
ZeroAccess.hi backdoor trojan



Hello and thank you for taking the time to read my post. I have been infected with several trojans and viruses, with the biggest being ZeroAccess.hi. My saga goes like this:

As soon as I noticed that my laptop was significantly slower than normal, I ran a full scan using the anti-virus program already installed on my system, McAfee AntiVirus Plus, and it found nothing. The next time I used my laptop I was redirected to sites I had not searched for or ever been to, so I ran Stinger. It reported the following:

C:\\Windows/Assembly\GAC_64\Desktop.ini

Found the ZeroAccess.hi trojan !!!

C:\\Windows\assembly\GAC_64\Desktop.ini is infected with the ZeroAccess.hi virus !!!

File could not be repaired.

Since it could not fix the problem and the same symptoms as mentioned before were still happening I ran Microsoft’s Safety Scanner and it reported the following:

Trojan:Win32/Medfos.B Partially removed

Trojan:Win32/Sirefef.AB Partially removed

Trojan:Win64/Sirefef.P Partially removed

Virus:Win64/Sirefef.A Partially removed

Trojan:JS/Medfos.B Partially removed

Exploit:Java/CVE-2012-1723.DIJ Removed

Exploit:Java/CVE-2012-1723.DIL Removed

Exploit:Java/CVE-2012-1723.DIP Removed

Trojan:Win32/Medfos.gen!A Removed

Trojan:Win32/Tracur.AV Removed

Because the results showed the items as only partially removed, I went ahead and downloaded RogueKiller, and it created the following report:

RogueKiller V8.3.1 [Dec 2 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 ) 64 bits version

Started in : Normal mode

User : Administrator [Admin rights]

Mode : Scan -- Date : 12/05/2012 02:34:01

¤¤¤ Bad processes : 4 ¤¤¤

[][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll -> KILLED [TermProc]

[][DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll -> KILLED [TermProc]

[sUSP PATH] GoogleCrashHandler.exe -- C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler.exe -> KILLED [TermProc]

[sUSP PATH] GoogleCrashHandler64.exe -- C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.123\GoogleCrashHandler64.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 22 ¤¤¤

[RUN][NOTFOUND] HKCU\[...]\Run : 3DVIA (rundll32.exe "C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll",svn_lock_createW) -> FOUND

[RUN][NOTFOUND] HKUS\.DEFAULT[...]\Run : 3DVIA (rundll32.exe "C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll",svn_lock_createW) -> FOUND

[RUN][NOTFOUND] HKUS\S-1-5-19[...]\Run : 3DVIA (rundll32.exe "C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll",svn_lock_createW) -> FOUND

[RUN][NOTFOUND] HKUS\S-1-5-20[...]\Run : 3DVIA (rundll32.exe "C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll",svn_lock_createW) -> FOUND

[RUN][NOTFOUND] HKUS\S-1-5-21-2170086169-1298789358-1058010604-500[...]\Run : 3DVIA (rundll32.exe "C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll",svn_lock_createW) -> FOUND

[RUN][NOTFOUND] HKUS\S-1-5-21-2170086169-1298789358-1058010604-500_Classes[...]\Run : 3DVIA (rundll32.exe "C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll",svn_lock_createW) -> FOUND

[RUN][NOTFOUND] HKUS\S-1-5-18[...]\Run : 3DVIA (rundll32.exe "C:\Users\Administrator\AppData\Local\Adobe\3DVIA\lqfzuebd.dll",svn_lock_createW) -> FOUND

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\Run : ShopAtHomeWatcher (C:\Users\Administrator\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe) -> FOUND

[TASK][RESIDUE] SpeedyPC Registration3.job : C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\Common Files\SpeedyPC Software\UUS3\UUS3.dll" RunUns -> FOUND

[TASK][RESIDUE] SpeedyPC Registration3 : C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\Common Files\SpeedyPC Software\UUS3\UUS3.dll" RunUns -> FOUND

[TASK][RESIDUE] ProgramDataUpdater : C:\Windows\System32\rundll32.exe aepdu.dll,AePduRunUpdate -> FOUND

[TASK][RESIDUE] Proxy : C:\Windows\System32\rundll32.exe /d acproxy.dll,PerformAutochkOperations -> FOUND

[TASK][RESIDUE] SR : C:\Windows\System32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation -> FOUND

[TASK][RESIDUE] IpAddressConflict1 : C:\Windows\System32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem -> FOUND

