
zaccess - Think it's clean but not sure



Hi all

Clicked a weblink the other day, and the corporate (updated daily) AV picked up and quarantined an infection immediately. An "Adobe Flash" installer popped up, wanting me to install. Clicked No; it popped up again immediately, and repeat. I shut down the computer, restarted, and ran AV and Malwarebytes. Malwarebytes reported and cleaned two - BVXgen and also ZAccess, which then led me to here when I read through some of the reports.

Malwarebytes now reports clean though - I've run it twice since on separate days, and so does the AV - and when I look at the other reports, they include an Installer & root kit, whereas my report only contains the original files...

I also followed the first few threads through on here, and tried the FRST tool, which reports back the ZAccess files, but again, no Installer, and reports my services files as legit (I've seen in other posts that it warns at that point...).

So in effect, I think the corporate AV did the job it was supposed to, along with Malwarebytes, but I don't know if you would all recommend anything further to clean/repair the system? If you can't tell I'm just a little paranoid!!


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

Can you also post the FRST log, MrC


Log from RogueKiller

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\users\fkaren\appdata\local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\fkaren\appdata\local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}\L --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[70] : NtCreateKey @ 0x8341DF22 -> HOOKED (Unknown @ 0x88E0AD64)

SSDT[74] : NtCreateMutant @ 0x8342D28E -> HOOKED (Unknown @ 0x88E0AA1C)

SSDT[79] : NtCreateProcess @ 0x834F90CF -> HOOKED (Unknown @ 0x88E0A104)

SSDT[80] : NtCreateProcessEx @ 0x834F911A -> HOOKED (Unknown @ 0x88E0A0C4)

SSDT[86] : NtCreateSymbolicLinkObject @ 0x8341E8ED -> HOOKED (Unknown @ 0x88E0A99C)

SSDT[87] : NtCreateThread @ 0x834F8ED6 -> HOOKED (Unknown @ 0x88E0AB64)

SSDT[88] : NtCreateThreadEx @ 0x8348D34B -> HOOKED (Unknown @ 0x88E0AB24)

SSDT[93] : NtCreateUserProcess @ 0x8348B27D -> HOOKED (Unknown @ 0x88E0AEA4)

SSDT[96] : NtDebugActiveProcess @ 0x834CADB0 -> HOOKED (Unknown @ 0x88E0A91C)

SSDT[103] : NtDeleteKey @ 0x83408A03 -> HOOKED (Unknown @ 0x88E0ACE4)

SSDT[106] : NtDeleteValueKey @ 0x833FA41A -> HOOKED (Unknown @ 0x88E0AC24)

SSDT[111] : NtDuplicateObject @ 0x8344E65A -> HOOKED (Unknown @ 0x88E0A95C)

SSDT[155] : NtLoadDriver @ 0x833E2BFC -> HOOKED (Unknown @ 0x88E0AA5C)

SSDT[190] : NtOpenProcess @ 0x8342EAD4 -> HOOKED (Unknown @ 0x88E0AE64)

SSDT[194] : NtOpenSection @ 0x8348689B -> HOOKED (Unknown @ 0x88E0ABE4)

SSDT[198] : NtOpenThread @ 0x8347AF95 -> HOOKED (Unknown @ 0x88E0ADA4)

SSDT[290] : NtRenameKey @ 0x834B8FCB -> HOOKED (Unknown @ 0x88E0ACA4)

SSDT[302] : NtRestoreKey @ 0x834AEB5C -> HOOKED (Unknown @ 0x88E0AC64)

SSDT[350] : NtSetSystemInformation @ 0x8346B26C -> HOOKED (Unknown @ 0x88E0A9DC)

SSDT[358] : NtSetValueKey @ 0x8342751F -> HOOKED (Unknown @ 0x88E0AD24)

SSDT[370] : NtTerminateProcess @ 0x83477BCD -> HOOKED (Unknown @ 0x88E0AE24)

SSDT[371] : NtTerminateThread @ 0x83495584 -> HOOKED (Unknown @ 0x88E0ADE4)

SSDT[399] : NtWriteVirtualMemory @ 0x8347C92A -> HOOKED (Unknown @ 0x88E0ABA4)

S_SSDT[584] : Unknown -> HOOKED (Unknown @ 0x892CE78C)

S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x897B63D4)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BEKT-60V5T1 +++++

--- User ---

[MBR] 46516215b32f4ae42b4d263a8d405e0a

[BSP] 3fd1b2be7e9d69e23f667bbd80476610 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 101 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208896 | Size: 303093 Mo

2 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 620943360 | Size: 2049 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Ricoh SD Disk Device +++++

--- User ---

[MBR] 26b25b821114bab4213b18998ca9c64a

[BSP] 647aad14e0a7039a89258c2bbcb060ee : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo

Error reading LL1 MBR!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>


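The report above makes the security-relevant point of this thread: Malwarebytes and the corporate AV say "clean", yet RogueKiller still finds the two ZeroAccess payload folders under a {GUID} directory in %LOCALAPPDATA% and a long list of SSDT entries hooked by a module it cannot attribute to any loaded driver. Removing files does not unhook the kernel. The script below is an added example (not RogueKiller's code, not part of the forum posts) that triages a pasted RogueKiller report and separates those two classes of evidence. The report text in SAMPLE_REPORT is constructed to mirror the posted format; the user name, GUID, hashes, addresses and the "avdrv.sys" module name are invented. It also accepts both "[BSP]" and the BBCode-mangled "[bSP]" that forum software produces, and only flags an unrecognised MBR code for review rather than calling it malicious.

```python
"""Triage a pasted RogueKiller report for ZeroAccess indicators.

Added example for this thread; not RogueKiller's code or output.
SAMPLE_REPORT is constructed: user, GUID, hashes, addresses and the
attributed module name "avdrv.sys" are invented.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : c:\users\alice\appdata\local\{11111111-2222-3333-4444-555555555555}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\alice\appdata\local\{11111111-2222-3333-4444-555555555555}\L --> FOUND
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[70] : NtCreateKey @ 0x8341DF22 -> HOOKED (Unknown @ 0x88E0AD64)
SSDT[190] : NtOpenProcess @ 0x8342EAD4 -> HOOKED (Unknown @ 0x88E0AE64)
SSDT[370] : NtTerminateProcess @ 0x83477BCD -> HOOKED (Unknown @ 0x88E0AE24)
SSDT[399] : NtWriteVirtualMemory @ 0x8347C92A -> HOOKED (Unknown @ 0x88E0ABA4)
S_SSDT[584] : Unknown -> HOOKED (Unknown @ 0x892CE78C)
SSDT[12] : NtAlpcConnectPort @ 0x83400000 -> HOOKED (avdrv.sys @ 0x8A000000)
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: constructed disk +++++
[bSP] 0123456789abcdef0123456789abcdef : Windows 7 MBR Code
+++++ PhysicalDrive1: constructed SD card +++++
[BSP] fedcba9876543210fedcba9876543210 : MBR Code unknown
"""

ZA_FOLDER = re.compile(r"^\[ZeroAccess\]\[FOLDER\] \S+ : (?P<path>.+?) --> FOUND$")
# Handles both "SSDT[n] : NtFoo @ 0x.. -> HOOKED (mod @ 0x..)" and the
# shadow-table form "S_SSDT[n] : Unknown -> HOOKED (Unknown @ 0x..)".
SSDT_HOOK = re.compile(
    r"^(?:S_SSDT|SSDT)\[\d+\] : (?P<syscall>\S+)(?: @ 0x[0-9A-Fa-f]+)?"
    r" -> HOOKED \((?P<module>.+?) @ 0x[0-9A-Fa-f]+\)$"
)
DRIVE = re.compile(r"^\+{5} (?P<drive>.+?) \+{5}$")
MBR_CODE = re.compile(r"^\[[bB]SP\] [0-9A-Fa-f]{32} : (?P<desc>.+)$")  # [bSP] = forum-mangled [BSP]


@dataclass
class Triage:
    zeroaccess_dirs: set = field(default_factory=set)      # {GUID} parents of the U/L folders
    unknown_hooks: list = field(default_factory=list)      # syscalls hooked by an unattributed module
    attributed_hooks: list = field(default_factory=list)   # (syscall, module) RogueKiller could attribute
    mbr_unknown: list = field(default_factory=list)        # (drive, description) needing manual review


def hook_category(syscall: str) -> str:
    """Rough grouping of a hooked Nt* call by what a rootkit gains from it."""
    if "Key" in syscall:
        return "registry"      # hide or protect its own keys and values
    if "Process" in syscall or "Thread" in syscall:
        return "process"       # keep tools from opening, debugging or killing it
    if syscall in ("NtLoadDriver", "NtSetSystemInformation"):
        return "driver-load"   # interfere with other drivers being loaded
    if "VirtualMemory" in syscall or syscall in ("NtOpenSection", "NtDuplicateObject"):
        return "memory"        # control access to its memory and handles
    return "other"


def triage(report: str) -> Triage:
    t = Triage()
    drive = "?"
    for raw in report.splitlines():
        line = raw.strip()
        if m := ZA_FOLDER.match(line):
            # U and L share one {GUID} parent; record the parent once
            t.zeroaccess_dirs.add(m["path"].rsplit("\\", 1)[0])
        elif m := SSDT_HOOK.match(line):
            if m["module"] == "Unknown":
                t.unknown_hooks.append(m["syscall"])
            else:
                t.attributed_hooks.append((m["syscall"], m["module"]))
        elif m := DRIVE.match(line):
            drive = m["drive"]
        elif (m := MBR_CODE.match(line)) and "unknown" in m["desc"].lower():
            t.mbr_unknown.append((drive, m["desc"]))
    return t


def hooks_by_category(t: Triage) -> dict:
    return dict(Counter(hook_category(s) for s in t.unknown_hooks))


def verdict(t: Triage) -> str:
    """What the report itself supports, independent of what an AV scan said."""
    if t.zeroaccess_dirs and t.unknown_hooks:
        return "payload dirs present and kernel hooks in place: rootkit still loaded"
    if t.unknown_hooks:
        return "unattributed kernel hooks: driver still loaded, confirm with a second rootkit scanner"
    if t.zeroaccess_dirs:
        return "leftover {GUID} dirs only: remnants, remove and rescan"
    return "no ZeroAccess indicators in this report"


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("ZeroAccess dirs:", *sorted(result.zeroaccess_dirs))
    print("Unattributed hooks by category:", hooks_by_category(result))
    print("Attributed hooks:", result.attributed_hooks)
    print("Unrecognised MBR code:", result.mbr_unknown)
    print("Verdict:", verdict(result))
```

Run it on a saved RKreport by reading the file into triage() instead of SAMPLE_REPORT. The split between "Unknown" and attributed hooks matters: security products also hook the SSDT, so a hook by a named, known driver is not evidence on its own, while a hook whose owner RogueKiller cannot find is. Likewise the "MBR Code unknown" entry is kept as a review item rather than a detection, since non-Windows boot code on removable media is not itself an infection indicator.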

And this is the FRST

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01

Ran by fkaren at 20-07-2012 11:56:30

Running from I:\

Service Pack 1 (X86) OS Language: English(US)

Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

============ One Month Created Files and Folders ==============

2012-07-20 11:56 - 2012-07-20 11:56 - 00000000 ____D C:\FRST

2012-07-20 08:05 - 2012-07-20 08:05 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2012-07-19 14:12 - 2012-07-19 14:12 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Malwarebytes

2012-07-19 14:11 - 2012-07-19 14:11 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\fkaren\Downloads\mbam-setup-1.62.0.1300.exe

2012-07-19 14:11 - 2012-07-19 14:11 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-07-19 14:11 - 2012-07-19 14:11 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-07-19 14:11 - 2012-07-03 13:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-19 14:03 - 2012-07-19 14:03 - 00102400 ____A C:\Windows\RegBootClean.exe

2012-07-19 12:11 - 2012-07-19 12:11 - 00000000 ____D C:\Users\fkaren\Documents\Bugs

2012-07-19 12:10 - 2012-07-19 12:11 - 00000000 ____D C:\Users\fkaren\Documents\Projects

2012-07-17 16:30 - 2012-07-17 16:31 - 00007248 ____A C:\Users\fkaren\Desktop\for current cr.txt

2012-07-17 12:22 - 2012-07-20 11:20 - 00001698 ____A C:\Users\Public\Desktop\Pilatmedia Applications.lnk

2012-07-17 12:22 - 2012-07-17 12:22 - 00000000 ____D C:\Windows\wlansvc

2012-07-17 12:22 - 2012-07-17 12:22 - 00000000 ____D C:\Users\All Users\GroupPolicy

2012-07-15 17:46 - 2012-07-15 17:46 - 00000000 ____D C:\Users\Public\Documents\Sports Interactive

2012-07-15 17:46 - 2012-07-15 17:46 - 00000000 ____D C:\Users\fkaren\Documents\Sports Interactive

2012-07-15 17:46 - 2012-07-15 17:46 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Sports Interactive

2012-07-15 17:46 - 2012-07-15 17:46 - 00000000 ____D C:\Users\fkaren\AppData\Local\Sports Interactive

2012-07-15 17:45 - 2009-03-16 14:18 - 00517448 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_4.dll

2012-07-15 17:45 - 2009-03-16 14:18 - 00235352 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_4.dll

2012-07-15 17:45 - 2009-03-16 14:18 - 00022360 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_6.dll

2012-07-15 17:45 - 2009-03-09 15:27 - 04178264 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_41.dll

2012-07-15 17:45 - 2008-10-15 07:03 - 00514384 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_3.dll

2012-07-15 17:45 - 2008-10-15 07:03 - 00235856 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_3.dll

2012-07-15 17:45 - 2008-10-15 07:03 - 00070992 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_2.dll

2012-07-15 17:45 - 2008-10-15 07:03 - 00023376 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_5.dll

2012-07-15 17:45 - 2008-10-15 06:22 - 04379984 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_40.dll

2012-07-15 17:45 - 2008-10-15 06:22 - 02036576 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_40.dll

2012-07-15 17:45 - 2008-10-15 06:22 - 00452440 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_40.dll

2012-07-15 17:45 - 2008-07-30 06:20 - 00509448 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_2.dll

2012-07-15 17:45 - 2008-07-30 06:20 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_2.dll

2012-07-15 17:45 - 2008-07-30 06:20 - 00068616 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_1.dll

2012-07-15 17:45 - 2008-07-10 11:01 - 00467984 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_39.dll

2012-07-15 17:45 - 2008-07-10 11:00 - 03851784 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_39.dll

2012-07-15 17:45 - 2008-07-10 11:00 - 01493528 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_39.dll

2012-07-15 17:45 - 2008-05-30 14:19 - 00507400 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_1.dll

2012-07-15 17:45 - 2008-05-30 14:18 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_1.dll

2012-07-15 17:45 - 2008-05-30 14:17 - 00065032 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_0.dll

2012-07-15 17:45 - 2008-05-30 14:17 - 00025608 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_4.dll

2012-07-15 17:45 - 2008-05-30 14:11 - 03850760 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_38.dll

2012-07-15 17:45 - 2008-05-30 14:11 - 01491992 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_38.dll

2012-07-15 17:45 - 2008-05-30 14:11 - 00467984 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_38.dll

2012-07-15 17:45 - 2008-03-05 16:03 - 00479752 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_0.dll

2012-07-15 17:45 - 2008-03-05 16:03 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_0.dll

2012-07-15 17:45 - 2008-03-05 16:00 - 00025608 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_3.dll

2012-07-15 17:45 - 2008-03-05 15:56 - 03786760 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_37.dll

2012-07-15 17:45 - 2008-03-05 15:56 - 01420824 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_37.dll

2012-07-15 17:45 - 2008-02-05 23:07 - 00462864 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_37.dll

2012-07-15 13:44 - 2012-07-15 13:44 - 00000000 ____D C:\Users\fkaren\AppData\Local\Macromedia

2012-07-15 13:43 - 2012-07-15 13:43 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-07-15 13:01 - 2012-07-17 08:03 - 00000000 ____D C:\Program Files\Steam

2012-07-15 13:01 - 2012-07-16 05:59 - 00000000 ____D C:\Program Files\Common Files\Steam

2012-07-15 13:01 - 2012-07-15 13:01 - 00000875 ____A C:\Users\Public\Desktop\Steam.lnk

2012-07-13 08:23 - 2012-07-13 08:23 - 00000000 ___RD C:\Program Files\Skype

2012-07-13 08:23 - 2012-07-13 08:23 - 00000000 ____D C:\Program Files\Common Files\Skype

2012-07-12 18:43 - 2012-07-12 18:43 - 00000000 ____D C:\Users\fkaren\AppData\Local\{C6C514B8-3845-4C1F-A668-6A8CF0ED4AAD}

2012-07-12 18:43 - 2012-07-12 18:43 - 00000000 ____D C:\Users\fkaren\AppData\Local\{9CCE7581-5DA3-4F87-B84A-17A64A3C887E}

2012-07-12 18:32 - 2012-07-20 08:02 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Mikogo 4

2012-07-12 18:32 - 2012-07-12 18:32 - 00000000 ____D C:\Users\fkaren\Documents\Mikogo4

2012-07-12 16:23 - 2012-07-12 16:29 - 00000000 ____D C:\Users\fkaren\Desktop\xampp

2012-07-12 15:55 - 2012-07-18 16:54 - 00002006 ___AH C:\Users\fkaren\Documents\Default.rdp

2012-07-12 15:55 - 2011-01-27 17:04 - 00001573 ____A C:\Users\fkaren\Desktop\Remote Desktop Connection.lnk

2012-07-12 15:48 - 2012-07-12 15:48 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

2012-07-12 15:33 - 2012-07-12 15:33 - 00000000 ____D C:\Users\fkaren\AppData\Local\{819D850E-D579-4C28-89FC-E4E01B68E84E}

2012-07-12 15:33 - 2012-07-12 15:33 - 00000000 ____D C:\Users\fkaren\AppData\Local\{2E61BD8D-0B43-4C29-960C-FC454AD47683}

2012-07-12 15:29 - 2012-07-12 15:29 - 00000020 ____A C:\Windows\Øú»

2012-07-12 15:29 - 2012-07-12 15:29 - 00000000 ____D C:\Program Files\Windows Live

2012-07-12 15:28 - 2009-09-04 17:44 - 00515416 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_5.dll

2012-07-12 15:28 - 2009-09-04 17:44 - 00069464 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_3.dll

2012-07-12 15:28 - 2009-09-04 17:29 - 00453456 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_42.dll

2012-07-12 15:26 - 2012-07-19 14:46 - 00000000 ____D C:\Users\fkaren\AppData\Local\Windows Live

2012-07-12 15:26 - 2012-07-12 15:26 - 00000000 ____D C:\Program Files\Common Files\Windows Live

2012-07-12 13:51 - 2012-07-19 12:09 - 00000000 ____D C:\Users\fkaren\Desktop\Code spares

2012-07-12 13:51 - 2012-07-12 15:28 - 00000000 ____D C:\Users\fkaren\Desktop\Exes

2012-07-12 13:51 - 2012-07-12 13:53 - 00000000 ____D C:\Users\fkaren\Desktop\Pilat docs

2012-07-12 13:51 - 2007-08-24 09:54 - 00000185 ____A C:\Users\fkaren\Desktop\Concur -- Login.url

2012-07-12 12:13 - 2012-07-12 12:13 - 00000000 ____D C:\Users\fkaren\AppData\Local\TechSmith

2012-07-12 12:02 - 2012-07-12 12:02 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\ATI

2012-07-12 12:02 - 2012-07-12 12:02 - 00000000 ____D C:\Users\fkaren\AppData\Local\ATI

2012-07-12 12:00 - 2012-07-20 11:52 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Skype

2012-07-12 12:00 - 2012-07-15 13:01 - 00000000 ____D C:\users\fkaren

2012-07-12 12:00 - 2012-07-12 14:03 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\PLSQL Developer

2012-07-12 12:00 - 2012-07-12 13:58 - 00000000 ____D C:\Users\fkaren\Oracle

2012-07-12 12:00 - 2012-07-12 12:00 - 00015686 _RASH C:\Users\fkaren\ntuser.pol

2012-07-12 12:00 - 2012-07-12 12:00 - 00000000 ____D C:\Users\fkaren\AppData\Local\VirtualStore

2012-07-12 12:00 - 2012-06-01 15:17 - 00000000 ____D C:\Users\fkaren\Documents\Visual Studio 2010

2012-07-12 12:00 - 2012-06-01 13:50 - 00000000 ____D C:\Users\fkaren\Documents\plsqldoc

2012-07-12 12:00 - 2012-06-01 11:29 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Apple Computer

2012-07-12 12:00 - 2012-05-27 09:49 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\ICAClient

2012-07-12 12:00 - 2012-05-27 09:48 - 00000000 ____D C:\Users\fkaren\Documents\2XPDFStore

2012-07-12 12:00 - 2012-05-27 09:47 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\2XClient

2012-07-12 12:00 - 2012-05-27 09:42 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Adobe

2012-07-12 12:00 - 2012-05-27 09:42 - 00000000 ____D C:\Users\fkaren\AppData\Local\Adobe

2012-07-12 12:00 - 2011-05-31 15:21 - 00000000 ____D C:\Users\fkaren\Documents\Visual Studio 2005

2012-07-12 12:00 - 2011-05-31 15:03 - 00000000 ____D C:\Users\fkaren\Desktop\SVNCheckOut

2012-07-12 12:00 - 2011-05-31 15:00 - 00000000 ____D C:\Users\fkaren\Documents\DevExpress

2012-07-12 12:00 - 2011-05-31 14:54 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\TortoiseSVN

2012-07-12 12:00 - 2011-05-31 14:54 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Subversion

2012-07-12 12:00 - 2011-05-31 14:46 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Scooter Software

2012-07-12 12:00 - 2011-05-31 14:37 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\CodeRush for VS .NET

2012-07-12 12:00 - 2011-05-31 13:09 - 00000000 ____D C:\Users\fkaren\Documents\Visual Studio 2008

2012-07-12 12:00 - 2011-05-31 13:05 - 00080664 ____A C:\Users\fkaren\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-12 12:00 - 2011-05-27 10:51 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Roxio Log Files

2012-07-12 12:00 - 2011-05-26 17:51 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\hpqLog

2012-07-12 12:00 - 2011-05-26 17:44 - 00000000 ____D C:\Users\fkaren\Documents\Bluetooth Exchange Folder

2012-07-12 12:00 - 2011-05-26 17:44 - 00000000 ____D C:\Users\fkaren\AppData\Local\Broadcom

2012-07-12 12:00 - 2011-05-20 17:27 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Mozilla

2012-07-12 12:00 - 2011-05-20 17:27 - 00000000 ____D C:\Users\fkaren\AppData\Local\Mozilla

2012-07-12 12:00 - 2011-05-20 17:26 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\ZipGenius

2012-07-12 12:00 - 2011-05-20 16:51 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\FileZilla

2012-07-12 12:00 - 2011-05-20 16:47 - 00000000 ____D C:\Users\fkaren\AppData\Local\Apple Computer

2012-07-12 12:00 - 2011-05-20 16:45 - 00000000 ____D C:\Users\fkaren\AppData\Local\Apple

2012-07-12 12:00 - 2011-05-20 16:10 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\Macromedia

2012-07-12 12:00 - 2011-05-20 16:09 - 00000000 ____D C:\Users\fkaren\AppData\Roaming\InstallShield

2012-07-12 12:00 - 2011-05-20 14:56 - 00000000 ____D C:\Users\fkaren\AppData\Local\Microsoft Help

2012-07-12 12:00 - 2011-05-20 14:54 - 00000000 ____A C:\Users\fkaren\AppData\Local\QSwitch.txt

2012-07-12 12:00 - 2011-05-20 14:54 - 00000000 ____A C:\Users\fkaren\AppData\Local\DSwitch.txt

2012-07-12 12:00 - 2011-05-20 14:54 - 00000000 ____A C:\Users\fkaren\AppData\Local\AtStart.txt

2012-07-12 12:00 - 2011-05-20 14:53 - 00000020 ___SH C:\Users\fkaren\ntuser.ini

2012-07-12 12:00 - 2008-07-30 13:01 - 00000762 ____A C:\Users\fkaren\Desktop\PilatMedia Applications.lnk

2012-07-12 11:55 - 2012-06-02 10:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-07-12 11:55 - 2012-06-02 09:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-07-12 11:55 - 2012-06-02 09:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-07-12 11:55 - 2012-06-02 09:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-07-12 11:55 - 2012-06-02 09:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-07-12 11:55 - 2012-06-02 09:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-07-12 11:55 - 2012-06-02 09:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-07-12 11:55 - 2012-06-02 09:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-07-12 11:55 - 2012-06-02 09:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-07-12 11:55 - 2012-06-02 09:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-07-12 11:55 - 2012-06-02 09:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-07-12 11:55 - 2012-06-02 09:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-07-12 11:55 - 2012-06-02 09:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-07-12 11:55 - 2012-06-02 09:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-07-12 11:53 - 2011-03-25 03:58 - 00284672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbport.sys

2012-07-12 11:53 - 2011-03-25 03:58 - 00258560 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbhub.sys

2012-07-12 11:53 - 2011-03-25 03:58 - 00075776 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbccgp.sys

2012-07-12 11:53 - 2011-03-25 03:57 - 00043008 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbehci.sys

2012-07-12 11:53 - 2011-03-25 03:57 - 00024064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbuhci.sys

2012-07-12 11:53 - 2011-03-25 03:57 - 00020480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbohci.sys

2012-07-12 11:53 - 2011-03-25 03:57 - 00005888 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbd.sys

2012-07-12 11:45 - 2011-03-11 06:39 - 01211264 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2012-07-12 11:45 - 2011-03-11 06:39 - 00148864 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\storport.sys

2012-07-12 11:45 - 2011-03-11 06:39 - 00143744 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvstor.sys

2012-07-12 11:45 - 2011-03-11 06:39 - 00117120 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvraid.sys

2012-07-12 11:45 - 2011-03-11 06:38 - 00332160 ____A (Intel Corporation) C:\Windows\System32\Drivers\iaStorV.sys

2012-07-12 11:45 - 2011-03-11 06:38 - 00080256 ____A (Advanced Micro Devices) C:\Windows\System32\Drivers\amdsata.sys

2012-07-12 11:45 - 2011-03-11 06:38 - 00022400 ____A (Advanced Micro Devices) C:\Windows\System32\Drivers\amdxata.sys

2012-07-12 11:45 - 2011-03-11 06:33 - 01699328 ____A (Microsoft Corporation) C:\Windows\System32\esent.dll

2012-07-12 11:45 - 2011-03-11 06:31 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\fsutil.exe

2012-07-12 11:45 - 2011-03-11 05:01 - 00076288 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\USBSTOR.SYS

2012-07-12 11:43 - 2012-06-02 05:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-07-12 11:43 - 2012-06-02 05:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-07-12 11:43 - 2012-06-02 05:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-07-12 11:43 - 2012-06-02 05:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-07-12 11:43 - 2012-06-02 05:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-07-12 11:43 - 2012-04-28 04:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-07-12 11:43 - 2011-04-28 04:15 - 00393728 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys

2012-07-12 11:43 - 2011-04-28 04:15 - 00060416 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\BTHUSB.SYS

2012-07-12 11:42 - 2012-06-06 06:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-07-12 11:42 - 2012-06-06 06:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-07-12 11:42 - 2010-06-26 04:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

2012-07-12 11:39 - 2012-06-06 06:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-07-12 11:31 - 2012-06-12 03:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-07-12 11:31 - 2012-04-07 12:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll

2012-07-12 11:26 - 2012-05-01 05:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-07-12 11:26 - 2012-04-26 05:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-07-12 11:26 - 2012-04-26 05:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-07-12 11:26 - 2012-04-26 05:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-07-12 11:26 - 2010-02-11 08:10 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\browserchoice.exe

2012-07-12 11:25 - 2012-06-09 05:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-07-12 11:25 - 2012-04-24 05:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-07-12 11:25 - 2012-04-24 05:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-07-12 11:25 - 2012-04-24 05:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-07-12 11:24 - 2012-07-12 11:24 - 00000000 ____D C:\Users\administrator\AppData\Roaming\ATI

2012-07-12 11:24 - 2012-07-12 11:24 - 00000000 ____D C:\Users\administrator\AppData\Local\ATI

2012-07-12 11:02 - 2012-07-12 11:03 - 00000000 ____D C:\Program Files\iTunes

2012-07-12 11:02 - 2012-07-12 11:02 - 00000000 ____D C:\Program Files\iPod

2012-07-12 11:01 - 2012-07-12 11:01 - 00000000 ____D C:\Users\admin\AppData\Local\Apple Computer

2012-07-12 10:59 - 2012-07-12 10:59 - 00000000 ____D C:\Program Files\Bonjour

2012-07-12 10:54 - 2012-07-12 10:54 - 00000000 ____D C:\Users\admin\AppData\Local\Apple

2012-07-12 10:35 - 2012-07-12 10:35 - 00000000 ____D C:\Users\All Users\ATI

2012-07-12 10:35 - 2012-07-12 10:35 - 00000000 ____D C:\Users\admin\AppData\Roaming\ATI

2012-07-12 10:35 - 2012-07-12 10:35 - 00000000 ____D C:\Users\admin\AppData\Local\ATI

2012-07-12 10:33 - 2012-07-12 10:35 - 00000000 ____D C:\Program Files\ATI Technologies

2012-07-12 10:33 - 2012-07-12 10:33 - 00000000 ____D C:\Program Files\ATI

2012-07-12 10:32 - 2012-07-12 10:32 - 00000000 ____D C:\Program Files\ATI Video Driver and Control Panel

2012-07-12 10:31 - 2011-05-04 17:18 - 00266408 ____A (Intel Corporation) C:\Windows\System32\Drivers\e1k6232.sys

2012-07-12 10:31 - 2011-04-08 01:27 - 00078016 ____A (Intel Corporation) C:\Windows\System32\NicInstK.dll

2012-07-12 10:31 - 2011-04-08 01:14 - 00068264 ____A (Intel Corporation) C:\Windows\System32\e1kmsg.dll

2012-07-12 10:27 - 2012-07-12 10:27 - 00000000 ____D C:\Users\admin\AppData\Roaming\Macromedia

2012-07-12 10:27 - 2012-07-12 10:27 - 00000000 ____D C:\Users\admin\AppData\Roaming\Adobe

2012-07-12 10:17 - 2012-07-12 11:04 - 00000000 ____D C:\Users\admin\AppData\Local\TSVNCache

2012-07-12 10:17 - 2012-07-12 11:01 - 00000000 ____D C:\Users\admin\AppData\Roaming\Apple Computer

2012-07-12 10:17 - 2012-07-12 10:17 - 00000000 ____D C:\Users\admin\AppData\Roaming\Subversion

2012-07-12 10:10 - 2012-06-01 16:14 - 00000000 ____D C:\Users\Default\AppData\Roaming\Skype

2012-07-12 10:10 - 2012-06-01 16:14 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Skype

2012-07-12 10:10 - 2012-06-01 15:17 - 00000000 ____D C:\Users\Default\Documents\Visual Studio 2010

2012-07-12 10:10 - 2012-06-01 15:17 - 00000000 ____D C:\Users\Default User\Documents\Visual Studio 2010

2012-07-12 10:10 - 2012-06-01 14:29 - 00000000 ____D C:\Users\Default\Oracle

2012-07-12 10:10 - 2012-06-01 13:50 - 00000000 ____D C:\Users\Default\Documents\plsqldoc

2012-07-12 10:10 - 2012-06-01 13:50 - 00000000 ____D C:\Users\Default\AppData\Roaming\PLSQL Developer

2012-07-12 10:10 - 2012-06-01 13:50 - 00000000 ____D C:\Users\Default User\Documents\plsqldoc

2012-07-12 10:10 - 2012-06-01 13:50 - 00000000 ____D C:\Users\Default User\AppData\Roaming\PLSQL Developer

2012-07-12 10:10 - 2012-06-01 11:29 - 00000000 ____D C:\Users\Default\AppData\Roaming\Apple Computer

2012-07-12 10:10 - 2012-06-01 11:29 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Apple Computer

2012-07-12 10:10 - 2012-05-27 09:49 - 00000000 ____D C:\Users\Default\AppData\Roaming\ICAClient

2012-07-12 10:10 - 2012-05-27 09:49 - 00000000 ____D C:\Users\Default User\AppData\Roaming\ICAClient

2012-07-12 10:10 - 2012-05-27 09:48 - 00000000 ____D C:\Users\Default\Documents\2XPDFStore

2012-07-12 10:10 - 2012-05-27 09:48 - 00000000 ____D C:\Users\Default User\Documents\2XPDFStore

2012-07-12 10:10 - 2012-05-27 09:47 - 00000000 ____D C:\Users\Default\AppData\Roaming\2XClient

2012-07-12 10:10 - 2012-05-27 09:47 - 00000000 ____D C:\Users\Default User\AppData\Roaming\2XClient

2012-07-12 10:10 - 2012-05-27 09:42 - 00000000 ____D C:\Users\Default\AppData\Roaming\Adobe

2012-07-12 10:10 - 2012-05-27 09:42 - 00000000 ____D C:\Users\Default\AppData\Local\Adobe

2012-07-12 10:10 - 2012-05-27 09:42 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Adobe

2012-07-12 10:10 - 2012-05-27 09:42 - 00000000 ____D C:\Users\Default User\AppData\Local\Adobe

2012-07-12 10:10 - 2011-05-31 15:21 - 00000000 ____D C:\Users\Default\Documents\Visual Studio 2005

2012-07-12 10:10 - 2011-05-31 15:21 - 00000000 ____D C:\Users\Default User\Documents\Visual Studio 2005

2012-07-12 10:10 - 2011-05-31 15:03 - 00000000 ____D C:\Users\Default\Desktop\SVNCheckOut

2012-07-12 10:10 - 2011-05-31 15:03 - 00000000 ____D C:\Users\Default User\Desktop\SVNCheckOut

2012-07-12 10:10 - 2011-05-31 15:00 - 00000000 ____D C:\Users\Default\Documents\DevExpress

2012-07-12 10:10 - 2011-05-31 15:00 - 00000000 ____D C:\Users\Default User\Documents\DevExpress

2012-07-12 10:10 - 2011-05-31 14:54 - 00000000 ____D C:\Users\Default\AppData\Roaming\TortoiseSVN

2012-07-12 10:10 - 2011-05-31 14:54 - 00000000 ____D C:\Users\Default\AppData\Roaming\Subversion

2012-07-12 10:10 - 2011-05-31 14:54 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TortoiseSVN

2012-07-12 10:10 - 2011-05-31 14:54 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Subversion

2012-07-12 10:10 - 2011-05-31 14:46 - 00000000 ____D C:\Users\Default\AppData\Roaming\Scooter Software

2012-07-12 10:10 - 2011-05-31 14:46 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Scooter Software

2012-07-12 10:10 - 2011-05-31 14:37 - 00000000 ____D C:\Users\Default\AppData\Roaming\CodeRush for VS .NET

2012-07-12 10:10 - 2011-05-31 14:37 - 00000000 ____D C:\Users\Default User\AppData\Roaming\CodeRush for VS .NET

2012-07-12 10:10 - 2011-05-31 13:09 - 00000000 ____D C:\Users\Default\Documents\Visual Studio 2008

2012-07-12 10:10 - 2011-05-31 13:09 - 00000000 ____D C:\Users\Default User\Documents\Visual Studio 2008

2012-07-12 10:10 - 2011-05-31 13:05 - 00080664 ____A C:\Users\Default\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-12 10:10 - 2011-05-31 13:05 - 00080664 ____A C:\Users\Default User\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-12 10:10 - 2011-05-27 10:51 - 00000000 ____D C:\Users\Default\AppData\Roaming\Roxio Log Files

2012-07-12 10:10 - 2011-05-27 10:51 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Roxio Log Files

2012-07-12 10:10 - 2011-05-26 17:51 - 00000000 ____D C:\Users\Default\AppData\Roaming\hpqLog

2012-07-12 10:10 - 2011-05-26 17:51 - 00000000 ____D C:\Users\Default User\AppData\Roaming\hpqLog

2012-07-12 10:10 - 2011-05-26 17:44 - 00000000 ____D C:\Users\Default\Documents\Bluetooth Exchange Folder

2012-07-12 10:10 - 2011-05-26 17:44 - 00000000 ____D C:\Users\Default\AppData\Local\Broadcom

2012-07-12 10:10 - 2011-05-26 17:44 - 00000000 ____D C:\Users\Default User\Documents\Bluetooth Exchange Folder

2012-07-12 10:10 - 2011-05-26 17:44 - 00000000 ____D C:\Users\Default User\AppData\Local\Broadcom

2012-07-12 10:10 - 2011-05-20 17:27 - 00000000 ____D C:\Users\Default\AppData\Roaming\Mozilla

2012-07-12 10:10 - 2011-05-20 17:27 - 00000000 ____D C:\Users\Default\AppData\Local\Mozilla

2012-07-12 10:10 - 2011-05-20 17:27 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Mozilla

2012-07-12 10:10 - 2011-05-20 17:27 - 00000000 ____D C:\Users\Default User\AppData\Local\Mozilla

2012-07-12 10:10 - 2011-05-20 17:26 - 00000000 ____D C:\Users\Default\AppData\Roaming\ZipGenius

2012-07-12 10:10 - 2011-05-20 17:26 - 00000000 ____D C:\Users\Default User\AppData\Roaming\ZipGenius

2012-07-12 10:10 - 2011-05-20 16:51 - 00000000 ____D C:\Users\Default\AppData\Roaming\FileZilla

2012-07-12 10:10 - 2011-05-20 16:51 - 00000000 ____D C:\Users\Default User\AppData\Roaming\FileZilla

2012-07-12 10:10 - 2011-05-20 16:47 - 00000000 ____D C:\Users\Default\AppData\Local\Apple Computer

2012-07-12 10:10 - 2011-05-20 16:47 - 00000000 ____D C:\Users\Default User\AppData\Local\Apple Computer

2012-07-12 10:10 - 2011-05-20 16:45 - 00000000 ____D C:\Users\Default\AppData\Local\Apple

2012-07-12 10:10 - 2011-05-20 16:45 - 00000000 ____D C:\Users\Default User\AppData\Local\Apple

2012-07-12 10:10 - 2011-05-20 16:09 - 00000000 ____D C:\Users\Default\AppData\Roaming\InstallShield

2012-07-12 10:10 - 2011-05-20 16:09 - 00000000 ____D C:\Users\Default User\AppData\Roaming\InstallShield

2012-07-12 10:10 - 2011-05-20 16:06 - 00000678 _RASH C:\Users\Default\ntuser.pol

2012-07-12 10:10 - 2011-05-20 14:56 - 00000000 ____D C:\Users\Default\AppData\Local\Microsoft Help

2012-07-12 10:10 - 2011-05-20 14:56 - 00000000 ____D C:\Users\Default User\AppData\Local\Microsoft Help

2012-07-12 10:10 - 2011-05-20 14:54 - 00000000 ____A C:\Users\Default\AppData\Local\QSwitch.txt

2012-07-12 10:10 - 2011-05-20 14:54 - 00000000 ____A C:\Users\Default\AppData\Local\DSwitch.txt

2012-07-12 10:10 - 2011-05-20 14:54 - 00000000 ____A C:\Users\Default\AppData\Local\AtStart.txt

2012-07-12 10:10 - 2011-05-20 14:54 - 00000000 ____A C:\Users\Default User\AppData\Local\QSwitch.txt

2012-07-12 10:10 - 2011-05-20 14:54 - 00000000 ____A C:\Users\Default User\AppData\Local\DSwitch.txt

2012-07-12 10:10 - 2011-05-20 14:54 - 00000000 ____A C:\Users\Default User\AppData\Local\AtStart.txt

2012-07-12 10:10 - 2011-05-20 14:53 - 00000020 __ASH C:\Users\Default\ntuser.ini

2012-07-12 10:10 - 2008-07-30 13:01 - 00000762 ____A C:\Users\Default\Desktop\PilatMedia Applications.lnk

2012-07-12 10:10 - 2008-07-30 13:01 - 00000762 ____A C:\Users\Default User\Desktop\PilatMedia Applications.lnk

2012-07-12 10:07 - 2010-09-08 00:05 - 00531968 ____N (IDT, Inc.) C:\Windows\System32\stapi32.dll

2012-07-12 10:06 - 2012-06-02 23:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-07-12 10:06 - 2012-06-02 23:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-07-12 10:06 - 2012-06-02 23:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-07-12 10:06 - 2012-06-02 23:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-07-12 10:06 - 2012-06-02 23:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-07-12 10:06 - 2012-06-02 23:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-07-12 10:06 - 2012-06-02 23:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-07-12 10:06 - 2012-06-02 15:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-07-12 10:06 - 2012-06-02 15:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-07-12 10:05 - 2012-07-20 08:14 - 00868678 ____A C:\Windows\WindowsUpdate.log

2012-07-12 10:04 - 2010-09-08 00:05 - 12705884 ____A (IDT, Inc.) C:\Windows\System32\idtcpl.cpl

2012-07-12 10:04 - 2010-09-08 00:05 - 01953792 ____A (IDT, Inc.) C:\Windows\System32\stlang.dll

2012-07-12 10:04 - 2010-09-08 00:05 - 00495708 ____A (IDT, Inc.) C:\Windows\sttray.exe

2012-07-12 10:04 - 2010-01-26 00:28 - 00140288 ____A (Andrea Electronics Corporation) C:\Windows\System32\aestacap.dll

2012-07-12 10:04 - 2009-10-08 22:45 - 00380928 ____A (Andrea Electronics Corporation) C:\Windows\System32\aestecap.dll

2012-07-12 10:04 - 2009-03-01 23:47 - 00086016 ____A (Andrea Electronics Corporation) C:\Windows\System32\AESTCom.dll

2012-07-12 10:03 - 2012-07-12 10:03 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

============ 3 Months Modified Files ========================

2012-07-20 11:55 - 2012-06-01 18:05 - 03950685 ____A C:\Windows\setupact.log

2012-07-20 11:55 - 2009-07-14 05:34 - 00022416 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-07-20 11:55 - 2009-07-14 05:34 - 00022416 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-07-20 11:44 - 2011-05-20 14:45 - 00000136 ____A C:\Windows\System32\config\netlogon.ftl

2012-07-20 11:20 - 2012-07-17 12:22 - 00001698 ____A C:\Users\Public\Desktop\Pilatmedia Applications.lnk

2012-07-20 11:04 - 2011-05-20 16:16 - 00009013 ____A C:\Windows\cfgall.ini

2012-07-20 11:04 - 2011-05-20 16:15 - 00699732 ____A C:\Windows\System32\TmInstall.log

2012-07-20 08:14 - 2012-07-12 10:05 - 00868678 ____A C:\Windows\WindowsUpdate.log

2012-07-20 08:05 - 2012-07-20 08:05 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2012-07-20 08:02 - 2010-11-20 22:48 - 00203706 ____A C:\Windows\PFRO.log

2012-07-20 08:02 - 2009-07-14 05:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-07-19 14:11 - 2012-07-19 14:11 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\fkaren\Downloads\mbam-setup-1.62.0.1300.exe

2012-07-19 14:03 - 2012-07-19 14:03 - 00102400 ____A C:\Windows\RegBootClean.exe

2012-07-18 16:54 - 2012-07-12 15:55 - 00002006 ___AH C:\Users\fkaren\Documents\Default.rdp

2012-07-17 16:31 - 2012-07-17 16:30 - 00007248 ____A C:\Users\fkaren\Desktop\for current cr.txt

2012-07-17 12:22 - 2011-05-20 14:46 - 00024440 _RASH C:\Users\All Users\ntuser.pol

2012-07-15 13:43 - 2012-07-15 13:43 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-07-15 13:43 - 2011-05-20 16:16 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-07-15 13:01 - 2012-07-15 13:01 - 00000875 ____A C:\Users\Public\Desktop\Steam.lnk

2012-07-15 12:40 - 2010-11-20 22:01 - 00914848 ____A C:\Windows\System32\PerfStringBackup.INI

2012-07-13 08:23 - 2012-06-01 13:58 - 00002503 ____A C:\Users\Public\Desktop\Skype.lnk

2012-07-12 15:48 - 2012-07-12 15:48 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

2012-07-12 15:29 - 2012-07-12 15:29 - 00000020 ____A C:\Windows\Øú»

2012-07-12 12:00 - 2012-07-12 12:00 - 00015686 _RASH C:\Users\fkaren\ntuser.pol

2012-07-12 11:58 - 2009-07-14 05:33 - 00341464 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-12 11:46 - 2009-07-14 03:04 - 00000478 ____A C:\Windows\win.ini

2012-07-12 11:23 - 2011-05-20 14:53 - 00000678 _RASH C:\Users\administrator\ntuser.pol

2012-07-12 10:18 - 2011-05-20 14:27 - 00080664 ____A C:\Users\admin\AppData\Local\GDIPFONTCACHEV1.DAT

2012-07-12 10:10 - 2011-05-20 13:10 - 00003591 ____A C:\Windows\TSSysprep.log

2012-07-12 10:03 - 2012-07-12 10:03 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2012-07-12 09:59 - 2009-07-14 05:34 - 00003806 ____A C:\Windows\DtcInstall.log

2012-07-03 13:46 - 2012-07-19 14:11 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-03 03:13 - 2011-05-20 16:16 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-06-12 03:40 - 2012-07-12 11:31 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-09 05:41 - 2012-07-12 11:25 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-06 06:05 - 2012-07-12 11:42 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-06 06:05 - 2012-07-12 11:42 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-06 06:03 - 2012-07-12 11:39 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-02 23:19 - 2012-07-12 10:06 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 23:19 - 2012-07-12 10:06 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 23:19 - 2012-07-12 10:06 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 23:19 - 2012-07-12 10:06 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 23:19 - 2012-07-12 10:06 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 23:12 - 2012-07-12 10:06 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 23:12 - 2012-07-12 10:06 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 15:19 - 2012-07-12 10:06 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 15:12 - 2012-07-12 10:06 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 10:07 - 2012-07-12 11:55 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 09:43 - 2012-07-12 11:55 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 09:33 - 2012-07-12 11:55 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 09:26 - 2012-07-12 11:55 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 09:25 - 2012-07-12 11:55 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 09:25 - 2012-07-12 11:55 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 09:23 - 2012-07-12 11:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 09:21 - 2012-07-12 11:55 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 09:20 - 2012-07-12 11:55 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 09:19 - 2012-07-12 11:55 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 09:19 - 2012-07-12 11:55 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 09:17 - 2012-07-12 11:55 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 09:16 - 2012-07-12 11:55 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 09:14 - 2012-07-12 11:55 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-02 05:45 - 2012-07-12 11:43 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-02 05:45 - 2012-07-12 11:43 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-02 05:40 - 2012-07-12 11:43 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-02 05:40 - 2012-07-12 11:43 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-02 05:39 - 2012-07-12 11:43 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 18:05 - 2012-06-01 18:05 - 00000135 ____A C:\Windows\setuperr.log

2012-06-01 16:29 - 2012-06-01 16:28 - 00003249 ____A C:\Windows\IE9_main.log

2012-06-01 16:28 - 2012-06-01 16:28 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat

2012-06-01 16:28 - 2012-06-01 16:28 - 00580608 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00434176 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00367104 ____A (Microsoft Corporation) C:\Windows\System32\html.iec

2012-06-01 16:28 - 2012-06-01 16:28 - 00353792 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00353584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00227840 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00223232 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00203776 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00162304 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe

2012-06-01 16:28 - 2012-06-01 16:28 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe

2012-06-01 16:28 - 2012-06-01 16:28 - 00130560 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00123392 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00118784 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00101888 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00086528 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00078848 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe

2012-06-01 16:28 - 2012-06-01 16:28 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2012-06-01 16:28 - 2012-06-01 16:28 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2012-06-01 16:28 - 2012-06-01 16:28 - 00066048 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00063488 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx

2012-06-01 16:28 - 2012-06-01 16:28 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00035840 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll

2012-06-01 16:28 - 2012-06-01 16:28 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe

2012-06-01 16:28 - 2012-06-01 16:28 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

2012-06-01 14:48 - 2012-06-01 14:49 - 00772552 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll

2012-06-01 14:48 - 2012-06-01 14:49 - 00227784 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe

2012-06-01 14:48 - 2011-05-20 15:05 - 00687560 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll

2012-06-01 14:48 - 2011-05-20 15:05 - 00174024 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe

2012-06-01 14:48 - 2011-05-20 15:05 - 00174024 ____A (Oracle Corporation) C:\Windows\System32\java.exe

2012-06-01 13:50 - 2012-06-01 13:50 - 00001044 ____A C:\Users\Public\Desktop\PLSQL Developer.lnk

2012-06-01 13:48 - 2012-06-01 13:48 - 00001989 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk

2012-06-01 11:25 - 2012-06-01 11:25 - 00000997 ____A C:\Users\Public\Desktop\2X Client.lnk

2012-06-01 11:24 - 2012-06-01 11:24 - 00000021 ____A C:\tmuninst.ini

2012-05-31 12:25 - 2011-05-20 13:57 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2012-05-27 11:28 - 2012-05-27 11:28 - 00295056 ____A C:\Windows\msxml4-KB973688-enu.LOG

2012-05-27 11:28 - 2012-05-27 11:28 - 00292004 ____A C:\Windows\msxml4-KB954430-enu.LOG

2012-05-01 05:44 - 2012-07-12 11:26 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2012-04-28 04:17 - 2012-07-12 11:43 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-04-26 05:45 - 2012-07-12 11:26 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll

2012-04-26 05:45 - 2012-07-12 11:26 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll

2012-04-26 05:41 - 2012-07-12 11:26 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

2012-04-24 05:36 - 2012-07-12 11:25 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-04-24 05:36 - 2012-07-12 11:25 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-04-24 05:36 - 2012-07-12 11:25 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

ZeroAccess:

C:\Users\fkaren\AppData\Local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}

C:\Users\fkaren\AppData\Local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}\L

C:\Users\fkaren\AppData\Local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}\U

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 68%

Total physical RAM: 3055.43 MB

Available physical RAM: 966.53 MB

Total Pagefile: 6109.14 MB

Available Pagefile: 3436.64 MB

Total Virtual: 2047.88 MB

Available Virtual: 1937.69 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:295.99 GB) (Free:131.08 GB) NTFS

2 Drive d: (HP_TOOLS) (Fixed) (Total:2 GB) (Free:1.99 GB) FAT32

4 Drive f: () (Removable) (Total:7.39 GB) (Free:7.01 GB) FAT32

5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

6 Drive i: () (Removable) (Total:3.74 GB) (Free:3.6 GB) FAT32

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 7576 MB 0 B

Disk 2 Online 3836 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 101 MB 1024 KB

Partition 2 Primary 295 GB 102 MB

Partition 3 Primary 2049 MB 296 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 System Rese NTFS Partition 101 MB Healthy System (partition with boot components)

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C NTFS Partition 295 GB Healthy Boot

==================================================================================

Disk: 0

Partition 3

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 D HP_TOOLS FAT32 Partition 2049 MB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7576 MB 4096 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 F FAT32 Removable 7576 MB Healthy

==================================================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3827 MB 19 KB

==================================================================================

Disk: 2

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 I FAT32 Removable 3827 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-19 17:57

======================= End Of Log ==========================

You should be able to use RogueKiller to delete these:

¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\users\fkaren\appdata\local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\fkaren\appdata\local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}\L --> FOUND

OK, run RogueKiller again and click Scan

When the scan completes > click on the Files tab

Put a check next to all of these and uncheck the rest:

¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\users\fkaren\appdata\local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\fkaren\appdata\local\{85bc7388-a0ce-07e4-ee65-7d231391eba4}\L --> FOUND

Now click Delete in the right-hand column under Options

Reboot and.....

Rescan with RK and see if they're gone, MrC

Many thanks for all of your assistance so far.

Followed your instructions - the scan doesn't report those files anymore.

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User: fkaren [Admin rights]

Mode: Scan -- Date: 07/21/2012 20:20:45

¤¤¤ Bad processes: 3 ¤¤¤

[sUSP PATH] M4-Service.exe -- C:\Users\fkaren\AppData\Roaming\Mikogo 4\M4-Service.exe -> KILLED [TermProc]

[sUSP PATH] M4-Capture.exe -- C:\Users\fkaren\AppData\Roaming\Mikogo 4\M4-Capture.exe -> KILLED [TermProc]

[sUSP PATH] mikogo-host.exe -- C:\Users\fkaren\AppData\Roaming\Mikogo 4\mikogo-host.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 5 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : Mikogo ("C:\Users\fkaren\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-82467560-1874274038-1210191635-8295[...]\Run : Mikogo ("C:\Users\fkaren\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[70] : NtCreateKey @ 0x83408F22 -> HOOKED (Unknown @ 0x88D7AE04)

SSDT[74] : NtCreateMutant @ 0x8341828E -> HOOKED (Unknown @ 0x88D8236C)

SSDT[79] : NtCreateProcess @ 0x834E40CF -> HOOKED (Unknown @ 0x88D7A18C)

SSDT[80] : NtCreateProcessEx @ 0x834E411A -> HOOKED (Unknown @ 0x88D9871C)

SSDT[86] : NtCreateSymbolicLinkObject @ 0x834098ED -> HOOKED (Unknown @ 0x88D822EC)

SSDT[87] : NtCreateThread @ 0x834E3ED6 -> HOOKED (Unknown @ 0x88D824B4)

SSDT[88] : NtCreateThreadEx @ 0x8347834B -> HOOKED (Unknown @ 0x88D82474)

SSDT[93] : NtCreateUserProcess @ 0x8347627D -> HOOKED (Unknown @ 0x88D986DC)

SSDT[96] : NtDebugActiveProcess @ 0x834B5DB0 -> HOOKED (Unknown @ 0x88D8222C)

SSDT[103] : NtDeleteKey @ 0x833F3A03 -> HOOKED (Unknown @ 0x88D97ADC)

SSDT[106] : NtDeleteValueKey @ 0x833E541A -> HOOKED (Unknown @ 0x88D82B74)

SSDT[111] : NtDuplicateObject @ 0x8343965A -> HOOKED (Unknown @ 0x88D8226C)

SSDT[155] : NtLoadDriver @ 0x833CDBFC -> HOOKED (Unknown @ 0x88D823AC)

SSDT[190] : NtOpenProcess @ 0x83419AD4 -> HOOKED (Unknown @ 0x88D7661C)

SSDT[194] : NtOpenSection @ 0x8347189B -> HOOKED (Unknown @ 0x88D82B34)

SSDT[198] : NtOpenThread @ 0x83465F95 -> HOOKED (Unknown @ 0x88D82DC4)

SSDT[290] : NtRenameKey @ 0x834A3FCB -> HOOKED (Unknown @ 0x88D97A9C)

SSDT[302] : NtRestoreKey @ 0x83499B5C -> HOOKED (Unknown @ 0x88D97A5C)

SSDT[350] : NtSetSystemInformation @ 0x8345626C -> HOOKED (Unknown @ 0x88D8232C)

SSDT[358] : NtSetValueKey @ 0x8341251F -> HOOKED (Unknown @ 0x88D7ADC4)

SSDT[370] : NtTerminateProcess @ 0x83462BCD -> HOOKED (Unknown @ 0x88D765DC)

SSDT[371] : NtTerminateThread @ 0x83480584 -> HOOKED (Unknown @ 0x88D82E04)

SSDT[399] : NtWriteVirtualMemory @ 0x8346792A -> HOOKED (Unknown @ 0x88D824F4)

S_SSDT[584] : Unknown -> HOOKED (Unknown @ 0x875109F4)

S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x895E70A4)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BEKT-60V5T1 +++++

--- User ---

[MBR] 46516215b32f4ae42b4d263a8d405e0a

[bSP] 3fd1b2be7e9d69e23f667bbd80476610 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 101 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208896 | Size: 303093 Mo

2 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 620943360 | Size: 2049 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: Ricoh SD Disk Device +++++

--- User ---

[MBR] 26b25b821114bab4213b18998ca9c64a

[bSP] 647aad14e0a7039a89258c2bbcb060ee : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo

Error reading LL1 MBR!

Error reading LL2 MBR!

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

Get these ones too!

¤¤¤ Registry Entries: 5 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : Mikogo ("C:\Users\fkaren\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-82467560-1874274038-1210191635-8295[...]\Run : Mikogo ("C:\Users\fkaren\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND

MrC

Sorry, may I understand: is Mikogo generally not safe, or has it been infected? I know they report as suspicious, but we use Mikogo to webex on the fly at work. I don't want to stop Mikogo from working, but I do want my computer to be safe. Thanks.

I'm sorry...my mistake.

You can leave them.

-----------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
