gideon2386
Members
Posts: 4
Everything posted by gideon2386
FBI MoneyPak Virus..Require Removal Assistance
gideon2386 replied to gideon2386's topic in Resolved Malware Removal Logs
Yes I am still here.
FBI MoneyPak Virus..Require Removal Assistance
gideon2386 replied to gideon2386's topic in Resolved Malware Removal Logs
New CF log

ComboFix 13-07-11.03 - Tino 07/14/2013 20:22:50.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1387 [GMT -4:00]
Running from: c:\users\Tino.BHIRenovationsL.001\Desktop\ComboFix.exe
Command switches used :: c:\users\Tino.BHIRenovationsL.001\Desktop\CFScript.txt.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-06-15 to 2013-07-15 )))))))))))))))))))))))))))))))
.
.
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Tino\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Tino.BHIRenovationsL\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Tino.BHIRenovationsL.000\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\BHI Renovations LLC\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Alyssa\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-07-12 13:18 . 2013-07-12 13:18 -------- d-----w- c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific
2013-07-12 04:08 . 2013-07-12 04:08 -------- d-----w- C:\FRST
2013-07-11 21:36 . 2013-07-11 21:36 -------- d-----w- C:\3475043e4c5f81a47541accf5d
2013-07-04 07:57 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2013-07-04 07:57 . 2013-04-17 06:24 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-31 15:31 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-05-31 15:31 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-05-16 01:00 . 2010-06-24 19:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 05:51 . 2013-06-11 20:15 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-11 20:15 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-11 20:15 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-11 20:15 52224 ----a-w- c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-11 20:15 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45 . 2013-06-11 20:15 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-11 20:15 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43 . 2013-06-11 20:15 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-11 20:15 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-11 20:15 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-05-10 05:49 . 2013-06-11 20:15 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-11 20:15 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39 . 2013-06-11 20:15 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-04-26 05:51 . 2013-06-11 20:15 751104 ----a-w- c:\windows\system32\win32spl.dll
2013-04-26 04:55 . 2013-06-11 20:15 492544 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-04-25 23:30 . 2013-06-11 20:15 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific ----
.
2013-07-12 13:18 . 2013-07-12 13:19 11562 ----a-w- c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\Environment.tfc
2013-07-12 13:18 . 2013-07-12 13:19 11562 ----a-w- c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\tificocs.symantec.com.tfc
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}]
c:\program files (x86)\StartNow Toolbar\Toolbar32.dll [bU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{5911488E-9D1E-40ec-8CBB-06B231CC153F}"= "c:\program files (x86)\StartNow Toolbar\Toolbar32.dll" [bU]
.
[HKEY_CLASSES_ROOT\clsid\{5911488e-9d1e-40ec-8cbb-06b231cc153f}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-15 336384]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-02-22 1497352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2010-11-18 1040952]
Wireless Connection Manager.lnk - c:\program files (x86)\D-Link\DWA-131 revA\wirelesscm.exe [2011-12-16 517440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192su.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1207020.003\SYMNETS.SYS [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x]
S2 WlanWpsSvc;WlanWpsSvc;c:\program files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe;c:\program files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 22:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003Core.job
- c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-23 15:15]
.
2013-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003UA.job
- c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-23 15:15]
.
2013-06-27 c:\windows\Tasks\HPCeeScheduleForTino.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-12-02 524800]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-14 20:42:35
ComboFix-quarantined-files.txt 2013-07-15 00:42
ComboFix2.txt 2013-07-12 19:07
.
Pre-Run: 226,301,812,736 bytes free
Post-Run: 225,873,248,256 bytes free
.
- - End Of File - - 86AD39069D2B28FF3A393BAF73DEE064 A36C5E4F47E84449FF07ED3517B43A31
FBI MoneyPak Virus..Require Removal Assistance
gideon2386 replied to gideon2386's topic in Resolved Malware Removal Logs
Here is the Fix Log

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-07-2013 01
Ran by SYSTEM at 2013-07-12 09:01:36 Run:1
Running from H:\
Boot Mode: Recovery
==============================================
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\{0FD10AED-2B1A-2F4F-1F99-56963D4BA3DE} => Value deleted successfully.