[TASK][RESIDUE] IpAddressConflict2 : C:\Windows\System32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{d39a077a-0fd1-8d59-16d6-4aea672bad8e}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{d39a077a-0fd1-8d59-16d6-4aea672bad8e}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVT-75ZCT2 +++++

--- User ---

[MBR] a9d24cc24af147429f92da9963e0c465

[bSP] 1db652dbc0982cf5e0dabd7b3d918a01 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223434 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_12052012_02d0234.txt >>


At that point my internet service, or the virus, wouldn’t let me back on RK’s site to continue the steps for cleaning this issue up. So then, after a little research, I found your website and followed your very easy steps. Your reports are as follows:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-12-2012

Ran by SYSTEM at 05-12-2012 08:15:48

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKU\Administrator\...\Run: [511B7BFA57FFDDA3237BCB20C97AD1AAFC91A731._service_run] "C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service [1242728 2012-11-27] (Google Inc.)

HKU\Lea\...\Run: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart [x]

HKU\Lea\...\Run: [Google Update] "C:\Users\Lea\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-12-31] (Google Inc.)

HKU\Lea\...\Run: [iSUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\11\ISUSPM.exe" -scheduler [210208 2008-09-26] (Acresso Corporation)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

Tcpip\..\Interfaces\{A84920BE-50D7-40C1-83C2-EA011B2C6CBA}: [NameServer]208.67.222.222,208.67.220.220

==================== Services (Whitelisted) ===================

3 AdvancedSystemCareService6; C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [1026432 2012-10-12] (IObit)

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation)

2 AffinegyService; "C:\Program Files (x86)\TWC\DigiDo\AffinegyService.exe" [580464 2011-10-17] (Affinegy, Inc.)

2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-05-31] (Microsoft Corporation)

2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)

2 iprip; C:\Windows\System32\iprip.dll [35328 2009-07-13] (Microsoft Corporation)

2 LPDSVC; C:\Windows\System32\lpdsvc.dll [45568 2009-07-13] (Microsoft Corporation)

2 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe" [237008 2011-06-17] (McAfee, Inc.)

2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [383608 2012-09-10] (McAfee, Inc.)

2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)

2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [237920 2012-07-17] (McAfee, Inc.)

2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [218320 2012-07-17] (McAfee, Inc.)

2 mfevtp; "C:\Windows\system32\mfevtps.exe" [177144 2012-06-22] (McAfee, Inc.)

2 MSMQ; C:\Windows\System32\mqsvc.exe [9216 2009-07-13] (Microsoft Corporation)

2 MSMQTriggers; C:\Windows\System32\mqtgsvc.exe [189440 2010-11-20] (Microsoft Corporation)

2 simptcp; C:\Windows\SysWow64\tcpsvcs.exe [9216 2009-07-13] (Microsoft Corporation)

2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-20] (Microsoft Corporation)

2 SNMP; C:\Windows\SysWow64\snmp.exe [47616 2010-11-20] (Microsoft Corporation)

2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\STacSV64.exe [244736 2010-02-26] (IDT, Inc.)

2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)

2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)

3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)

2 AbsoluteNotifier; "C:\Program Files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifierService.exe" [x]

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [x]

3 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [x]

3 CACLEARWIRE; "C:\Program Files (x86)\Connection Manager\ConAppsSvc.exe" /n "CACLEARWIRE" [x]

3 CLEARWIRERcAppSvc; "C:\Program Files (x86)\Connection Manager\RcAppSvc.exe" /n "CLEARWIRERcAppSvc" [x]

2 fsssvc; "C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe" [x]

3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [x]

3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [x]

3 IHA_MessageCenter; "C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [x]

2 McciCMService; "C:\Program Files (x86)\Common Files\Motive\McciCMService.exe" [x]

2 McciCMService64; "C:\Program Files\Common Files\Motive\McciCMService.exe" [x]

4 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\SymcPCCULaunchSvc.exe /s [x]

2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\diMaster.dll" /prefetch:1 [x]

2 RapportMgmtService; "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe" [x]

2 ServicepointService; "C:\Program Files (x86)\Verizon\VSP\ServicepointService.exe" [x]

2 wlidsvc; "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE" [x]

==================== Drivers (Whitelisted) =====================

3 bcm; C:\Windows\System32\DRIVERS\drxvi314_64.sys [389664 2011-06-07] (Beceem communications pvt ltd.)

