
Trojan Infections - DDS.TXT Failed



Good Evening,

I recently discovered that I had far more than a simple virus. I have multiple Trojans showing on my computer. I thought I had contained it with AVG and Malwarebytes, but when I rebooted it seemed to activate the sleeping beast and escalate it.

I did click the DDS.COM link and downloaded the program to my desktop but unfortunately I've tried three times now letting the program run for over an hour each time and the program just remains at please wait. I'm assuming one of the trojans I have is blocking the program.

Any advice to move forward would be great! I really hope you can help and point me in the right direction to produce a log and clean this horrible issue up.

Thank you.


  • Staff

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.


So sorry that took so long, here is the report:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012

Ran by SYSTEM at 15-12-2012 19:06:28

Running from G:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [609144 2011-04-12] (Alps Electric Co., Ltd.)

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3666800 2011-01-21] (Dell Inc.)

HKLM\...\Run: [intelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()

HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2010-12-17] (Intel® Corporation)

HKLM\...\Run: [bTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10228224 2010-11-03] (Intel Corporation)

HKLM\...\Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe" [765952 2010-04-01] ()

HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe" [135168 2009-06-22] ()

HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [207845 2011-05-30] ()

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [487562 2010-08-19] (Creative Technology Ltd)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-02-04] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)

HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()

HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35768 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [2825741 2011-05-30] ()

HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [273528 2011-08-24] (RealNetworks, Inc.)

HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)

HKLM-x32\...\Run: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1443080 2010-09-27] (Intuit Inc. All rights reserved.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3143800 2012-11-06] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [997320 2012-12-04] ()

HKLM-x32\...\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [1020512 2012-12-03] ()

HKU\Josh\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)

HKU\Josh\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1354736 2012-12-03] (Valve Corporation)

HKU\Josh\...\Run: [ares] "C:\Program Files (x86)\Ares\Ares.exe" -h [x]

HKU\Josh\...\Run: [Google Update] "C:\Users\Josh\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-05-25] (Google Inc.)

HKU\Josh\...\Run: [iCQ] "C:\Program Files (x86)\ICQ7.7\ICQ.exe" silent loginmode=4 [127040 2012-01-23] (ICQ, LLC.)

HKU\Josh\...\Run: [Facebook Update] "C:\Users\Josh\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-10-23] (Facebook Inc.)

HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-13] (Dell)

HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk

ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk

ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE (Intuit Inc.)

Startup: C:\Users\Josh\Start Menu\Programs\Startup\MagicDisc.lnk

ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814392 2012-11-06] (AVG Technologies CZ, s.r.o.)

2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)

2 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [40448 2010-04-01] ()

2 dlea_device; C:\Windows\system32\dleacoms.exe -service [1047552 2009-12-09] ( )

2 dlea_device; C:\Windows\SysWow64\dleacoms.exe -service [593920 2009-12-09] ( )

2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-12-17] ()

2 QBVSS; "C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe" [1251840 2010-09-17] ()

2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-12-03] ()

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )

0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )

1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)

0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)

0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111456 2012-10-05] (AVG Technologies CZ, s.r.o.)

0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)

1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)

1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-12-03] (AVG Technologies)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-15 18:49 - 2012-12-15 18:49 - 00000000 ____D C:\FRST

2012-12-15 18:41 - 2012-12-15 18:41 - 01461033 ____A (Farbar) C:\Users\Josh\Downloads\FRST64.exe

2012-12-15 11:05 - 2012-12-15 11:06 - 00688992 ____R (Swearware) C:\Users\Josh\Desktop\dds.com

2012-12-15 10:51 - 2012-12-15 10:52 - 00755712 ____A C:\Users\Josh\Downloads\RogueKiller.exe

2012-12-13 23:18 - 2012-12-13 23:18 - 00067852 ____A C:\Users\Josh\Downloads\daily_picdump_88_pics-86.jpeg

2012-12-13 23:04 - 2012-12-13 23:04 - 00050365 ____A C:\Users\Josh\Downloads\veMEsWZCWEifOKawXH2bRg2.jpeg

2012-12-11 15:56 - 2012-12-11 15:56 - 16363960 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2012-12-10 18:26 - 2012-12-10 18:50 - 00031232 ____A C:\Users\Josh\Desktop\Partnership Project rev.xls

2012-12-10 17:59 - 2012-12-10 17:59 - 00015966 ____A C:\Users\Josh\Downloads\Partnership Project rev.xlsx

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default\Application Data\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default User\Application Data\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software

2012-12-06 19:43 - 2012-12-06 19:43 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-12-04 19:52 - 2012-12-04 19:52 - 03842560 ____A C:\Users\Josh\My Documents\Tax Conference.ppt

2012-12-04 19:52 - 2012-12-04 19:52 - 03842560 ____A C:\Users\Josh\Documents\Tax Conference.ppt

2012-12-04 19:51 - 2012-12-04 19:51 - 03845120 ____A C:\Users\Josh\Downloads\Pure Michigan Travel Template.ppt

2012-12-03 18:23 - 2012-12-03 18:23 - 00000000 ____D C:\Users\Josh\Desktop\RESCUE

2012-12-03 18:22 - 2012-12-03 18:22 - 00000000 ____D C:\Users\Josh\Downloads\avg_arl_ffi_all_120_120823a5411

2012-12-03 18:17 - 2012-12-03 18:18 - 102010580 ____A C:\Users\Josh\Downloads\avg_arl_ffi_all_120_120823a5411.zip

2012-12-03 15:54 - 2012-12-03 15:54 - 00000000 ____D C:\Users\Josh\Application Data\AVG2013

2012-12-03 15:54 - 2012-12-03 15:54 - 00000000 ____D C:\Users\Josh\AppData\Roaming\AVG2013

2012-12-03 15:53 - 2012-12-09 08:20 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk

2012-12-03 15:53 - 2012-12-09 08:20 - 00000967 ____A C:\Users\All Users\Desktop\AVG 2013.lnk

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Local Settings\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Application Data\TuneUp Software

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\AppData\Roaming\TuneUp Software

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\AppData\Local\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\All Users\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\All Users\Application Data\AVG Secure Search

2012-12-03 15:52 - 2012-12-04 17:16 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search

2012-12-03 15:52 - 2012-12-03 15:52 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys

2012-12-03 15:50 - 2012-12-03 18:38 - 00000000 ____D C:\Users\All Users\AVG2013

2012-12-03 15:50 - 2012-12-03 18:38 - 00000000 ____D C:\Users\All Users\Application Data\AVG2013

2012-12-03 15:50 - 2012-12-03 15:50 - 00000000 ___HD C:\$AVG

2012-12-03 15:48 - 2012-12-03 15:48 - 00000000 ____D C:\Program Files (x86)\AVG

2012-12-03 15:42 - 2012-12-15 17:25 - 00000000 ____D C:\Users\All Users\MFAData

2012-12-03 15:42 - 2012-12-15 17:25 - 00000000 ____D C:\Users\All Users\Application Data\MFAData

2012-12-03 15:42 - 2012-12-03 15:58 - 00000000 ____D C:\Users\Josh\Local Settings\Avg2013

2012-12-03 15:42 - 2012-12-03 15:58 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\Avg2013

2012-12-03 15:42 - 2012-12-03 15:58 - 00000000 ____D C:\Users\Josh\AppData\Local\Avg2013

2012-12-03 15:42 - 2012-12-03 15:42 - 04424392 ____A (AVG Technologies) C:\Users\Josh\Downloads\avg_free_stb_all_2013_2793_cnet (1).exe

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\MFAData

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\MFAData

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\AppData\Local\MFAData

2012-12-03 15:41 - 2012-12-03 15:41 - 04424392 ____A (AVG Technologies) C:\Users\Josh\Downloads\Unconfirmed 787124.crdownload

2012-12-02 20:52 - 2012-12-02 20:52 - 00262144 ____A C:\Windows\Minidump\120212-29218-01.dmp

2012-12-02 13:13 - 2012-12-02 13:13 - 00262144 ____A C:\Windows\Minidump\120212-55598-01.dmp

2012-12-02 12:56 - 2012-12-02 12:56 - 00000000 ____D C:\Users\Josh\Application Data\Yahoo!

2012-12-02 12:56 - 2012-12-02 12:56 - 00000000 ____D C:\Users\Josh\AppData\Roaming\Yahoo!

2012-12-01 21:33 - 2009-07-13 19:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-12-01 21:31 - 2012-12-01 21:31 - 00000000 ____A C:\Windows\SysWOW64\sho644C.tmp

2012-12-01 21:25 - 2012-12-15 17:56 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-11-28 06:12 - 2012-11-28 06:11 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2012-11-28 06:10 - 2012-11-28 06:10 - 31160808 ____A (Oracle Corporation) C:\Users\Josh\Downloads\jre-7u9-windows-i586.exe

2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB83.tmp

2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB82.tmp

2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA437.tmp

2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA436.tmp

2012-11-28 06:07 - 2012-11-28 06:09 - 00000139 ____A C:\Windows\SysWOW64\jupdate-1.7.0_09-b05.log

2012-11-28 06:06 - 2012-11-28 06:06 - 00895464 ____A (Oracle Corporation) C:\Users\Josh\Downloads\chromeinstall-7u9.exe

2012-11-26 15:56 - 2012-11-26 15:56 - 00146432 ____A C:\Users\Josh\Downloads\Chapter 5 Workbook.xls

2012-11-26 14:43 - 2012-11-26 14:43 - 00122368 ____A C:\Users\Josh\Downloads\Chapter 6 workbook (1).xls

2012-11-25 19:57 - 2012-11-25 19:57 - 00126976 ____A C:\Users\Josh\Downloads\Chapter 6 workbook.xls

2012-11-23 21:16 - 2012-11-23 21:16 - 00071168 ____A C:\Users\Josh\Downloads\FilasWeek4Problem4.xls

2012-11-20 07:40 - 2012-11-20 07:40 - 00262144 ____A C:\Windows\Minidump\112012-23790-01.dmp

2012-11-19 15:08 - 2012-11-19 16:22 - 00140800 ____A C:\Users\Josh\Downloads\chapter 5 workbook rev.xls

==================== One Month Modified Files and Folders =======

2012-12-15 19:00 - 2009-07-13 22:45 - 00020928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-15 19:00 - 2009-07-13 22:45 - 00020928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-15 18:58 - 2012-06-05 19:04 - 00000000 ____D C:\Users\Josh\Application Data\ICQ

2012-12-15 18:58 - 2012-06-05 19:04 - 00000000 ____D C:\Users\Josh\AppData\Roaming\ICQ

2012-12-15 18:57 - 2011-07-02 16:51 - 00000000 ____D C:\Program Files (x86)\Steam

2012-12-15 18:57 - 2011-06-08 18:16 - 00017309 ____A C:\Users\All Users\dleascan.log

2012-12-15 18:57 - 2011-06-08 18:16 - 00017309 ____A C:\Users\All Users\Application Data\dleascan.log

2012-12-15 18:56 - 2012-10-27 13:20 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-12-15 18:56 - 2011-06-08 10:49 - 00000000 ____D C:\Users\Josh\Local Settings\SoftThinks

2012-12-15 18:56 - 2011-06-08 10:49 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\SoftThinks

2012-12-15 18:56 - 2011-06-08 10:49 - 00000000 ____D C:\Users\Josh\AppData\Local\SoftThinks

2012-12-15 18:56 - 2011-06-03 06:44 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup

2012-12-15 18:56 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-15 18:56 - 2009-07-13 22:51 - 00056738 ____A C:\Windows\setupact.log

2012-12-15 18:52 - 2009-07-13 23:13 - 00798642 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-15 18:49 - 2012-12-15 18:49 - 00000000 ____D C:\FRST

2012-12-15 18:46 - 2011-06-03 06:33 - 00000000 ____D C:\Users\All Users\Sonic

2012-12-15 18:46 - 2011-06-03 06:33 - 00000000 ____D C:\Users\All Users\Application Data\Sonic

2012-12-15 18:41 - 2012-12-15 18:41 - 01461033 ____A (Farbar) C:\Users\Josh\Downloads\FRST64.exe

2012-12-15 18:25 - 2012-10-27 13:20 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-12-15 18:25 - 2012-05-25 09:19 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1519063904-2080716059-1839271955-1000UA.job

2012-12-15 18:08 - 2012-10-23 20:03 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1519063904-2080716059-1839271955-1000UA.job

2012-12-15 17:56 - 2012-12-01 21:25 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-12-15 17:25 - 2012-12-03 15:42 - 00000000 ____D C:\Users\All Users\MFAData

2012-12-15 17:25 - 2012-12-03 15:42 - 00000000 ____D C:\Users\All Users\Application Data\MFAData

2012-12-15 13:25 - 2012-05-25 09:19 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1519063904-2080716059-1839271955-1000Core.job

2012-12-15 11:06 - 2012-12-15 11:05 - 00688992 ____R (Swearware) C:\Users\Josh\Desktop\dds.com

2012-12-15 10:52 - 2012-12-15 10:51 - 00755712 ____A C:\Users\Josh\Downloads\RogueKiller.exe

2012-12-15 10:25 - 2011-06-03 06:07 - 01875073 ____A C:\Windows\WindowsUpdate.log

2012-12-14 21:08 - 2012-10-23 20:03 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1519063904-2080716059-1839271955-1000Core.job

2012-12-14 07:48 - 2012-05-04 18:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-12-13 23:18 - 2012-12-13 23:18 - 00067852 ____A C:\Users\Josh\Downloads\daily_picdump_88_pics-86.jpeg

2012-12-13 23:04 - 2012-12-13 23:04 - 00050365 ____A C:\Users\Josh\Downloads\veMEsWZCWEifOKawXH2bRg2.jpeg

2012-12-12 14:50 - 2011-06-08 18:17 - 00000000 ____D C:\Users\All Users\Dl_cats

2012-12-12 14:50 - 2011-06-08 18:17 - 00000000 ____D C:\Users\All Users\Application Data\Dl_cats

2012-12-12 14:47 - 2011-09-15 09:00 - 00000000 ____D C:\Users\All Users\pdf995

2012-12-12 14:47 - 2011-09-15 09:00 - 00000000 ____D C:\Users\All Users\Application Data\pdf995

2012-12-11 15:56 - 2012-12-11 15:56 - 16363960 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2012-12-11 15:56 - 2012-07-24 05:30 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-12-11 15:56 - 2011-06-17 06:40 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-12-11 07:27 - 2011-06-30 11:19 - 00000000 ____D C:\Users\Josh\Desktop\Character and Fitness

2012-12-10 18:50 - 2012-12-10 18:26 - 00031232 ____A C:\Users\Josh\Desktop\Partnership Project rev.xls

2012-12-10 17:59 - 2012-12-10 17:59 - 00015966 ____A C:\Users\Josh\Downloads\Partnership Project rev.xlsx

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default\Application Data\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default User\Application Data\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software

2012-12-09 08:20 - 2012-12-03 15:53 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk

2012-12-09 08:20 - 2012-12-03 15:53 - 00000967 ____A C:\Users\All Users\Desktop\AVG 2013.lnk

2012-12-06 19:43 - 2012-12-06 19:43 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-12-04 19:52 - 2012-12-04 19:52 - 03842560 ____A C:\Users\Josh\My Documents\Tax Conference.ppt

2012-12-04 19:52 - 2012-12-04 19:52 - 03842560 ____A C:\Users\Josh\Documents\Tax Conference.ppt

2012-12-04 19:51 - 2012-12-04 19:51 - 03845120 ____A C:\Users\Josh\Downloads\Pure Michigan Travel Template.ppt

2012-12-04 17:48 - 2011-06-09 07:29 - 00000000 ____D C:\Users\All Users\PCDr

2012-12-04 17:48 - 2011-06-09 07:29 - 00000000 ____D C:\Users\All Users\Application Data\PCDr

2012-12-04 17:48 - 2011-06-03 06:40 - 00000000 ____D C:\Program Files\Dell Support Center

2012-12-04 17:16 - 2012-12-03 15:52 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search

2012-12-03 18:41 - 2010-11-20 21:47 - 00032356 ____A C:\Windows\PFRO.log

2012-12-03 18:38 - 2012-12-03 15:50 - 00000000 ____D C:\Users\All Users\AVG2013

2012-12-03 18:38 - 2012-12-03 15:50 - 00000000 ____D C:\Users\All Users\Application Data\AVG2013

2012-12-03 18:23 - 2012-12-03 18:23 - 00000000 ____D C:\Users\Josh\Desktop\RESCUE

2012-12-03 18:22 - 2012-12-03 18:22 - 00000000 ____D C:\Users\Josh\Downloads\avg_arl_ffi_all_120_120823a5411

2012-12-03 18:18 - 2012-12-03 18:17 - 102010580 ____A C:\Users\Josh\Downloads\avg_arl_ffi_all_120_120823a5411.zip

2012-12-03 15:59 - 2012-03-27 12:59 - 00000000 ____D C:\Users\All Users\CodecC

2012-12-03 15:59 - 2012-03-27 12:59 - 00000000 ____D C:\Users\All Users\Application Data\CodecC

2012-12-03 15:58 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\Avg2013

2012-12-03 15:58 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\Avg2013

2012-12-03 15:58 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\AppData\Local\Avg2013

2012-12-03 15:58 - 2012-09-21 22:34 - 00000000 ____D C:\Users\Josh\Local Settings\JavaSoft

2012-12-03 15:58 - 2012-09-21 22:34 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\JavaSoft

2012-12-03 15:58 - 2012-09-21 22:34 - 00000000 ____D C:\Users\Josh\AppData\Local\JavaSoft

2012-12-03 15:54 - 2012-12-03 15:54 - 00000000 ____D C:\Users\Josh\Application Data\AVG2013

2012-12-03 15:54 - 2012-12-03 15:54 - 00000000 ____D C:\Users\Josh\AppData\Roaming\AVG2013

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Local Settings\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Application Data\TuneUp Software

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\AppData\Roaming\TuneUp Software

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\AppData\Local\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\All Users\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\All Users\Application Data\AVG Secure Search

2012-12-03 15:52 - 2012-12-03 15:52 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys

2012-12-03 15:50 - 2012-12-03 15:50 - 00000000 ___HD C:\$AVG

2012-12-03 15:48 - 2012-12-03 15:48 - 00000000 ____D C:\Program Files (x86)\AVG

2012-12-03 15:42 - 2012-12-03 15:42 - 04424392 ____A (AVG Technologies) C:\Users\Josh\Downloads\avg_free_stb_all_2013_2793_cnet (1).exe

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\MFAData

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\MFAData

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\AppData\Local\MFAData

2012-12-03 15:41 - 2012-12-03 15:41 - 04424392 ____A (AVG Technologies) C:\Users\Josh\Downloads\Unconfirmed 787124.crdownload

2012-12-02 20:52 - 2012-12-02 20:52 - 00262144 ____A C:\Windows\Minidump\120212-29218-01.dmp

2012-12-02 20:52 - 2011-07-05 20:44 - 568580334 ____A C:\Windows\MEMORY.DMP

2012-12-02 20:52 - 2011-07-05 20:44 - 00000000 ____D C:\Windows\Minidump

2012-12-02 13:13 - 2012-12-02 13:13 - 00262144 ____A C:\Windows\Minidump\120212-55598-01.dmp

2012-12-02 12:56 - 2012-12-02 12:56 - 00000000 ____D C:\Users\Josh\Application Data\Yahoo!

2012-12-02 12:56 - 2012-12-02 12:56 - 00000000 ____D C:\Users\Josh\AppData\Roaming\Yahoo!

2012-12-02 12:54 - 2011-07-05 18:10 - 00000000 ____D C:\Program Files (x86)\Pando Networks

2012-12-02 12:54 - 2011-06-20 10:13 - 00000000 ____D C:\Program Files (x86)\Yahoo!

2012-12-02 12:54 - 2009-07-13 22:45 - 00488424 ____A C:\Windows\System32\FNTCACHE.DAT

2012-12-02 08:44 - 2011-06-08 10:49 - 00134840 ____A C:\Users\Josh\Local Settings\GDIPFONTCACHEV1.DAT

2012-12-02 08:44 - 2011-06-08 10:49 - 00134840 ____A C:\Users\Josh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2012-12-02 08:44 - 2011-06-08 10:49 - 00134840 ____A C:\Users\Josh\AppData\Local\GDIPFONTCACHEV1.DAT

2012-12-01 22:05 - 2012-02-23 10:27 - 00000000 ____D C:\Users\Josh\Desktop\accounting 2012

2012-12-01 21:52 - 2011-09-15 08:26 - 00000000 ____D C:\Program Files (x86)\PDF995

2012-12-01 21:45 - 2012-07-16 16:48 - 00000000 ____D C:\Program Files\DivX

2012-12-01 21:45 - 2012-07-16 16:47 - 00000000 ____D C:\Program Files (x86)\DivX

2012-12-01 21:45 - 2012-07-16 16:46 - 00000000 ____D C:\Users\All Users\DivX

2012-12-01 21:45 - 2012-07-16 16:46 - 00000000 ____D C:\Users\All Users\Application Data\DivX

2012-12-01 21:31 - 2012-12-01 21:31 - 00000000 ____A C:\Windows\SysWOW64\sho644C.tmp

2012-12-01 21:24 - 2011-06-03 06:43 - 00000000 ____D C:\Users\All Users\Application Data\Adobe

2012-12-01 21:24 - 2011-06-03 06:43 - 00000000 ____D C:\Users\All Users\Adobe

2012-11-28 06:11 - 2012-11-28 06:12 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2012-11-28 06:11 - 2012-06-04 15:37 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll

2012-11-28 06:11 - 2011-09-18 16:51 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll

2012-11-28 06:10 - 2012-11-28 06:10 - 31160808 ____A (Oracle Corporation) C:\Users\Josh\Downloads\jre-7u9-windows-i586.exe

2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB83.tmp

2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB82.tmp

2012-11-28 06:09 - 2012-11-28 06:07 - 00000139 ____A C:\Windows\SysWOW64\jupdate-1.7.0_09-b05.log

2012-11-28 06:09 - 2011-09-18 16:51 - 00000000 ____D C:\Program Files (x86)\Java

2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA437.tmp

2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA436.tmp

2012-11-28 06:06 - 2012-11-28 06:06 - 00895464 ____A (Oracle Corporation) C:\Users\Josh\Downloads\chromeinstall-7u9.exe

2012-11-26 15:56 - 2012-11-26 15:56 - 00146432 ____A C:\Users\Josh\Downloads\Chapter 5 Workbook.xls

2012-11-26 14:43 - 2012-11-26 14:43 - 00122368 ____A C:\Users\Josh\Downloads\Chapter 6 workbook (1).xls

2012-11-25 19:57 - 2012-11-25 19:57 - 00126976 ____A C:\Users\Josh\Downloads\Chapter 6 workbook.xls

2012-11-23 21:16 - 2012-11-23 21:16 - 00071168 ____A C:\Users\Josh\Downloads\FilasWeek4Problem4.xls

2012-11-20 07:40 - 2012-11-20 07:40 - 00262144 ____A C:\Windows\Minidump\112012-23790-01.dmp

2012-11-19 16:22 - 2012-11-19 15:08 - 00140800 ____A C:\Users\Josh\Downloads\chapter 5 workbook rev.xls

ZeroAccess:

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\00000004.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\201d3dde

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\4cce1f70

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\00000008.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\000000cb.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\80000064.@

ZeroAccess:

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\n

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-03 15:48:32

Restore point made on: 2012-12-03 15:49:32

Restore point made on: 2012-12-14 15:38:51

==================== Memory info ===========================

Percentage of memory in use: 18%

Total physical RAM: 4003.17 MB

Available physical RAM: 3275.56 MB

Total Pagefile: 4001.37 MB

Available Pagefile: 3266.83 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:206.79 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (Recovery) (Fixed) (Total:14.65 GB) (Free:7.29 GB) NTFS ==>[system with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive e: detected. Check for MBR/Partition infection.

4 Drive f: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

5 Drive g: () (Removable) (Total:1.91 GB) (Free:0.55 GB) FAT

7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 0 B

Disk 1 Online 1953 MB 0 B

Disk 2 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 100 MB 1024 KB

Partition 2 Primary 14 GB 101 MB

Partition 3 Primary 451 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 DELLUTILITY FAT Partition 100 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 E Recovery NTFS Partition 14 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C OS NTFS Partition 451 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1952 MB 122 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G FAT Removable 1952 MB Healthy

=========================================================

Last Boot: 2012-12-14 15:32

==================== End Of Log =============================

Link to post
Share on other sites

  • Staff

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM-x32\...\Run: [] [x]
2012-12-01 21:33 - 2009-07-13 19:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
TDL4: custom:26000022 <===== ATTENTION!
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

NEXT

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

NEXT

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

Link to post
Share on other sites
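The FRST output and the fixlist above point at three kinds of indicator: a critical system binary (services.exe) whose MD5 no longer matches a clean copy, GUID-named folders under Installer and the system profile's AppData\Local holding an '@' file beside 'L' and 'U' subfolders, and a Desktop.ini in the GAC_32/GAC_64 assembly folders plus an svchost.exe sitting directly in C:\Windows. The script below is an added example written for this edit; it is not from the thread, from FRST or from Malwarebytes. It re-checks those same indicators on a live Windows host from a defender's side. It assumes an elevated PowerShell 5.1 or later session on the affected install, and the single known-bad hash is the services.exe MD5 that FRST printed in the log above; the GUID-folder check generalises the one folder name in the log to any GUID-named folder with that layout.

```powershell
# Added example (not from the thread, FRST or Malwarebytes): re-check on a live host the indicators
# FRST flagged above. Assumptions: elevated PowerShell 5.1+ on the affected Windows install.

# The one known-bad MD5 is the services.exe hash FRST reported in this thread.
$KnownBadMd5 = @{
    '014A9CB92514E27C0107614DF764BC06' = 'services.exe flagged as ZeroAccess in the FRST log above'
}

# The binaries FRST's "Bamital & volsnap Check" section hashes.
$CriticalFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

function Test-CriticalFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $reasons = @()
    if ($KnownBadMd5.ContainsKey($md5)) { $reasons += "MD5 matches $($KnownBadMd5[$md5])" }
    # Windows binaries are catalog-signed. Get-AuthenticodeSignature validates catalog signatures on
    # Windows 8 and later; on Windows 7 it can report NotSigned for clean files, so there the status
    # is only corroboration and the hash comparison against a clean copy of the same build decides.
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $reasons += "signer $($sig.SignerCertificate.Subject)" }
    [pscustomobject]@{ Path = $Path; MD5 = $md5; Suspicious = ($reasons.Count -gt 0); Reason = ($reasons -join '; ') }
}

function Find-ZeroAccessArtifacts {
    $hits = @()
    $guidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
    # The locations the log shows the GUID folder in, plus the per-user equivalent.
    $roots = @("$env:SystemRoot\Installer",
               "$env:SystemRoot\SysWOW64\config\systemprofile\AppData\Local",
               "$env:SystemRoot\System32\config\systemprofile\AppData\Local",
               $env:LOCALAPPDATA)
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($dir in Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue) {
            if ($dir.Name -notmatch $guidName) { continue }
            $names = @(Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue | ForEach-Object Name)
            # A legitimate Windows Installer GUID folder holds cached icons and MSI data, not an '@'
            # file beside 'L'/'U' subfolders as in the log above.
            if (($names -contains '@') -and (($names -contains 'L') -or ($names -contains 'U'))) {
                $hits += $dir.FullName
            }
        }
    }
    foreach ($p in @("$env:SystemRoot\assembly\GAC_32\Desktop.ini",
                     "$env:SystemRoot\assembly\GAC_64\Desktop.ini",
                     "$env:SystemRoot\svchost.exe")) {   # svchost.exe belongs in System32, not here
        if (Test-Path -LiteralPath $p) { $hits += $p }
    }
    return $hits
}

$CriticalFiles | ForEach-Object { Test-CriticalFile -Path $_ } | Format-Table -AutoSize
$artifacts = @(Find-ZeroAccessArtifacts)
if ($artifacts) { "Suspicious paths:"; $artifacts } else { "No ZeroAccess-style paths found." }
```

The script only reports; it deletes nothing. A hit on the GUID-folder layout or on the GAC Desktop.ini is a strong signal on its own, but a hash mismatch on a critical binary should be confirmed against a copy from a clean install at the same patch level (or the component store) before the file is replaced, since a Windows Update can legitimately change the hash.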

  • Staff

yes, please try it in safe mode

You have an infected services.exe. ComboFix usually finds and replaces this file for us, but it may be having difficulty doing so. If it still won't complete in safe mode, then we will use FRST again.

To Enter Safemode

  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Link to post
Share on other sites

I did allow combofix to run overnight and it had rebooted my computer and finished the log. Unfortunately I'm still getting messages from my AVG program that services.exe is still infected. Also, when I tried to log onto the internet my computer blue screened and when it rebooted my network adapter had been affected. My network adapter will not recognize any wireless or directly connected sources.

I'm using a second computer to post the log from combofix and also to download the malwarebytes rootkit tool. Hoping the rootkit will fix this issue, otherwise I will need to do a system restore I'm assuming to get my network adapter back. Log is too long to paste so I have attached it. Combofix.txt

Link to post
Share on other sites

  • Staff

let's restore to before you ran combofix so we can recover the network adapter, then we will go about finding a replacement for the infected services.exe another way

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
RestoreErunt: cf
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

  • FRST will let you know when the fix is complete and has written the Fixlog.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply. (FRST.txt and Search.txt)

Link to post
Share on other sites

I did complete the restore but it did not fix my network adapter so I am currently allowing my computer to do a system restore back to the point that combofix created before it ran. Has been going a while.

I also attempted the services.exe search but my system seemed to loop through that process for a couple hours so I aborted. I can still do that but I would prefer to let it go while I sleep or work on something else.

Computer has been attempting a restore for 45 minutes now and should be close to finishing. Below is the log from the FRST fix:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012

Ran by SYSTEM at 2012-12-16 10:15:17 Run:2

Running from G:\

==============================================

BCD not restored.

DEFAULT restored successfuly.

SAM restored successfuly.

SECURITY restored successfuly.

SOFTWARE restored successfuly.

hiv-backup\BCD not found.

SYSTEM restored successfuly.

Link to post
Share on other sites

  • Staff

ok, we'll take this one step at a time

please re-run FRST and this time, complete the search for the services.exe file

I'll give you the full and complete instructions again to save you scrolling up for them

You should still have FRST saved to your USB > insert into your computer

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply. (FRST.txt and Search.txt)

Link to post
Share on other sites
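The search step the staff member describes (typing services.exe into FRST's search box) exists to locate every copy of that binary on the machine, so a clean copy, typically in the WinSxS component store, can be told apart from the tampered one in System32. The script below is an added example written for this edit, not code from the thread or from FRST: it lists each copy of a named system binary under the Windows folder with size, file version, MD5 and Authenticode status, and singles out copies whose hash disagrees with other copies of the same version. It assumes an elevated PowerShell 5.1 or later session on the affected install; the one known-bad hash is the services.exe MD5 from the FRST log earlier in the thread.

```powershell
# Added example (not from the thread or FRST): a scripted counterpart to FRST's search step.
# Assumptions: elevated PowerShell 5.1+ on the affected Windows install.

function Find-SystemFileCopies {
    param(
        [Parameter(Mandatory)][string]$FileName,            # e.g. 'services.exe'
        [string]$Root = $env:SystemRoot,
        # Known-bad MD5 list; the single entry is the services.exe hash FRST reported in this thread.
        [string[]]$KnownBadMd5 = @('014A9CB92514E27C0107614DF764BC06')
    )
    Get-ChildItem -LiteralPath $Root -Filter $FileName -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Version   = $_.VersionInfo.FileVersion
                MD5       = $md5
                # Catalog signatures validate on Windows 8 and later; Windows 7 may show NotSigned
                # for clean files, so the hash comparison below is the decisive check there.
                Signature = $sig.Status
                KnownBad  = ($KnownBadMd5 -contains $md5)
            }
        }
}

# Among copies reporting the same file version, a hash that differs from the others marks the
# odd one out; that copy, or any copy on the known-bad list, is the one to replace from a
# clean source. The rarest hash within a version is returned (ties are broken arbitrarily).
function Get-HashOutliers {
    param([Parameter(Mandatory)][object[]]$Copies)
    $Copies | Group-Object Version | ForEach-Object {
        $hashes = @($_.Group.MD5 | Select-Object -Unique)
        if ($hashes.Count -gt 1) {
            $_.Group | Group-Object MD5 | Sort-Object Count | Select-Object -First 1 -ExpandProperty Group
        }
    }
}

$copies = @(Find-SystemFileCopies -FileName 'services.exe')
$copies | Sort-Object KnownBad -Descending |
    Format-Table Path, Size, Version, Signature, KnownBad -AutoSize
$outliers = @(Get-HashOutliers -Copies $copies)
if ($outliers) {
    "Copies whose hash disagrees with other copies of the same version:"
    $outliers | Select-Object Path, MD5 | Format-Table -AutoSize
}
```

Read the table with the version column in mind: a WinSxS copy at an older file version than the System32 copy will naturally have a different hash, which is why the outlier check only compares copies that report the same version. Replacing the System32 file from the component store is then a matter of picking the copy with the matching version whose hash agrees with the majority, the same decision the staff member makes from FRST's Search.txt.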

Completed both processes overnight. Strangely enough nothing has popped up as infected on my AVG with this most recent boot. Here are the logs:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012

Ran by SYSTEM at 16-12-2012 12:25:19

Running from G:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [609144 2011-04-12] (Alps Electric Co., Ltd.)

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3666800 2011-01-21] (Dell Inc.)

HKLM\...\Run: [intelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()

HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2010-12-17] (Intel® Corporation)

HKLM\...\Run: [bTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10228224 2010-11-03] (Intel Corporation)

HKLM\...\Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe" [765952 2010-04-01] ()

HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe" [135168 2009-06-22] ()

HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [207845 2011-05-30] ()

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [487562 2010-08-19] (Creative Technology Ltd)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-02-04] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)

HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()

HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35768 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [2825741 2011-05-30] ()

HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [273528 2011-08-24] (RealNetworks, Inc.)

HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)

HKLM-x32\...\Run: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1443080 2010-09-27] (Intuit Inc. All rights reserved.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3143800 2012-11-06] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [997320 2012-12-04] ()

HKLM-x32\...\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [1020512 2012-12-03] ()

HKU\Josh\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)

HKU\Josh\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1354736 2012-12-03] (Valve Corporation)

HKU\Josh\...\Run: [ares] "C:\Program Files (x86)\Ares\Ares.exe" -h [x]

HKU\Josh\...\Run: [Google Update] "C:\Users\Josh\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-05-25] (Google Inc.)

HKU\Josh\...\Run: [iCQ] "C:\Program Files (x86)\ICQ7.7\ICQ.exe" silent loginmode=4 [127040 2012-01-23] (ICQ, LLC.)

HKU\Josh\...\Run: [Facebook Update] "C:\Users\Josh\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-10-23] (Facebook Inc.)

HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-13] (Dell)

HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)

HKLM-x32\...\RunOnce: [Z1] C:\Users\Josh\AppData\Local\Temp\Rar$EXa0.800\mbar\mbar.exe /cleanup /s [1342312 2012-12-04] (Malwarebytes Corporation)

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk

ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk

ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE (Intuit Inc.)

Startup: C:\Users\Josh\Start Menu\Programs\Startup\MagicDisc.lnk

ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814392 2012-11-06] (AVG Technologies CZ, s.r.o.)

2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)

2 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [40448 2010-04-01] ()

2 dlea_device; C:\Windows\system32\dleacoms.exe -service [1047552 2009-12-09] ( )

2 dlea_device; C:\Windows\SysWow64\dleacoms.exe -service [593920 2009-12-09] ( )

2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-12-17] ()

2 QBVSS; "C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe" [1251840 2010-09-17] ()

2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-12-03] ()

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )

0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )

1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)

0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)

0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111456 2012-10-05] (AVG Technologies CZ, s.r.o.)

0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)

1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)

1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-12-03] (AVG Technologies)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-16 10:15 - 2012-12-16 10:11 - 80740352 ____A C:\Windows\System32\config\SOFTWARE.OLD

2012-12-16 10:15 - 2012-12-16 10:11 - 21233664 ____A C:\Windows\System32\config\SYSTEM.OLD

2012-12-16 10:15 - 2012-12-16 10:11 - 01572864 ____A C:\Windows\System32\config\DEFAULT.OLD

2012-12-16 10:15 - 2012-12-16 10:11 - 00262144 ____A C:\Windows\System32\config\SECURITY.OLD

2012-12-16 10:15 - 2012-12-16 10:11 - 00262144 ____A C:\Windows\System32\config\SAM.OLD

2012-12-16 08:50 - 2012-12-16 08:50 - 00085639 ____A C:\Users\Josh\Desktop\Combofix.txt

2012-12-16 08:43 - 2012-12-16 11:32 - 00000000 ____D C:\Users\Josh\Desktop\mbar-1.01.0.1011

2012-12-16 08:43 - 2012-12-16 09:41 - 13485902 ____A C:\Users\Josh\Desktop\mbar-1.01.0.1011.zip

2012-12-16 08:42 - 2012-12-16 08:42 - 00085639 ____A C:\ComboFix.txt

2012-12-15 19:36 - 2012-12-16 08:36 - 00000000 ____D C:\ComboFix

2012-12-15 18:49 - 2012-12-15 18:49 - 00000000 ____D C:\FRST

2012-12-15 18:00 - 2012-12-16 12:05 - 00000000 ____D C:\Windows\erdnt

2012-12-15 18:00 - 2012-12-16 08:42 - 00000000 ____D C:\Qoobox

2012-12-13 23:18 - 2012-12-13 23:18 - 00067852 ____A C:\Users\Josh\Downloads\daily_picdump_88_pics-86.jpeg

2012-12-13 23:04 - 2012-12-13 23:04 - 00050365 ____A C:\Users\Josh\Downloads\veMEsWZCWEifOKawXH2bRg2.jpeg

2012-12-11 15:56 - 2012-12-11 15:56 - 16363960 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2012-12-10 18:26 - 2012-12-10 18:50 - 00031232 ____A C:\Users\Josh\Desktop\Partnership Project rev.xls

2012-12-10 17:59 - 2012-12-10 17:59 - 00015966 ____A C:\Users\Josh\Downloads\Partnership Project rev.xlsx

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default\Application Data\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default User\Application Data\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software

2012-12-06 19:43 - 2012-12-16 12:05 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-12-04 19:52 - 2012-12-04 19:52 - 03842560 ____A C:\Users\Josh\My Documents\Tax Conference.ppt

2012-12-04 19:52 - 2012-12-04 19:52 - 03842560 ____A C:\Users\Josh\Documents\Tax Conference.ppt

2012-12-04 19:51 - 2012-12-04 19:51 - 03845120 ____A C:\Users\Josh\Downloads\Pure Michigan Travel Template.ppt

2012-12-03 18:23 - 2012-12-03 18:23 - 00000000 ____D C:\Users\Josh\Desktop\RESCUE

2012-12-03 18:22 - 2012-12-03 18:22 - 00000000 ____D C:\Users\Josh\Downloads\avg_arl_ffi_all_120_120823a5411

2012-12-03 18:17 - 2012-12-03 18:18 - 102010580 ____A C:\Users\Josh\Downloads\avg_arl_ffi_all_120_120823a5411.zip

2012-12-03 15:54 - 2012-12-03 15:54 - 00000000 ____D C:\Users\Josh\Application Data\AVG2013

2012-12-03 15:54 - 2012-12-03 15:54 - 00000000 ____D C:\Users\Josh\AppData\Roaming\AVG2013

2012-12-03 15:53 - 2012-12-09 08:20 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk

2012-12-03 15:53 - 2012-12-09 08:20 - 00000967 ____A C:\Users\All Users\Desktop\AVG 2013.lnk

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Local Settings\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Application Data\TuneUp Software

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\AppData\Roaming\TuneUp Software

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\AppData\Local\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\All Users\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\All Users\Application Data\AVG Secure Search

2012-12-03 15:52 - 2012-12-04 17:16 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search

2012-12-03 15:52 - 2012-12-03 15:52 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys

2012-12-03 15:50 - 2012-12-03 18:38 - 00000000 ____D C:\Users\All Users\AVG2013

2012-12-03 15:50 - 2012-12-03 18:38 - 00000000 ____D C:\Users\All Users\Application Data\AVG2013

2012-12-03 15:50 - 2012-12-03 15:50 - 00000000 ____D C:\$AVG

2012-12-03 15:48 - 2012-12-03 15:48 - 00000000 ____D C:\Program Files (x86)\AVG

2012-12-03 15:42 - 2012-12-16 11:24 - 00000000 ____D C:\Users\All Users\MFAData

2012-12-03 15:42 - 2012-12-16 11:24 - 00000000 ____D C:\Users\All Users\Application Data\MFAData

2012-12-03 15:42 - 2012-12-03 15:58 - 00000000 ____D C:\Users\Josh\Local Settings\Avg2013

2012-12-03 15:42 - 2012-12-03 15:58 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\Avg2013

2012-12-03 15:42 - 2012-12-03 15:58 - 00000000 ____D C:\Users\Josh\AppData\Local\Avg2013

2012-12-03 15:42 - 2012-12-03 15:42 - 04424392 ____A (AVG Technologies) C:\Users\Josh\Downloads\avg_free_stb_all_2013_2793_cnet (1).exe

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\MFAData

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\MFAData

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\AppData\Local\MFAData

2012-12-03 15:41 - 2012-12-03 15:41 - 04424392 ____A (AVG Technologies) C:\Users\Josh\Downloads\Unconfirmed 787124.crdownload

2012-12-02 20:52 - 2012-12-02 20:52 - 00262144 ____A C:\Windows\Minidump\120212-29218-01.dmp

2012-12-02 13:13 - 2012-12-02 13:13 - 00262144 ____A C:\Windows\Minidump\120212-55598-01.dmp

2012-12-02 12:56 - 2012-12-02 12:56 - 00000000 ____D C:\Users\Josh\Application Data\Yahoo!

2012-12-02 12:56 - 2012-12-02 12:56 - 00000000 ____D C:\Users\Josh\AppData\Roaming\Yahoo!

2012-12-01 21:33 - 2009-07-13 19:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe

2012-12-01 21:31 - 2012-12-01 21:31 - 00000000 ____A C:\Windows\SysWOW64\sho644C.tmp

2012-12-01 21:25 - 2012-12-16 11:56 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-11-28 06:12 - 2012-11-28 06:11 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2012-11-28 06:10 - 2012-11-28 06:10 - 31160808 ____A (Oracle Corporation) C:\Users\Josh\Downloads\jre-7u9-windows-i586.exe

2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB83.tmp

2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB82.tmp

2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA437.tmp

2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA436.tmp

2012-11-28 06:07 - 2012-11-28 06:09 - 00000139 ____A C:\Windows\SysWOW64\jupdate-1.7.0_09-b05.log

2012-11-28 06:06 - 2012-11-28 06:06 - 00895464 ____A (Oracle Corporation) C:\Users\Josh\Downloads\chromeinstall-7u9.exe

2012-11-26 15:56 - 2012-11-26 15:56 - 00146432 ____A C:\Users\Josh\Downloads\Chapter 5 Workbook.xls

2012-11-26 14:43 - 2012-11-26 14:43 - 00122368 ____A C:\Users\Josh\Downloads\Chapter 6 workbook (1).xls

2012-11-25 19:57 - 2012-11-25 19:57 - 00126976 ____A C:\Users\Josh\Downloads\Chapter 6 workbook.xls

2012-11-23 21:16 - 2012-11-23 21:16 - 00071168 ____A C:\Users\Josh\Downloads\FilasWeek4Problem4.xls

2012-11-20 07:40 - 2012-11-20 07:40 - 00262144 ____A C:\Windows\Minidump\112012-23790-01.dmp

2012-11-19 15:08 - 2012-11-19 16:22 - 00140800 ____A C:\Users\Josh\Downloads\chapter 5 workbook rev.xls

==================== One Month Modified Files and Folders =======

2012-12-16 12:14 - 2011-07-02 16:43 - 00000000 ____D C:\Users\Josh\Application Data\uTorrent

2012-12-16 12:14 - 2011-07-02 16:43 - 00000000 ____D C:\Users\Josh\AppData\Roaming\uTorrent

2012-12-16 12:09 - 2012-12-16 12:09 - 00000000 ____D C:\Users\Josh\Downloads\Windows 7 Ultimate SP1 x86 en-US Dec14 2012

2012-12-16 12:08 - 2012-10-23 20:03 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1519063904-2080716059-1839271955-1000UA.job

2012-12-16 12:05 - 2012-12-15 18:00 - 00000000 ____D C:\Windows\erdnt

2012-12-16 12:05 - 2012-12-06 19:43 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-12-16 12:05 - 2011-09-15 09:00 - 00000000 ____D C:\Users\All Users\pdf995

2012-12-16 12:05 - 2011-09-15 09:00 - 00000000 ____D C:\Users\All Users\Application Data\pdf995

2012-12-16 12:05 - 2011-06-08 10:49 - 00000000 ____D C:\users\Josh

2012-12-16 12:02 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration

2012-12-16 12:01 - 2011-08-24 15:36 - 00000000 ____D C:\Users\All Users\Real

2012-12-16 12:01 - 2011-08-24 15:36 - 00000000 ____D C:\Users\All Users\Application Data\Real

2012-12-16 11:56 - 2012-12-01 21:25 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-12-16 11:46 - 2011-06-03 06:07 - 01875078 ____A C:\Windows\WindowsUpdate.log

2012-12-16 11:32 - 2012-12-16 08:43 - 00000000 ____D C:\Users\Josh\Desktop\mbar-1.01.0.1011

2012-12-16 11:29 - 2009-07-13 22:45 - 00020928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-16 11:29 - 2009-07-13 22:45 - 00020928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-16 11:27 - 2009-07-13 23:13 - 00798642 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-16 11:25 - 2012-10-27 13:20 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-12-16 11:25 - 2012-05-25 09:19 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1519063904-2080716059-1839271955-1000UA.job

2012-12-16 11:24 - 2012-12-03 15:42 - 00000000 ____D C:\Users\All Users\MFAData

2012-12-16 11:24 - 2012-12-03 15:42 - 00000000 ____D C:\Users\All Users\Application Data\MFAData

2012-12-16 11:24 - 2011-07-02 16:51 - 00000000 ____D C:\Program Files (x86)\Steam

2012-12-16 11:23 - 2012-06-05 19:04 - 00000000 ____D C:\Users\Josh\Application Data\ICQ

2012-12-16 11:23 - 2012-06-05 19:04 - 00000000 ____D C:\Users\Josh\AppData\Roaming\ICQ

2012-12-16 11:21 - 2012-10-27 13:20 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-12-16 11:21 - 2011-06-08 18:16 - 00026280 ____A C:\Users\All Users\dleascan.log

2012-12-16 11:21 - 2011-06-08 18:16 - 00026280 ____A C:\Users\All Users\Application Data\dleascan.log

2012-12-16 11:21 - 2011-06-08 10:49 - 00000000 ____D C:\Users\Josh\Local Settings\SoftThinks

2012-12-16 11:21 - 2011-06-08 10:49 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\SoftThinks

2012-12-16 11:21 - 2011-06-08 10:49 - 00000000 ____D C:\Users\Josh\AppData\Local\SoftThinks

2012-12-16 11:21 - 2011-06-03 06:44 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup

2012-12-16 11:20 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-16 11:20 - 2009-07-13 22:51 - 00056402 ____A C:\Windows\setupact.log

2012-12-16 10:11 - 2012-12-16 10:15 - 80740352 ____A C:\Windows\System32\config\SOFTWARE.OLD

2012-12-16 10:11 - 2012-12-16 10:15 - 21233664 ____A C:\Windows\System32\config\SYSTEM.OLD

2012-12-16 10:11 - 2012-12-16 10:15 - 01572864 ____A C:\Windows\System32\config\DEFAULT.OLD

2012-12-16 10:11 - 2012-12-16 10:15 - 00262144 ____A C:\Windows\System32\config\SECURITY.OLD

2012-12-16 10:11 - 2012-12-16 10:15 - 00262144 ____A C:\Windows\System32\config\SAM.OLD

2012-12-16 09:57 - 2011-06-09 11:29 - 00003114 ____A C:\Users\All Users\dlea.log

2012-12-16 09:57 - 2011-06-09 11:29 - 00003114 ____A C:\Users\All Users\Application Data\dlea.log

2012-12-16 09:41 - 2012-12-16 08:43 - 13485902 ____A C:\Users\Josh\Desktop\mbar-1.01.0.1011.zip

2012-12-16 09:26 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF

2012-12-16 08:50 - 2012-12-16 08:50 - 00085639 ____A C:\Users\Josh\Desktop\Combofix.txt

2012-12-16 08:42 - 2012-12-16 08:42 - 00085639 ____A C:\ComboFix.txt

2012-12-16 08:42 - 2012-12-15 18:00 - 00000000 ____D C:\Qoobox

2012-12-16 08:36 - 2012-12-15 19:36 - 00000000 ____D C:\ComboFix

2012-12-15 18:49 - 2012-12-15 18:49 - 00000000 ____D C:\FRST

2012-12-15 18:46 - 2011-06-03 06:33 - 00000000 ____D C:\Users\All Users\Sonic

2012-12-15 18:46 - 2011-06-03 06:33 - 00000000 ____D C:\Users\All Users\Application Data\Sonic

2012-12-14 13:25 - 2012-05-25 09:19 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1519063904-2080716059-1839271955-1000Core.job

2012-12-14 07:48 - 2012-05-04 18:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2012-12-13 23:18 - 2012-12-13 23:18 - 00067852 ____A C:\Users\Josh\Downloads\daily_picdump_88_pics-86.jpeg

2012-12-13 23:04 - 2012-12-13 23:04 - 00050365 ____A C:\Users\Josh\Downloads\veMEsWZCWEifOKawXH2bRg2.jpeg

2012-12-13 21:08 - 2012-10-23 20:03 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1519063904-2080716059-1839271955-1000Core.job

2012-12-12 14:50 - 2011-06-08 18:17 - 00000000 ____D C:\Users\All Users\Dl_cats

2012-12-12 14:50 - 2011-06-08 18:17 - 00000000 ____D C:\Users\All Users\Application Data\Dl_cats

2012-12-11 15:56 - 2012-12-11 15:56 - 16363960 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

2012-12-11 15:56 - 2012-07-24 05:30 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-12-11 15:56 - 2011-06-17 06:40 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-12-11 07:27 - 2011-06-30 11:19 - 00000000 ____D C:\Users\Josh\Desktop\Character and Fitness

2012-12-10 18:50 - 2012-12-10 18:26 - 00031232 ____A C:\Users\Josh\Desktop\Partnership Project rev.xls

2012-12-10 17:59 - 2012-12-10 17:59 - 00015966 ____A C:\Users\Josh\Downloads\Partnership Project rev.xlsx

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default\Application Data\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default User\Application Data\TuneUp Software

2012-12-09 08:20 - 2012-12-09 08:20 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software

2012-12-09 08:20 - 2012-12-03 15:53 - 00000967 ____A C:\Users\Public\Desktop\AVG 2013.lnk

2012-12-09 08:20 - 2012-12-03 15:53 - 00000967 ____A C:\Users\All Users\Desktop\AVG 2013.lnk

2012-12-04 19:52 - 2012-12-04 19:52 - 03842560 ____A C:\Users\Josh\My Documents\Tax Conference.ppt

2012-12-04 19:52 - 2012-12-04 19:52 - 03842560 ____A C:\Users\Josh\Documents\Tax Conference.ppt

2012-12-04 19:51 - 2012-12-04 19:51 - 03845120 ____A C:\Users\Josh\Downloads\Pure Michigan Travel Template.ppt

2012-12-04 17:48 - 2011-06-09 07:29 - 00000000 ____D C:\Users\All Users\PCDr

2012-12-04 17:48 - 2011-06-09 07:29 - 00000000 ____D C:\Users\All Users\Application Data\PCDr

2012-12-04 17:48 - 2011-06-03 06:40 - 00000000 ____D C:\Program Files\Dell Support Center

2012-12-04 17:16 - 2012-12-03 15:52 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search

2012-12-03 18:41 - 2010-11-20 21:47 - 00032356 ____A C:\Windows\PFRO.log

2012-12-03 18:38 - 2012-12-03 15:50 - 00000000 ____D C:\Users\All Users\AVG2013

2012-12-03 18:38 - 2012-12-03 15:50 - 00000000 ____D C:\Users\All Users\Application Data\AVG2013

2012-12-03 18:23 - 2012-12-03 18:23 - 00000000 ____D C:\Users\Josh\Desktop\RESCUE

2012-12-03 18:22 - 2012-12-03 18:22 - 00000000 ____D C:\Users\Josh\Downloads\avg_arl_ffi_all_120_120823a5411

2012-12-03 18:18 - 2012-12-03 18:17 - 102010580 ____A C:\Users\Josh\Downloads\avg_arl_ffi_all_120_120823a5411.zip

2012-12-03 15:59 - 2012-03-27 12:59 - 00000000 ____D C:\Users\All Users\CodecC

2012-12-03 15:59 - 2012-03-27 12:59 - 00000000 ____D C:\Users\All Users\Application Data\CodecC

2012-12-03 15:58 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\Avg2013

2012-12-03 15:58 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\Avg2013

2012-12-03 15:58 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\AppData\Local\Avg2013

2012-12-03 15:58 - 2012-09-21 22:34 - 00000000 ____D C:\Users\Josh\Local Settings\JavaSoft

2012-12-03 15:58 - 2012-09-21 22:34 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\JavaSoft

2012-12-03 15:58 - 2012-09-21 22:34 - 00000000 ____D C:\Users\Josh\AppData\Local\JavaSoft

2012-12-03 15:54 - 2012-12-03 15:54 - 00000000 ____D C:\Users\Josh\Application Data\AVG2013

2012-12-03 15:54 - 2012-12-03 15:54 - 00000000 ____D C:\Users\Josh\AppData\Roaming\AVG2013

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Local Settings\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\Application Data\TuneUp Software

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\AppData\Roaming\TuneUp Software

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\Josh\AppData\Local\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\All Users\AVG Secure Search

2012-12-03 15:53 - 2012-12-03 15:53 - 00000000 ____D C:\Users\All Users\Application Data\AVG Secure Search

2012-12-03 15:52 - 2012-12-03 15:52 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys

2012-12-03 15:50 - 2012-12-03 15:50 - 00000000 ____D C:\$AVG

2012-12-03 15:48 - 2012-12-03 15:48 - 00000000 ____D C:\Program Files (x86)\AVG

2012-12-03 15:42 - 2012-12-03 15:42 - 04424392 ____A (AVG Technologies) C:\Users\Josh\Downloads\avg_free_stb_all_2013_2793_cnet (1).exe

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\MFAData

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\Local Settings\Application Data\MFAData

2012-12-03 15:42 - 2012-12-03 15:42 - 00000000 ____D C:\Users\Josh\AppData\Local\MFAData

2012-12-03 15:41 - 2012-12-03 15:41 - 04424392 ____A (AVG Technologies) C:\Users\Josh\Downloads\Unconfirmed 787124.crdownload

2012-12-02 20:52 - 2012-12-02 20:52 - 00262144 ____A C:\Windows\Minidump\120212-29218-01.dmp

2012-12-02 20:52 - 2011-07-05 20:44 - 568580334 ____A C:\Windows\MEMORY.DMP

2012-12-02 20:52 - 2011-07-05 20:44 - 00000000 ____D C:\Windows\Minidump

2012-12-02 13:13 - 2012-12-02 13:13 - 00262144 ____A C:\Windows\Minidump\120212-55598-01.dmp

2012-12-02 12:56 - 2012-12-02 12:56 - 00000000 ____D C:\Users\Josh\Application Data\Yahoo!

2012-12-02 12:56 - 2012-12-02 12:56 - 00000000 ____D C:\Users\Josh\AppData\Roaming\Yahoo!

2012-12-02 12:54 - 2011-07-05 18:10 - 00000000 ____D C:\Program Files (x86)\Pando Networks

2012-12-02 12:54 - 2011-06-20 10:13 - 00000000 ____D C:\Program Files (x86)\Yahoo!

2012-12-02 12:54 - 2009-07-13 22:45 - 00488424 ____A C:\Windows\System32\FNTCACHE.DAT

2012-12-02 08:44 - 2011-06-08 10:49 - 00134840 ____A C:\Users\Josh\Local Settings\GDIPFONTCACHEV1.DAT

2012-12-02 08:44 - 2011-06-08 10:49 - 00134840 ____A C:\Users\Josh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2012-12-02 08:44 - 2011-06-08 10:49 - 00134840 ____A C:\Users\Josh\AppData\Local\GDIPFONTCACHEV1.DAT

2012-12-01 22:05 - 2012-02-23 10:27 - 00000000 ____D C:\Users\Josh\Desktop\accounting 2012

2012-12-01 21:52 - 2011-09-15 08:26 - 00000000 ____D C:\Program Files (x86)\PDF995

2012-12-01 21:45 - 2012-07-16 16:48 - 00000000 ____D C:\Program Files\DivX

2012-12-01 21:45 - 2012-07-16 16:47 - 00000000 ____D C:\Program Files (x86)\DivX

2012-12-01 21:45 - 2012-07-16 16:46 - 00000000 ____D C:\Users\All Users\DivX

2012-12-01 21:45 - 2012-07-16 16:46 - 00000000 ____D C:\Users\All Users\Application Data\DivX

2012-12-01 21:31 - 2012-12-01 21:31 - 00000000 ____A C:\Windows\SysWOW64\sho644C.tmp

2012-12-01 21:24 - 2011-06-03 06:43 - 00000000 ____D C:\Users\All Users\Application Data\Adobe

2012-12-01 21:24 - 2011-06-03 06:43 - 00000000 ____D C:\Users\All Users\Adobe

2012-11-28 06:11 - 2012-11-28 06:12 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-11-28 06:11 - 2012-11-28 06:11 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2012-11-28 06:11 - 2012-06-04 15:37 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll

2012-11-28 06:11 - 2011-09-18 16:51 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll

2012-11-28 06:10 - 2012-11-28 06:10 - 31160808 ____A (Oracle Corporation) C:\Users\Josh\Downloads\jre-7u9-windows-i586.exe

2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB83.tmp

2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB82.tmp

2012-11-28 06:09 - 2012-11-28 06:07 - 00000139 ____A C:\Windows\SysWOW64\jupdate-1.7.0_09-b05.log

2012-11-28 06:09 - 2011-09-18 16:51 - 00000000 ____D C:\Program Files (x86)\Java

2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA437.tmp

2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA436.tmp

2012-11-28 06:06 - 2012-11-28 06:06 - 00895464 ____A (Oracle Corporation) C:\Users\Josh\Downloads\chromeinstall-7u9.exe

2012-11-26 15:56 - 2012-11-26 15:56 - 00146432 ____A C:\Users\Josh\Downloads\Chapter 5 Workbook.xls

2012-11-26 14:43 - 2012-11-26 14:43 - 00122368 ____A C:\Users\Josh\Downloads\Chapter 6 workbook (1).xls

2012-11-25 19:57 - 2012-11-25 19:57 - 00126976 ____A C:\Users\Josh\Downloads\Chapter 6 workbook.xls

2012-11-23 21:16 - 2012-11-23 21:16 - 00071168 ____A C:\Users\Josh\Downloads\FilasWeek4Problem4.xls

2012-11-20 07:40 - 2012-11-20 07:40 - 00262144 ____A C:\Windows\Minidump\112012-23790-01.dmp

2012-11-19 16:22 - 2012-11-19 15:08 - 00140800 ____A C:\Users\Josh\Downloads\chapter 5 workbook rev.xls

ZeroAccess:

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\00000004.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\201d3dde

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\4cce1f70

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\55490ac4

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\00000004.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\00000008.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\000000cb.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\80000000.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\80000032.@

C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\80000064.@

ZeroAccess:

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\n

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ATTENTION: ========> Check for possible partition/boot infection:

C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-03 15:48:32

Restore point made on: 2012-12-03 15:49:32

Restore point made on: 2012-12-14 15:38:51

Restore point made on: 2012-12-16 10:02:47

==================== Memory info ===========================

Percentage of memory in use: 18%

Total physical RAM: 4003.17 MB

Available physical RAM: 3277.59 MB

Total Pagefile: 4001.37 MB

Available Pagefile: 3275.25 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:203.8 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (SHADOWLAND) (CDROM) (Total:7.85 GB) (Free:0 GB) UDF

3 Drive e: (Recovery) (Fixed) (Total:14.65 GB) (Free:7.29 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive f: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

5 Drive g: () (Removable) (Total:1.91 GB) (Free:0.49 GB) FAT

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          465 GB      0 B
Disk 1    Online         1953 MB      0 B

Partitions of Disk 0:

===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM                100 MB  1024 KB
Partition 2    Primary             14 GB   101 MB
Partition 3    Primary            451 GB    14 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5       DELLUTILITY  FAT    Partition    100 MB  Healthy    Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2   E   Recovery     NTFS   Partition     14 GB  Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3   C   OS           NTFS   Partition    451 GB  Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           1952 MB   122 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4   G                FAT    Removable   1952 MB  Healthy

=========================================================

Last Boot: 2012-12-16 04:54

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 11-12-2012

Ran by SYSTEM at 2012-12-16 23:58:02

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======


  • Staff

The services.exe had been replaced successfully, but the restore brought back some ZeroAccess folders, so please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKLM-x32\...\Run: [] [x]
2012-12-01 21:33 - 2009-07-13 19:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-12-01 21:31 - 2012-12-01 21:31 - 00000000 ____A C:\Windows\SysWOW64\sho644C.tmp
2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB83.tmp
2012-11-28 06:09 - 2012-11-28 06:09 - 00000000 ____A C:\Windows\SysWOW64\RENEB82.tmp
2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA437.tmp
2012-11-28 06:08 - 2012-11-28 06:08 - 00000000 ____A C:\Windows\SysWOW64\RENA436.tmp
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\assembly\GAC_32\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

NEXT

Please download TDSSKiller.zip

  • Extract it to your desktop
  • Double-click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • Click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System/TDSS File system is found then ensure Cure is selected (if Cure is not available, choose Skip)
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Please let me know how the computer is running now.

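The two indicators the fix above targets (a stray C:\Windows\svchost.exe and the GUID-named ZeroAccess folders) can be picked out of an FRST log mechanically. The Python script below is an added example, not FRST's own code and not anything posted in this thread; which directories may legitimately hold core binaries, and that the "@" entry is what marks a ZeroAccess folder, are assumptions, and the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Dated FRST entry: "<mtime> - <ctime> - <size> <attrs> [(company)] <path>"
DATED = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.+)$")
# Bare path entry, as in the "ZeroAccess:" listing of the log
BARE = re.compile(r"^(?P<path>[A-Za-z]:\\.+)$")
# GUID-named folder followed by one of the short entry names the log shows (@, L, U, n)
GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
ZA_ENTRY = re.compile(r"^(?P<guid_dir>.+\\" + GUID + r")\\(?P<name>@|L|U|n)(?:\\.*)?$", re.I)

# Assumption: these core binaries belong only in System32, SysWOW64 or the WinSxS store
CORE_BINARIES = {"svchost.exe", "services.exe", "winlogon.exe", "wininit.exe", "userinit.exe"}
LEGIT_PARENTS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINSXS = "c:\\windows\\winsxs\\"

@dataclass
class Entry:
    path: str
    size: Optional[int] = None
    company: Optional[str] = None

def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST log line; returns None for headers and other non-file lines."""
    line = line.strip()
    m = DATED.match(line)
    if m:
        return Entry(m["path"], int(m["size"]), m["company"])
    m = BARE.match(line)
    return Entry(m["path"]) if m else None

def misplaced_core_binary(path: str) -> bool:
    """True when a core Windows binary name sits outside its legitimate directories."""
    parent, _, name = path.rpartition("\\")
    parent, name = parent.lower(), name.lower()
    if name not in CORE_BINARIES:
        return False
    return parent not in LEGIT_PARENTS and not parent.startswith(WINSXS)

def zeroaccess_folders(paths: List[str]) -> Dict[str, Set[str]]:
    """Group GUID-named folders by the marker entries (@, L, U, n) found under them.
    Only folders holding the '@' entry are reported (assumption: '@' is the defining one)."""
    found: Dict[str, Set[str]] = {}
    for p in paths:
        m = ZA_ENTRY.match(p)
        if m:
            found.setdefault(m["guid_dir"], set()).add(m["name"])
    return {d: names for d, names in found.items() if "@" in names}

def scan(lines: List[str]) -> List[str]:
    """Run both checks over raw log lines and return human-readable findings."""
    entries = [e for e in map(parse_line, lines) if e]
    findings = [f"core binary outside system dir: {e.path}"
                for e in entries if misplaced_core_binary(e.path)]
    for d, names in zeroaccess_folders([e.path for e in entries]).items():
        findings.append(f"ZeroAccess-style folder: {d} (entries: {', '.join(sorted(names))})")
    return findings

# Constructed sample: lines copied from the FRST log posted in this thread
SAMPLE_LOG = r"""
2012-12-01 21:33 - 2009-07-13 19:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-12-16 11:46 - 2011-06-03 06:07 - 01875078 ____A C:\Windows\WindowsUpdate.log
C:\Windows\System32\services.exe
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L\00000004.@
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\n
""".strip().splitlines()

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Run against a full FRST log, it reports the same three items the staff fixlist removes, and it stays silent on the legitimate services.exe copies in System32 and WinSxS.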

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