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\150.exe => Value deleted successfully.
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\dP17724LfLkE17724 => Value deleted successfully.
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\charient => Value deleted successfully.
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\dccwview => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\Run\\ATI => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\Run\\Netscape => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\System\ControlSet001\Control\Session Manager\SubSystems\\Windows => Value was restored successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\Run\\TimeServer => Value deleted successfully.
C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job => Moved successfully.
C:\Windows\System32\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173} => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\notepad.exe => No running process found
C:\Users\Tino.BHIRenovationsL.001\rundll32.exe => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\opera.exe => Moved successfully.
C:\Users\BHI Renovations LLC\AppData\Roaming\Wasyaw => Moved successfully.
C:\Users\BHI Renovations LLC\AppData\Roaming\Microsoft\98DA => Moved successfully.
C:\ProgramData\dP17724LfLkE17724\ => Moved successfully.
C:\Users\BHIREN~1\AppData\Local\Temp\drivlace.dll => Moved successfully.
C:\Users\BHIREN~1\AppData\Local\Temp\drivlace64.dll => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Intuit\ATI => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape\ => Moved successfully.
"C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad" => File/Directory not found.
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.dat => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8 => Moved successfully.
"C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape" => File/Directory not found.
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini => Moved successfully.
C:\Windows\Tasks\At* => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1002UA.job => Moved successfully.
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
C:\Windows\System32\consrv.dll => Moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini => Moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769} => Moved successfully.
C:\ProgramData\w2SKWedwdkDaG2.exe => Moved successfully.
C:\ProgramData\YPfdbKQmYWnOqAL.exe => Moved successfully.
C:\ProgramData\I45akNWE.dat => Moved successfully.
"C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job" => File/Directory not found.
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\ => Moved successfully.
Error: DeleteJunctionsIndirectory: C:\Windows\system64 => entry should be fixed outside recovery mode.
==== End of Fixlog ====

Here is the ComboFix Log

ComboFix 13-07-11.03 - Tino 07/12/2013 11:43:47.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1178 [GMT -4:00]
Running from: c:\users\Tino.BHIRenovationsL.001\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\StartNow Toolbar
c:\program files (x86)\StartNow Toolbar\ReactivateIE.exe
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_images.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_maps.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_news.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_videos.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_web.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_games.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_msn.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_travel.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png
c:\program files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png
c:\program files (x86)\StartNow Toolbar\Resources\installer.xml
c:\program files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\separator.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\splitter.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
c:\program files (x86)\StartNow Toolbar\Resources\toolbar.xml
c:\program files (x86)\StartNow Toolbar\Resources\update.xml
c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe
c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
c:\program files (x86)\StartNow Toolbar\uninstall.dat
c:\program files (x86)\StartNow Toolbar\verify\Reactivate.exe
c:\program files (x86)\StartNow Toolbar\verify\ReactivateFF.exe
c:\program files (x86)\StartNow Toolbar\verify\StartNowToolbarUninstall.exe
c:\program files (x86)\StartNow Toolbar\verify\Toolbar32.dll
c:\program files (x86)\StartNow Toolbar\verify\ToolbarBroker.exe
c:\program files (x86)\StartNow Toolbar\verify\ToolbarUpdaterService.exe
c:\program files (x86)\StartNow Toolbar\verify\XBrowser.dll
c:\users\Tino.BHIRenovationsL.001\notepad.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Updater Service for StartNow Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2013-06-12 to 2013-07-12 )))))))))))))))))))))))))))))))
.
.