3 bcmbusctr; C:\Windows\System32\DRIVERS\BcmBusCtr_64.sys [67360 2011-06-07] (Beceem communications pvt ltd.)

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [69672 2012-07-17] (McAfee, Inc.)

3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [169320 2012-06-22] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [300392 2012-07-17] (McAfee, Inc.)

3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [513456 2012-07-17] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [752672 2012-06-22] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [106112 2012-07-17] (McAfee, Inc.)

0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [335784 2012-06-22] (McAfee, Inc.)

3 MQAC; C:\Windows\System32\Drivers\MQAC.sys [189440 2009-07-13] (Microsoft Corporation)

0 pavboot; C:\Windows\System32\drivers\pavboot64.sys [33800 2009-06-30] (Panda Security, S.L.)

3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()

3 fssfltr; C:\Windows\System32\DRIVERS\fssfltr.sys [x]

3 GEARAspiWDM; C:\Windows\System32\DRIVERS\GEARAspiWDM.sys [x]

3 mfeavfk01; [x]

1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [x]

3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [x]

3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [x]

3 PcdrNdisuio; C:\Windows\SysWow64\drivers\pcdrndisuio.sys [x]

3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [x]

1 plazqzva; \??\C:\Windows\system32\drivers\plazqzva.sys [x]

1 RapportEI64; \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [x]

0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [x]

1 RapportPG64; \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [x]

3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]

3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [x]

3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-05 06:28 - 2012-12-05 06:28 - 00005166 ____A C:\Users\Administrator\Desktop\RKreport[3]_D_12052012_02d0628.txt

2012-12-05 05:52 - 2012-12-05 05:52 - 00005471 ____A C:\Users\Administrator\Desktop\RKreport[2]_S_12052012_02d0552.txt

2012-12-05 05:38 - 2012-12-05 05:38 - 00001034 ____A C:\Users\Administrator\Desktop\Install RogueKiller.lnk

2012-12-05 05:37 - 2012-12-05 05:37 - 00731136 ____A C:\Users\Administrator\Downloads\RogueKiller.exe

2012-12-05 05:31 - 2012-12-05 05:31 - 00000276 ____A C:\Users\Administrator\Downloads\A238.tmp

2012-12-05 02:46 - 2012-12-05 02:46 - 00347424 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\MicrosoftFixit.IEPerformance.FISC.132278131319619975.1.2.Run.exe

2012-12-05 02:42 - 2012-12-05 02:42 - 00347424 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\MicrosoftFixit.AudioPlayback.FISC.132278131319619975.1.1.Run.exe

2012-12-05 02:34 - 2012-12-05 02:34 - 00004761 ____A C:\Users\Administrator\Desktop\RKreport[1]_S_12052012_02d0234.txt

2012-12-05 02:08 - 2012-12-05 06:28 - 00000000 ____D C:\Users\Administrator\Desktop\RK_Quarantine

2012-12-04 01:52 - 2012-12-04 01:59 - 00000000 ____D C:\Windows\System32\MpEngineStore

2012-12-03 14:36 - 2012-12-03 14:47 - 00000000 ___RD C:\Users\Administrator\Desktop\Frequently used doc's

2012-12-01 15:08 - 2012-12-04 01:59 - 00000000 ___RD C:\Users\Administrator\Desktop\Print Screen files

2012-12-01 15:01 - 2012-12-02 04:27 - 00000041 ___RH C:\Program Files\stinger.opt

2012-12-01 13:37 - 2012-12-01 13:37 - 00000795 ____A C:\Program Files\stinger.txt

2012-12-01 13:22 - 2012-12-02 04:27 - 00000000 ____D C:\Program Files (x86)\stinger

2012-12-01 13:22 - 2012-12-01 13:22 - 10531944 ____A (McAfee Inc.) C:\Program Files\stinger.exe

2012-11-29 13:21 - 2012-11-29 13:21 - 13529576 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\mseinstall (3).exe

2012-11-29 06:47 - 2012-11-29 06:47 - 00347424 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\MicrosoftFixit.wu.FISC.134277627196787060.1.1.Run.exe

2012-11-29 06:41 - 2012-11-29 06:41 - 00347424 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\MicrosoftFixit.WinUSB.RNP.134277627196787060.2.1.Run.exe

2012-11-29 06:13 - 2012-11-29 06:13 - 00008221 ____A C:\Windows\System32\Internet connection log.log

