINDOWS\system32\svchost.exe -k HPService
      C:\WINDOWS\System32\svchost.exe -k HPZ12
      C:\WINDOWS\System32\svchost.exe -k HPZ12
      C:\WINDOWS\system32\svchost.exe -k imgsvc
      C:\WINDOWS\System32\svchost.exe -k HTTPFilter
      .
      ============== Pseudo HJT Report ===============
      .
      uStart Page = hxxp://www.google.com/
      mSearchAssistant = hxxp://www.google.com/ie
      dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
      BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
      BHO: Advertising Cookie Opt-out: {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
      BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
      BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
      mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
      mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
      mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
      mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
      mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
      mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
      mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
      uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
      mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
      mPolicies-Explorer: NoDriveAutoRun = dword:67108863
      mPolicies-Explorer: NoWelcomeScreen = dword:1
      mPolicies-System: dontdisplaylastusername = dword:1
      mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
      mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
      IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
      LSP: mswsock.dll
      DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
      DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
      DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
      TCP: NameServer = 209.18.47.61 209.18.47.62
      TCP: Interfaces\{C4DDE2AD-5686-4A76-8409-5A17E0593A11} : DHCPNameServer = 209.18.47.61 209.18.47.62
      Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
      Notify: AtiExtEvent - Ati2evxx.dll
      Notify: IfxWlxEN - <no file>
      Notify: OneCard - <no file>
      SSODL: CDBurn - <orphaned>
      SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
      SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
      SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
      LSA: Notification Packages = scecli AsWlnPkg
      mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
      .
      ================= FIREFOX ===================
      .
      FF - ProfilePath - c:\documents and settings\XXXXXX.laptop2\application data\mozilla\firefox\profiles\te4pn09h.default\
      FF - prefs.js: browser.startup.homepage - www.google.com
      FF - plugin: c:\documents and settings\XXXXXX.laptop2\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
      FF - plugin: c:\documents and settings\XXXXXX\my documents\firefox\plugins\npdeployJava1.dll
      FF - plugin: c:\documents and settings\XXXXXX\my documents\firefox\plugins\npicaN.dll
      FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
      FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
      FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
      FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
      FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
      FF - plugin: c:\windows\npMSDM.dll
      FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_149.dll
      FF - ExtSQL: !HIDDEN! 2010-03-25 08:58; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
      .
      ============= SERVICES / DRIVERS ===============
      .
      R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-10-25 35488]
      R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
      R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
      R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-9-26 87936]
      R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-6-10 35968]
      S0 aarmi;aarmi;c:\windows\system32\drivers\xtrf.sys --> c:\windows\system32\drivers\xtrf.sys [?]
      S1 MpKsldd393293;MpKsldd393293;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a641c263-a8b7-4a57-9ca5-b8b4cf5dd263}\mpksldd393293.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a641c263-a8b7-4a57-9ca5-b8b4cf5dd263}\MpKsldd393293.sys [?]
      S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
      S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
      S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
      S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]
      S3 pflt;Shrew Soft Miniport Filter;c:\windows\system32\drivers\vfilter.sys --> c:\windows\system32\drivers\vfilter.sys [?]
      S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2011-2-28 9472]
      S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
      S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-2-28 827488]
      S3 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-8-12 1213728]
      S3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\drivers\virtualnet.sys --> c:\windows\system32\drivers\virtualnet.sys [?]
      S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
      S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
      S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
      .
      =============== Created Last 30 ================
      .
      2013-02-16 15:17:02 -------- dc----w- c:\documents and settings\XXXXXX.laptop2\application data\Malwarebytes
      2013-02-16 15:16:43 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes
      2013-02-16 15:16:42 21104 -c--a-w- c:\windows\system32\drivers\mbam.sys
      2013-02-16 15:16:42 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
      2013-02-07 13:03:51 -------- dc----w- c:\program files\Pointstone
      2013-01-20 13:59:51 -------- dc----w- c:\documents and settings\all users\application data\GFI Software
      2013-01-20 13:41:11 -------- dc----w- c:\windows\ERUNT
      .
      ==================== Find3M ====================
      .
      2013-02-09 20:50:18 74096 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
      2013-02-09 20:50:18 697712 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
      2008-01-31 20:43:34 90112 -c--a-w- c:\program files\RegCleaner.exe
      .
      ============= FINISH: 12:57:07.51 ===============