2013-07-12 18:53 . 2013-07-12 18:53 -------- d-----w- c:\users\Tino.BHIRenovationsL\AppData\Local\temp
2013-07-12 13:18 . 2013-07-12 13:18 -------- d-----w- c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific
2013-07-12 04:08 . 2013-07-12 04:08 -------- d-----w- C:\FRST
2013-07-11 21:36 . 2013-07-11 21:36 -------- d-----w- C:\3475043e4c5f81a47541accf5d
2013-07-04 07:57 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2013-07-04 07:57 . 2013-04-17 06:24 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-31 15:31 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-05-31 15:31 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-05-16 01:00 . 2010-06-24 19:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 05:51 . 2013-06-11 20:15 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-11 20:15 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-11 20:15 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-11 20:15 52224 ----a-w- c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-11 20:15 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45 . 2013-06-11 20:15 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-11 20:15 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43 . 2013-06-11 20:15 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-11 20:15 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-11 20:15 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-05-10 05:49 . 2013-06-11 20:15 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-11 20:15 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39 . 2013-06-11 20:15 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-04-26 05:51 . 2013-06-11 20:15 751104 ----a-w- c:\windows\system32\win32spl.dll
2013-04-26 04:55 . 2013-06-11 20:15 492544 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-04-25 23:30 . 2013-06-11 20:15 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-15 336384]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-02-22 1497352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2010-11-18 1040952]
Wireless Connection Manager.lnk - c:\program files (x86)\D-Link\DWA-131 revA\wirelesscm.exe [2011-12-16 517440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192su.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1207020.003\SYMNETS.SYS [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation
Manager.exe [x] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x] S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x] S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x] S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x] S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x] S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x] S2 WlanWpsSvc;WlanWpsSvc;c:\program files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe;c:\program files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [x] S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x] S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x] S3 RSPCIESTOR;Realtek PCIE CardReader 
Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x] S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2010-11-22 22:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder . 2013-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003Core.job - c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-23 15:15] . 2013-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003UA.job - c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-23 15:15] . 2013-06-27 c:\windows\Tasks\HPCeeScheduleForTino.job - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter] @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}" [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}] 2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter] @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}" [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}] 2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter] @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}" [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}] 2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter] @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}" [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}] 2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter] @="{855156F0-2A0F-11DE-8C30-0800200C9A66}" [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}] 2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-12-02 524800] "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.1.3 . - - - - ORPHANS REMOVED - - - - . 
BHO-{6E13D095-45C3-4271-9475-F3B48227DD9F} - c:\program files (x86)\StartNow Toolbar\Toolbar32.dll Toolbar-{5911488E-9D1E-40ec-8CBB-06B231CC153F} - c:\program files (x86)\StartNow Toolbar\Toolbar32.dll Wow6432Node-HKCU-Run-atiUtilLibs8 - c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8\atiUtilLibs8.dll Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe . . . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS] "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . 
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . 
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe . ************************************************************************** . Completion time: 2013-07-12 15:07:24 - machine was rebooted ComboFix-quarantined-files.txt 2013-07-12 19:07 . Pre-Run: 225,769,791,488 bytes free Post-Run: 225,629,081,600 bytes free . 
- - End Of File - - 812779C46517ADEE3D669ABA6BF57EF8 A36C5E4F47E84449FF07ED3517B43A31 -
Hello All,

I humbly require assistance in removing this FBI MoneyPak Virus that has my laptop on lockdown. I would highly appreciate any and all assistance. Thank you.

Here are the frst.txt log and Service.txt log.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-07-2013
Ran by SYSTEM on 11-07-2013 20:09:32
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-16] (Synaptics Incorporated)
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [524800 2010-12-01] (IDT, Inc.)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\RunOnce: [*WerKernelReporting] - %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)
HKLM-x32\...\Run: [startCCC] - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2010-12-15] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] - "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [976832 2010-06-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-06-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1497352 2011-02-21] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [HPOSD] - C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Alyssa\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\Alyssa\...\Run: [Google Update] - "C:\Users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-23] (Google Inc.)
HKU\Alyssa\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex [247968 2011-12-11] (Adobe Systems, Inc.)
HKU\BHI Renovations LLC\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\BHI Renovations LLC\...\Run: [skype] - "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [19550344 2011-10-13] (Skype Technologies S.A.)