2012-11-28 15:49 - 2012-12-03 18:06 - 00000000 ____D C:\Users\Administrator\AppData\Local\Conduit

2012-11-28 15:49 - 2012-11-28 15:49 - 00000009 ____A C:\END

2012-11-28 15:49 - 2012-11-28 15:49 - 00000000 ____D C:\Program Files (x86)\Conduit

2012-11-28 15:48 - 2012-11-28 15:48 - 00000000 ____D C:\Program Files (x86)\UnfriendApp

2012-11-26 22:56 - 2012-12-03 21:11 - 00006510 ____A C:\Users\Administrator\AppData\Local\1d727b45-8ce6-46d5-b56f-ede1723e1a29.crx

2012-11-26 22:55 - 2012-11-26 22:55 - 00000000 ____D C:\Windows\Sun

2012-11-26 21:56 - 2012-11-26 21:56 - 77934592 ____A C:\Windows\System32\config\SOFTWARE.iobit

2012-11-26 21:56 - 2012-11-26 21:56 - 22532096 ____A C:\Windows\System32\config\SYSTEM.iobit

2012-11-26 21:56 - 2012-11-26 21:56 - 00180224 ____A C:\Windows\System32\config\DEFAULT.iobit

2012-11-26 21:56 - 2012-11-26 21:56 - 00167936 ____A C:\Windows\System32\config\SAM.iobit

2012-11-26 21:56 - 2012-11-26 21:56 - 00028672 ____A C:\Windows\System32\config\SECURITY.iobit

2012-11-25 14:45 - 2012-11-25 14:45 - 00000020 __ASH C:\Users\Lea_2\ntuser.ini

2012-11-25 14:45 - 2012-11-25 14:45 - 00000000 ____D C:\Users\Lea_2\AppData\Roaming\Real

2012-11-25 14:45 - 2012-11-25 14:45 - 00000000 ____D C:\Users\Lea_2\AppData\Local\VirtualStore

2012-11-25 14:45 - 2012-11-25 14:45 - 00000000 ____D C:\users\Lea_2

2012-11-25 14:45 - 2011-11-16 00:01 - 00000000 ____D C:\Users\Lea_2\AppData\Roaming\Mozilla

2012-11-25 14:45 - 2011-10-14 02:01 - 00000000 ____D C:\Users\Lea_2\AppData\Local\Microsoft Help

2012-11-21 20:38 - 2012-11-21 20:38 - 00001112 ____A C:\Users\Administrator\Desktop\Windows Update Troubleshooting Info.lnk

2012-11-21 20:37 - 2012-11-21 20:37 - 00079686 ____A C:\Users\Administrator\Downloads\windowsupdate.diagcab

2012-11-21 09:03 - 2012-11-21 09:03 - 00000443 ____A C:\Users\Administrator\Desktop\Administrative Tools.lnk

2012-11-20 15:06 - 2012-11-20 15:08 - 08519423 ____A C:\Users\Administrator\Desktop\Nutrition book

2012-11-20 14:00 - 2012-11-20 14:00 - 00001042 ____A C:\Users\Public\Desktop\RealPlayer.lnk

2012-11-20 13:59 - 2012-11-20 13:59 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll

2012-11-19 20:49 - 2012-11-25 00:54 - 00000000 ____D C:\Users\Administrator\AppData\Local\Smartbar

2012-11-19 20:42 - 2012-11-19 20:48 - 00000964 ____A C:\Users\Public\Desktop\7-zip.lnk

2012-11-19 20:42 - 2012-11-19 20:42 - 00000000 ____D C:\Program Files (x86)\7-zip

2012-11-16 07:47 - 2012-11-16 07:47 - 00001796 ____A C:\Users\Administrator\Desktop\DellTPad.exe.lnk

2012-11-15 15:57 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys

2012-11-15 15:57 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys

2012-11-15 15:57 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll

2012-11-15 15:57 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf

2012-11-15 15:48 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-11-15 15:48 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-11-15 15:48 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-11-15 15:48 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-11-15 15:48 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-11-15 15:48 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-11-15 15:48 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-11-15 15:48 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-11-15 15:48 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-11-15 15:48 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-11-15 15:48 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-11-15 15:48 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-11-15 15:48 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-11-15 15:48 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-11-15 15:48 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-11-15 15:48 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-11-15 15:48 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-11-15 15:48 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-11-15 15:48 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-11-15 15:48 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-11-15 15:48 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-11-15 15:48 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-11-15 15:48 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-11-15 15:48 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-11-15 15:48 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-11-15 15:48 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-11-15 15:48 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-11-15 15:48 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-11-15 15:48 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-11-15 15:48 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-11-15 15:48 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-11-15 15:48 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-11-15 15:43 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll

2012-11-15 15:43 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe

2012-11-15 15:43 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll

2012-11-15 15:43 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll

2012-11-15 15:43 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll

2012-11-15 15:43 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys

2012-11-15 15:43 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys

2012-11-15 15:43 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

2012-11-15 13:49 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll

2012-11-15 13:49 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll

2012-11-15 13:49 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll

2012-11-15 13:49 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll

2012-11-15 13:48 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-11-15 13:48 - 2012-10-03 09:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-11-15 13:48 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll

2012-11-15 13:48 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll

2012-11-15 13:48 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll

2012-11-15 13:48 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll

2012-11-15 13:48 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll

2012-11-15 13:48 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll

2012-11-15 13:48 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll

2012-11-15 13:48 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll

2012-11-15 13:48 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll

2012-11-15 13:48 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

2012-11-15 13:48 - 2012-05-31 21:39 - 00014848 ____A (Microsoft Corporation) C:\Windows\System32\wamregps.dll

2012-11-15 13:48 - 2012-05-31 21:36 - 00192000 ____A (Microsoft Corporation) C:\Windows\System32\iisRtl.dll

2012-11-15 13:48 - 2012-05-31 21:36 - 00011264 ____A (Microsoft Corporation) C:\Windows\System32\iisrstap.dll

2012-11-15 13:48 - 2012-05-31 21:35 - 00060928 ____A (Microsoft Corporation) C:\Windows\System32\ahadmin.dll

2012-11-15 13:48 - 2012-05-31 21:34 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\admwprox.dll

2012-11-15 13:48 - 2012-05-31 21:33 - 00016896 ____A (Microsoft Corporation) C:\Windows\System32\iisreset.exe

2012-11-15 13:48 - 2012-05-31 20:40 - 00010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wamregps.dll

2012-11-15 13:48 - 2012-05-31 20:37 - 00154624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iisRtl.dll

2012-11-15 13:48 - 2012-05-31 20:37 - 00008192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iisrstap.dll

2012-11-15 13:48 - 2012-05-31 20:35 - 00050688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\admwprox.dll

2012-11-15 13:48 - 2012-05-31 20:35 - 00026624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ahadmin.dll

2012-11-15 13:48 - 2012-05-31 20:34 - 00015360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iisreset.exe

2012-11-15 13:48 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

2012-11-15 13:47 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll

2012-11-15 13:47 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll

2012-11-14 03:25 - 2012-11-15 04:04 - 00000000 ___RD C:\Program Files (x86)\Skype

==================== One Month Modified Files and Folders =======

2012-12-05 08:15 - 2012-12-05 08:15 - 00000000 ____D C:\FRST

2012-12-05 07:55 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-05 07:55 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-05 07:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv

2012-12-05 07:53 - 2012-10-20 04:16 - 00069502 ____A C:\Windows\setupact.log

2012-12-05 07:53 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-05 07:51 - 2011-10-08 01:55 - 01298148 ____A C:\Windows\WindowsUpdate.log

2012-12-05 07:48 - 2009-07-13 21:13 - 00891890 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-05 07:41 - 2011-10-21 00:36 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-12-05 06:51 - 2011-10-21 00:36 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-12-05 06:28 - 2012-12-05 06:28 - 00005166 ____A C:\Users\Administrator\Desktop\RKreport[3]_D_12052012_02d0628.txt

2012-12-05 06:28 - 2012-12-05 02:08 - 00000000 ____D C:\Users\Administrator\Desktop\RK_Quarantine

2012-12-05 06:19 - 2011-11-23 06:10 - 00000000 ____D C:\Users\Administrator\Documents\System

2012-12-05 05:52 - 2012-12-05 05:52 - 00005471 ____A C:\Users\Administrator\Desktop\RKreport[2]_S_12052012_02d0552.txt

2012-12-05 05:38 - 2012-12-05 05:38 - 00001034 ____A C:\Users\Administrator\Desktop\Install RogueKiller.lnk

2012-12-05 05:37 - 2012-12-05 05:37 - 00731136 ____A C:\Users\Administrator\Downloads\RogueKiller.exe