HKU\BHI Renovations LLC\...\Run: [{0FD10AED-2B1A-2F4F-1F99-56963D4BA3DE}] - "C:\Users\BHI Renovations LLC\AppData\Roaming\Wasyaw\ewguac.exe" [196096 2011-05-22] ()
HKU\BHI Renovations LLC\...\Run: [150.exe] - C:\Users\BHI Renovations LLC\AppData\Roaming\Microsoft\98DA\150.exe [291840 2011-12-22] ()
HKU\BHI Renovations LLC\...\Run: [dP17724LfLkE17724] - C:\ProgramData\dP17724LfLkE17724\dP17724LfLkE17724.exe [372224 2011-12-22] ()
HKU\BHI Renovations LLC\...\Run: [charient] - rundll32 "C:\Users\BHIREN~1\AppData\Local\Temp\drivlace.dll",CreateProcessNotify [47616 2011-12-22] (Kaspersky Lab) <===== ATTENTION
HKU\BHI Renovations LLC\...\Run: [dccwview] - rundll32 "C:\Users\BHIREN~1\AppData\Local\Temp\drivlace64.dll",CreateProcessNotify [52224 2011-12-22] (Kaspersky Lab) <===== ATTENTION
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Tino.BHIRenovationsL\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\Tino.BHIRenovationsL.001\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\Tino.BHIRenovationsL.001\...\Run: [ATI] - rundll32 "C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Intuit\ATI\ghgmojmg.dll",DllRegisterServer [320000 2013-07-05] (Microsoft Corporation) <===== ATTENTION
HKU\Tino.BHIRenovationsL.001\...\Run: [Netscape] - regsvr32.exe C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape\gsroesug.dll [891904 2013-07-05] (Autodesk, Inc.) <===== ATTENTION
HKU\Tino.BHIRenovationsL.001\...\Run: [atiUtilLibs8] - rundll32.exe "C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8\atiUtilLibs8.dll",fxMobileIo Bassmapcprt [31232 2013-07-06] ()
HKU\Tino.BHIRenovationsL.001\...\Run: [TimeServer] - "C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\WIN199E.exe" [133120 2013-07-07] ()
HKU\Tino.BHIRenovationsL.001\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad\cbfacead.exe [172544 2013-07-11] () <===== ATTENTION
HKU\Tino.BHIRenovationsL.001\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad\cbfacead.exe [172544 2013-07-11] () <===== ATTENTION
HKU\Tino.BHIRenovationsL.001\...\Winlogon: [shell] explorer.exe,C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.dat [142848 2011-11-16] (Intro-Software Lab.) <==== ATTENTION
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
ShortcutTarget: Snapfish PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Wireless Connection Manager.lnk
ShortcutTarget: Wireless Connection Manager.lnk -> C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe (D-Link Corp.)

==================== Services (Whitelisted) =================

S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [354304 2010-12-15] (Advanced Micro Devices, Inc.)
S2 AMD Reservation Manager; C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [194496 2010-06-17] (Advanced Micro Devices)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [130008 2011-04-16] (Symantec Corporation)
S2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [244960 2011-10-25] ()
S2 WlanWpsSvc; C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [167936 2008-06-26] ()

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [136824 2011-06-01] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys [488056 2011-06-02] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys [488056 2011-06-02] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110630.038\ENG64.SYS [117880 2011-06-01] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110630.038\ENG64.SYS [117880 2011-06-01] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110630.038\EX64.SYS [2011768 2011-06-01] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110630.038\EX64.SYS [2011768 2011-06-01] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
S3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [141384 2010-11-10] (MCCI Corporation)
S0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-11] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-11 20:08 - 2013-07-11 20:08 - 00000000 ____D C:\FRST
2013-07-11 14:19 - 2013-07-11 15:31 - 00000004 ____A C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini
2013-07-11 14:16 - 2013-07-11 15:00 - 00000352 ___AH C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job
2013-07-11 14:16 - 2013-07-11 14:16 - 00003092 ____A C:\Windows\System32\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}
2013-07-11 14:16 - 2013-07-11 14:16 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad
2013-07-11 14:15 - 2013-07-11 14:15 - 00142848 ____A (Intro-Software Lab.) C:\Users\Tino.BHIRenovationsL.001\notepad.exe
2013-07-11 14:15 - 2013-07-11 14:15 - 00000000 ____A C:\Users\Tino.BHIRenovationsL.001\rundll32.exe
2013-07-11 14:15 - 2013-07-11 14:15 - 00000000 ____A C:\Users\Tino.BHIRenovationsL.001\opera.exe
2013-07-11 13:36 - 2013-07-11 13:36 - 00000000 ____D C:\3475043e4c5f81a47541accf5d