2012-12-05 05:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Resources

2012-12-05 05:31 - 2012-12-05 05:31 - 00000276 ____A C:\Users\Administrator\Downloads\A238.tmp

2012-12-05 05:28 - 2012-01-20 19:35 - 00000000 ____D C:\Users\Administrator\Documents\Shopping

2012-12-05 03:50 - 2011-12-13 18:29 - 00000480 ____A C:\Windows\Tasks\SpeedyPC Update Version3.job

2012-12-05 02:46 - 2012-12-05 02:46 - 00347424 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\MicrosoftFixit.IEPerformance.FISC.132278131319619975.1.2.Run.exe

2012-12-05 02:42 - 2012-12-05 02:42 - 00347424 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\MicrosoftFixit.AudioPlayback.FISC.132278131319619975.1.1.Run.exe

2012-12-05 02:34 - 2012-12-05 02:34 - 00004761 ____A C:\Users\Administrator\Desktop\RKreport[1]_S_12052012_02d0234.txt

2012-12-04 23:48 - 2012-11-03 13:42 - 00008698 ____A C:\Users\Administrator\Documents\Measurements.xlsx

2012-12-04 18:00 - 2011-12-13 18:29 - 00000508 ____A C:\Windows\Tasks\SpeedyPC Registration3.job

2012-12-04 14:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2012-12-04 01:59 - 2012-12-04 01:52 - 00000000 ____D C:\Windows\System32\MpEngineStore

2012-12-04 01:59 - 2012-12-01 15:08 - 00000000 ___RD C:\Users\Administrator\Desktop\Print Screen files

2012-12-04 01:52 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe

2012-12-03 21:14 - 2011-12-05 21:56 - 00254222 ____A C:\Windows\PFRO.log

2012-12-03 21:11 - 2012-11-26 22:56 - 00006510 ____A C:\Users\Administrator\AppData\Local\1d727b45-8ce6-46d5-b56f-ede1723e1a29.crx

2012-12-03 18:06 - 2012-11-28 15:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Conduit

2012-12-03 14:47 - 2012-12-03 14:36 - 00000000 ___RD C:\Users\Administrator\Desktop\Frequently used doc's

2012-12-03 14:39 - 2012-09-29 06:21 - 00000000 ___RD C:\Users\Administrator\Desktop\Misc. Desktop Doc's

2012-12-03 14:31 - 2011-10-22 10:57 - 00000000 ____D C:\users\Administrator

2012-12-03 13:52 - 2012-06-29 12:18 - 00000454 ____A C:\Windows\Tasks\PC Optimizer Pro Updates.job

2012-12-02 04:27 - 2012-12-01 15:01 - 00000041 ___RH C:\Program Files\stinger.opt

2012-12-02 04:27 - 2012-12-01 13:22 - 00000000 ____D C:\Program Files (x86)\stinger

2012-12-01 13:37 - 2012-12-01 13:37 - 00000795 ____A C:\Program Files\stinger.txt

2012-12-01 13:22 - 2012-12-01 13:22 - 10531944 ____A (McAfee Inc.) C:\Program Files\stinger.exe

2012-12-01 02:44 - 2011-12-24 13:37 - 00000000 ____D C:\Users\Administrator\Documents\Finances

2012-11-30 10:11 - 2012-04-21 20:44 - 00000000 ____D C:\Users\Administrator\Documents\Gardening

2012-11-29 22:10 - 2011-12-07 11:01 - 00000000 ____D C:\Users\Administrator\AppData\Local\Adobe

2012-11-29 13:33 - 2012-01-27 08:45 - 00000000 ____D C:\Windows\pss

2012-11-29 13:21 - 2012-11-29 13:21 - 13529576 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\mseinstall (3).exe

2012-11-29 08:01 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2012-11-29 06:47 - 2012-11-29 06:47 - 00347424 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\MicrosoftFixit.wu.FISC.134277627196787060.1.1.Run.exe

2012-11-29 06:41 - 2012-11-29 06:41 - 00347424 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\MicrosoftFixit.WinUSB.RNP.134277627196787060.2.1.Run.exe

2012-11-29 06:13 - 2012-11-29 06:13 - 00008221 ____A C:\Windows\System32\Internet connection log.log

2012-11-28 15:49 - 2012-11-28 15:49 - 00000009 ____A C:\END

2012-11-28 15:49 - 2012-11-28 15:49 - 00000000 ____D C:\Program Files (x86)\Conduit

2012-11-28 15:48 - 2012-11-28 15:48 - 00000000 ____D C:\Program Files (x86)\UnfriendApp

2012-11-27 22:31 - 2012-08-24 11:55 - 00000000 ____D C:\Program Files\Common Files\McAfee

2012-11-27 22:04 - 2011-10-08 14:58 - 00000000 ____D C:\Users\All Users\McAfee

2012-11-27 17:34 - 2011-12-24 13:38 - 00000000 ____D C:\Users\Administrator\Documents\Tools

2012-11-27 15:20 - 2011-12-24 13:37 - 00000000 ____D C:\Users\Administrator\Documents\House

2012-11-26 22:55 - 2012-11-26 22:55 - 00000000 ____D C:\Windows\Sun

2012-11-26 21:56 - 2012-11-26 21:56 - 77934592 ____A C:\Windows\System32\config\SOFTWARE.iobit

2012-11-26 21:56 - 2012-11-26 21:56 - 22532096 ____A C:\Windows\System32\config\SYSTEM.iobit

2012-11-26 21:56 - 2012-11-26 21:56 - 00180224 ____A C:\Windows\System32\config\DEFAULT.iobit

2012-11-26 21:56 - 2012-11-26 21:56 - 00167936 ____A C:\Windows\System32\config\SAM.iobit

2012-11-26 21:56 - 2012-11-26 21:56 - 00028672 ____A C:\Windows\System32\config\SECURITY.iobit

2012-11-25 15:32 - 2011-10-27 08:28 - 00000000 ____D C:\Users\Lea\AppData\Local\Deployment

2012-11-25 15:28 - 2011-10-08 15:51 - 00068328 ____A C:\Users\Lea\AppData\Local\GDIPFONTCACHEV1.DAT

2012-11-25 14:52 - 2011-11-16 00:01 - 00000000 ____D C:\Users\Lea\AppData\Roaming\Mozilla

2012-11-25 14:51 - 2011-12-31 14:08 - 00002624 ____A C:\Users\Lea\Desktop\Google Chrome.lnk

2012-11-25 14:49 - 2011-12-24 13:37 - 00000000 ____D C:\Users\Administrator\Documents\Lida

2012-11-25 14:45 - 2012-11-25 14:45 - 00000020 __ASH C:\Users\Lea_2\ntuser.ini

2012-11-25 14:45 - 2012-11-25 14:45 - 00000000 ____D C:\Users\Lea_2\AppData\Roaming\Real

2012-11-25 14:45 - 2012-11-25 14:45 - 00000000 ____D C:\Users\Lea_2\AppData\Local\VirtualStore

2012-11-25 14:45 - 2012-11-25 14:45 - 00000000 ____D C:\users\Lea_2

2012-11-25 14:43 - 2011-10-27 20:56 - 00000000 ____D C:\Program Files (x86)\Adobe

2012-11-25 14:33 - 2011-10-22 11:10 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe

2012-11-25 04:30 - 2011-10-22 15:26 - 00007627 ____A C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg

2012-11-25 00:54 - 2012-11-19 20:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Smartbar

2012-11-25 00:46 - 2012-06-29 12:07 - 00000000 ____D C:\Program Files (x86)\Shop To Win

2012-11-24 14:20 - 2011-10-08 02:20 - 00000000 ____D C:\users\Lea

2012-11-21 20:38 - 2012-11-21 20:38 - 00001112 ____A C:\Users\Administrator\Desktop\Windows Update Troubleshooting Info.lnk

2012-11-21 20:37 - 2012-11-21 20:37 - 00079686 ____A C:\Users\Administrator\Downloads\windowsupdate.diagcab

2012-11-21 09:03 - 2012-11-21 09:03 - 00000443 ____A C:\Users\Administrator\Desktop\Administrative Tools.lnk

2012-11-20 15:08 - 2012-11-20 15:06 - 08519423 ____A C:\Users\Administrator\Desktop\Nutrition book

2012-11-20 14:01 - 2012-01-09 02:08 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Real

2012-11-20 14:00 - 2012-11-20 14:00 - 00001042 ____A C:\Users\Public\Desktop\RealPlayer.lnk

2012-11-20 14:00 - 2012-01-09 02:08 - 00000000 ____D C:\Users\All Users\Real

2012-11-20 14:00 - 2012-01-09 02:08 - 00000000 ____D C:\Program Files (x86)\Real

2012-11-20 13:59 - 2012-11-20 13:59 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll

2012-11-20 13:59 - 2012-11-20 13:59 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll

2012-11-19 20:48 - 2012-11-19 20:42 - 00000964 ____A C:\Users\Public\Desktop\7-zip.lnk

2012-11-19 20:42 - 2012-11-19 20:42 - 00000000 ____D C:\Program Files (x86)\7-zip

2012-11-19 05:06 - 2011-12-24 13:37 - 00000000 ____D C:\Users\Administrator\Documents\Labels

2012-11-19 03:36 - 2011-10-08 07:03 - 00000514 ____A C:\Windows\BRWMARK.INI

2012-11-17 02:32 - 2012-10-20 19:31 - 00000000 ____D C:\Users\Administrator\Documents\Entertainment

2012-11-16 07:47 - 2012-11-16 07:47 - 00001796 ____A C:\Users\Administrator\Desktop\DellTPad.exe.lnk

2012-11-16 02:30 - 2012-08-23 12:25 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar

2012-11-16 02:30 - 2011-10-12 17:42 - 00000000 ____D C:\Program Files (x86)\Dell

2012-11-16 02:30 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar

2012-11-16 02:30 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2012-11-16 02:21 - 2011-12-24 13:37 - 00000000 ____D C:\Users\Administrator\Documents\References, manuals & notes

2012-11-16 02:09 - 2011-12-20 16:40 - 00000000 ____D C:\Program Files\Friegers Open With-Enhanced

2012-11-15 23:44 - 2011-10-23 01:50 - 00068328 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

2012-11-15 17:26 - 2011-12-13 22:43 - 00096235 ____A C:\Windows\iis7.log

2012-11-15 17:24 - 2009-07-13 20:45 - 00309624 ____A C:\Windows\System32\FNTCACHE.DAT

2012-11-15 17:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv

2012-11-15 15:57 - 2011-10-13 07:39 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-11-15 15:44 - 2011-10-08 10:21 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-11-15 07:24 - 2012-08-16 08:36 - 00000000 ____D C:\Users\Guest\.gcompris

2012-11-15 07:24 - 2012-07-24 10:01 - 00000000 ____D C:\Users\Administrator\.gcompris

2012-11-15 07:24 - 2012-01-17 02:48 - 00000000 ____D C:\Program Files\SetPoint

2012-11-15 07:24 - 2011-12-03 03:10 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\uTorrent

2012-11-15 04:53 - 2012-01-12 01:04 - 00000000 ____D C:\Program Files (x86)\AllDupPortable

2012-11-15 04:04 - 2012-11-14 03:25 - 00000000 ___RD C:\Program Files (x86)\Skype

2012-11-15 04:04 - 2011-12-21 04:51 - 00000000 ____D C:\Users\All Users\Skype

2012-11-15 04:03 - 2011-12-22 12:55 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Skype

2012-11-08 22:17 - 2011-10-27 20:56 - 00000000 ____D C:\Users\All Users\Adobe

2012-11-08 22:16 - 2012-07-21 14:56 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-11-08 22:16 - 2011-10-08 14:50 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-04 05:38:37

Restore point made on: 2012-12-05 06:11:31

==================== Memory info ===========================

Percentage of memory in use: 26%

Total physical RAM: 3032.36 MB

Available physical RAM: 2221.9 MB

Total Pagefile: 3030.51 MB

Available Pagefile: 2204.84 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS Sys) (Fixed) (Total:218.2 GB) (Free:148.63 GB) NTFS

4 Drive g: (KINGSTON) (Removable) (Total:7.47 GB) (Free:7.32 GB) NTFS

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

7 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:3.12 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 Online 7650 MB 0 B

Disk 3 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 218 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS Sys NTFS Partition 218 GB Healthy

=========================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7646 MB 4032 KB

==================================================================================

Disk: 2

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G KINGSTON NTFS Removable 7646 MB Healthy

=========================================================

Last Boot: 2012-12-05 05:07

==================== End Of Log =============================

Please tell me what I can do to remedy this situation. I have spent days on this; my life is buried under printouts, my house and housework have been completely neglected and it shows, I am almost bald now and I have crow's feet. Please advise. Thank you!


Hello Leaofhb and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please follow the instructions here and post the log files in your next reply:

http://forums.malwarebytes.org/index.php?showtopic=9573


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