2013-07-09 23:33 - 2013-06-04 19:34 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-09 23:33 - 2013-06-03 22:00 - 00624128 ____A (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-09 23:33 - 2013-06-03 20:53 - 00509440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-09 23:33 - 2013-05-05 22:03 - 01887744 ____A (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-09 23:33 - 2013-05-05 20:56 - 01620480 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-09 23:33 - 2013-04-09 15:34 - 01247744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-09 23:33 - 2013-04-02 14:51 - 01643520 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-06 23:48 - 2013-07-06 23:48 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8
2013-07-05 10:41 - 2013-07-05 22:19 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape
2013-07-03 23:57 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-07-03 23:57 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00333312 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-07-02 23:01 - 2013-07-11 13:35 - 00068420 ____A C:\Windows\IE10_main.log
2013-06-13 17:43 - 2013-06-13 17:43 - 00262144 ____A C:\Windows\Minidump\061313-36145-01.dmp
2013-06-11 12:15 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 12:15 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 12:15 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 12:15 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 12:15 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 12:15 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 12:15 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 12:15 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 12:15 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 12:15 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 12:15 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 12:15 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 12:15 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 12:15 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 12:15 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-11 12:15 - 2013-04-25 15:30 - 01505280 ____A
(Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll 2013-06-11 12:15 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll ==================== One Month Modified Files and Folders ======= 2013-07-11 20:08 - 2013-07-11 20:08 - 00000000 ____D C:\FRST 2013-07-11 15:59 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-07-11 15:58 - 2009-07-13 20:51 - 00054411 ____A C:\Windows\setupact.log 2013-07-11 15:31 - 2013-07-11 14:19 - 00000004 ____A C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini 2013-07-11 15:16 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At40.job 2013-07-11 15:16 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At39.job 2013-07-11 15:16 - 2011-08-16 11:58 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1002UA.job 2013-07-11 15:16 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-07-11 15:16 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-07-11 15:10 - 2011-03-10 23:04 - 01840270 ____A C:\Windows\WindowsUpdate.log 2013-07-11 15:09 - 2011-12-31 06:51 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\CrashDumps 2013-07-11 15:02 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI 2013-07-11 15:00 - 2013-07-11 14:16 - 00000352 ___AH C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job 2013-07-11 14:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At24.job 2013-07-11 14:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At29.job 2013-07-11 14:22 - 2009-07-13 20:45 - 00378824 ____A C:\Windows\System32\FNTCACHE.DAT 2013-07-11 14:21 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender 2013-07-11 14:21 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender 2013-07-11 14:18 
- 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At38.job 2013-07-11 14:18 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At37.job 2013-07-11 14:17 - 2011-12-22 19:14 - 00000000 ____D C:\users\Tino.BHIRenovationsL.001 2013-07-11 14:17 - 2011-08-16 11:58 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1002Core.job 2013-07-11 14:16 - 2013-07-11 14:16 - 00003092 ____A C:\Windows\System32\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173} 2013-07-11 14:16 - 2013-07-11 14:16 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad 2013-07-11 14:15 - 2013-07-11 14:15 - 00142848 ____A (Intro-Software Lab.) C:\Users\Tino.BHIRenovationsL.001\notepad.exe 2013-07-11 14:15 - 2013-07-11 14:15 - 00000000 ____A C:\Users\Tino.BHIRenovationsL.001\rundll32.exe 2013-07-11 14:15 - 2013-07-11 14:15 - 00000000 ____A C:\Users\Tino.BHIRenovationsL.001\opera.exe 2013-07-11 13:54 - 2011-11-23 07:15 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003UA.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At36.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At34.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At32.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At30.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At28.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At26.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At22.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At20.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At18.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At16.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At14.job 2013-07-11 13:46 - 2011-12-24 05:34 - 
00000354 ____A C:\Windows\Tasks\At12.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At35.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At33.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At31.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At27.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At25.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At23.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At21.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At19.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At17.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At15.job 2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At13.job 2013-07-11 13:36 - 2013-07-11 13:36 - 00000000 ____D C:\3475043e4c5f81a47541accf5d 2013-07-11 13:36 - 2011-11-23 07:15 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003Core.job 2013-07-11 13:35 - 2013-07-02 23:01 - 00068420 ____A C:\Windows\IE10_main.log 2013-07-11 13:33 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At11.job 2013-07-11 00:22 - 2011-12-24 05:35 - 00000354 ____A C:\Windows\Tasks\At48.job 2013-07-11 00:22 - 2011-12-24 05:35 - 00000354 ____A C:\Windows\Tasks\At46.job 2013-07-11 00:22 - 2011-12-24 05:35 - 00000354 ____A C:\Windows\Tasks\At44.job 2013-07-11 00:22 - 2011-12-24 05:35 - 00000354 ____A C:\Windows\Tasks\At42.job 2013-07-11 00:22 - 2011-12-24 05:35 - 00000352 ____A C:\Windows\Tasks\At47.job 2013-07-11 00:22 - 2011-12-24 05:35 - 00000352 ____A C:\Windows\Tasks\At45.job 2013-07-11 00:22 - 2011-12-24 05:35 - 00000352 ____A C:\Windows\Tasks\At43.job 2013-07-11 00:22 - 2011-12-24 05:35 - 00000352 ____A C:\Windows\Tasks\At41.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A 
C:\Windows\Tasks\At8.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At6.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At4.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At2.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At10.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At9.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At7.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At5.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At3.job 2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At1.job 2013-07-09 23:49 - 2011-05-10 03:24 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log 2013-07-09 23:48 - 2011-12-20 16:36 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt 2013-07-07 19:54 - 2011-12-22 20:08 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific 2013-07-06 23:48 - 2013-07-06 23:48 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8 2013-07-05 22:19 - 2013-07-05 10:41 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape 2013-07-05 22:18 - 2013-05-19 13:36 - 423270142 ____A C:\Windows\MEMORY.DMP 2013-07-05 22:18 - 2011-07-03 22:51 - 00000000 ____D C:\Windows\Minidump 2013-07-05 10:41 - 2012-03-15 16:23 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Intuit 2013-07-05 10:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF 2013-07-04 00:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK 2013-07-04 00:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR 2013-07-04 00:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK 2013-07-04 00:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR 2013-07-02 23:07 - 2013-07-02 23:07 - 03928064 ____A (Microsoft Corporation) 
C:\Windows\System32\d2d1.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00333312 ____A (Microsoft Corporation) 
C:\Windows\System32\d3d10_1core.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll 2013-07-02 23:07 - 
2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll 2013-07-02 23:07 - 2013-07-02 23:07 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll 2013-06-26 23:55 - 2013-02-26 12:21 - 00003180 ____A C:\Windows\System32\Tasks\HPCeeScheduleForTino 2013-06-26 23:55 - 2013-02-26 12:21 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForTino.job 2013-06-13 17:43 - 2013-06-13 17:43 - 00262144 ____A C:\Windows\Minidump\061313-36145-01.dmp ZeroAccess: C:\Windows\System32\consrv.dll ZeroAccess: 
C:\Windows\assembly\GAC_32\Desktop.ini ZeroAccess: C:\Windows\assembly\GAC_64\Desktop.ini ZeroAccess: C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769} C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\@ C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\L C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\n C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\L\00000004.@ C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\L\4cce1f70 C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\00000004.@ C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\00000008.@ C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\000000cb.@ C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\80000000.@ C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\80000032.@ C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\80000064.@ Files to move or delete: ==================== C:\ProgramData\w2SKWedwdkDaG2.exe C:\ProgramData\YPfdbKQmYWnOqAL.exe C:\Users\Tino.BHIRenovationsL.001\notepad.exe C:\Users\Tino.BHIRenovationsL.001\opera.exe C:\Users\Tino.BHIRenovationsL.001\rundll32.exe C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.dat C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini C:\ProgramData\I45akNWE.dat C:\Windows\Tasks\At1.job C:\Windows\Tasks\At10.job C:\Windows\Tasks\At11.job C:\Windows\Tasks\At12.job C:\Windows\Tasks\At13.job C:\Windows\Tasks\At14.job C:\Windows\Tasks\At15.job C:\Windows\Tasks\At16.job C:\Windows\Tasks\At17.job 
C:\Windows\Tasks\At18.job C:\Windows\Tasks\At19.job C:\Windows\Tasks\At2.job C:\Windows\Tasks\At20.job C:\Windows\Tasks\At21.job C:\Windows\Tasks\At22.job C:\Windows\Tasks\At23.job C:\Windows\Tasks\At24.job C:\Windows\Tasks\At25.job C:\Windows\Tasks\At26.job C:\Windows\Tasks\At27.job C:\Windows\Tasks\At28.job C:\Windows\Tasks\At29.job C:\Windows\Tasks\At3.job C:\Windows\Tasks\At30.job C:\Windows\Tasks\At31.job C:\Windows\Tasks\At32.job C:\Windows\Tasks\At33.job C:\Windows\Tasks\At34.job C:\Windows\Tasks\At35.job C:\Windows\Tasks\At36.job C:\Windows\Tasks\At37.job C:\Windows\Tasks\At38.job C:\Windows\Tasks\At39.job C:\Windows\Tasks\At4.job C:\Windows\Tasks\At40.job C:\Windows\Tasks\At41.job C:\Windows\Tasks\At42.job C:\Windows\Tasks\At43.job C:\Windows\Tasks\At44.job C:\Windows\Tasks\At45.job C:\Windows\Tasks\At46.job C:\Windows\Tasks\At47.job C:\Windows\Tasks\At48.job C:\Windows\Tasks\At5.job C:\Windows\Tasks\At6.job C:\Windows\Tasks\At7.job C:\Windows\Tasks\At8.job C:\Windows\Tasks\At9.job C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job ==================== Known DLLs (Whitelisted) ================ ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ATTENTION: ZeroAccess. 
Use DeleteJunctionsIndirectory: C:\Windows\system64 ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2013-07-04 05:48:21 Restore point made on: 2013-07-05 10:30:18 Restore point made on: 2013-07-05 23:00:59 Restore point made on: 2013-07-06 23:43:43 Restore point made on: 2013-07-07 23:00:40 Restore point made on: 2013-07-08 23:15:09 Restore point made on: 2013-07-09 23:22:28 Restore point made on: 2013-07-10 23:58:13 ==================== Memory info =========================== Percentage of memory in use: 23% Total physical RAM: 2810.9 MB Available physical RAM: 2142.89 MB Total Pagefile: 2809.05 MB Available Pagefile: 2137.85 MB Total Virtual: 8192 MB Available Virtual: 8191.86 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:282.82 GB) (Free:202.86 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)] Drive e: (RECOVERY) (Fixed) (Total:14.98 GB) (Free:1.87 GB) NTFS (Disk=0 Partition=3) ==>[system with boot components (obtained from reading drive)] Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32 (Disk=0 Partition=4) Drive h: () (Removable) (Total:7.45 GB) (Free:1.88 GB) FAT32 (Disk=1 Partition=1) Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: CB3F4DE8) Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=283 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS) Partition 
4: (Not Active) - (Size=103 MB) - (Type=0C) ======================================================== Disk: 1 (Size: 7 GB) (Disk ID: 00000000) Partition 1: (Not Active) - (Size=7 GB) - (Type=0B) LastRegBack: 2012-12-26 14:36 ==================== End Of Log ============================ Farbar Recovery Scan Tool (x64) Version: 12-07-2013 Ran by SYSTEM at 2013-07-11 20:13:02 Running from H:\ Boot Mode: Recovery ================== Search: "services.exe" =================== C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB C:\Windows\system64\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB C:\Windows\System32\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB ====== End Of Search ======