
Multiple Viruses Running



Hi,

I have the audio virus and the Google search redirect, and I have some other strange things going on, such as not being able to access my wireless router and having a Symantec Endpoint icon in my sys tray even though I have never purchased the program.

I've followed steps that are in other threads, such as running RogueKiller (but not deleting anything), and then ran mbar, but as soon as it kicked off I got an error saying 'the system volume seems inaccessable or encrypted. scan can't continue.'

Can anyone help?

Thanks!


Hi there,

my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please post up the rogue killer log.

Also, do the following:

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Hi Marius, thanks for the reply. RogueKiller log below, I'll start downloading FRST now.

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : elliot.james [Admin rights]

Mode : Scan -- Date : 06/14/2013 09:20:17

| ARK || FAK || MBR |

¤¤¤ Bad processes : 4 ¤¤¤

[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\elliot.james\AppData\Roaming\hidfg.dll [x] -> KILLED [TermProc]

[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\elliot.james\AppData\Roaming\btapro.dll [x] -> KILLED [TermProc]

[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\elliot.james\AppData\Roaming\btapro.dll [x] -> KILLED [TermProc]

[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\elliot.james\AppData\Roaming\hidfg.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : hidfg ("C:\Windows\System32\rundll32.exe" "C:\Users\elliot.james\AppData\Roaming\hidfg.dll",_mystricmp) [7] -> FOUND

[RUN][SUSP PATH] HKCU\[...]\Run : btapro ("C:\Windows\System32\rundll32.exe" "C:\Users\elliot.james\AppData\Roaming\btapro.dll",Long_FromUnicode) [7] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-329068152-1454471165-1417001333-347895[...]\Run : hidfg ("C:\Windows\System32\rundll32.exe" "C:\Users\elliot.james\AppData\Roaming\hidfg.dll",_mystricmp) [7] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-329068152-1454471165-1417001333-347895[...]\Run : btapro ("C:\Windows\System32\rundll32.exe" "C:\Users\elliot.james\AppData\Roaming\btapro.dll",Long_FromUnicode) [7] -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST320LT007-9ZV142 +++++

--- User ---

[MBR] c2bc324976e8518a346b1b7170181cd6

[BSP] 22457e3fed18d06a1337bc03c455b2fa : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 304932 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 624502784 | Size: 300 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_06142013_02d0920.txt >>


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-06-2013

Ran by elliot.james (administrator) on 14-06-2013 09:47:29

Running from C:\Users\elliot.james\Desktop

Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

==================== Processes (Whitelisted) =================

(IDT, Inc.) C:\Program Files\IDT\WDM\STacSV64.exe

(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE

(Microsoft Corporation) C:\Windows\system32\WLANExt.exe

(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe

(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

(Accenture) C:\Program Files\Accenture\Mobile Media Reminder\MobileMediaReminderService.exe

(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe

() C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe

(Microsoft Corporation) C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe

(Dell Inc.) C:\Program Files\Dell\OpenManage\Client\Iap.exe

(O2Micro International) C:\Windows\system32\DRIVERS\o2flash.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\ccSvcHst.exe

(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

() C:\Program Files\Manufacturer\Endpoint Agent\wdp.exe

(Microsoft Corporation) C:\Windows\SysWOW64\CCM\CcmExec.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\ccSvcHst.exe

(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe

(Vodafone) C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\Smc.exe


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-06-2013

Ran by elliot.james at 2013-06-14 09:48:24 Run:

Running from C:\Users\elliot.james\Desktop

Boot Mode: Normal

==========================================================

==================== Installed Programs =======================

AccelerometerP11 (Version: 2.00.10.33)

Accenture CA Root Certificates (Version: 1.1.1)

Accenture FY2010 Templates for Office 2007 and 2010 (Version: 1.1.0)

Accenture Mobile Media Reminder (Version: 2.2.0.2)

Accenture PPT Templates (Version: 1.0.0.0)

Accenture PPT Templates 2012 (Version: 1.0.0.0)

Accenture SSL CA Certificates (Version: 1.0.0.0)

Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)

Adobe Reader XI (11.0.02) (Version: 11.0.02)

AgentInstall64 (Version: 11.6.1001.21018)

Ask Toolbar (Version: 1.17.0.0)

Ask Toolbar Updater (Version: 1.4.0.25589)

Cisco EAP-FAST Module (Version: 2.2.14)

Cisco LEAP Module (Version: 1.0.19)

Cisco PEAP Module (Version: 1.1.6)

Cisco WebEx Meetings

Configuration Manager Client (Version: 4.00.6487.2000)

CutePDF Writer 3.0 (Version: 3.0)

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Dell ControlVault Host Components Installer 64 bit (Version: 2.0.20.159)

Dell Feature Enhancement Pack (Version: 2.2.1)

Dell OpenManage Inventory Agent (for Dell Business Client Systems) (Version: 1.4.1)

Dell Touchpad (Version: 7.1208.101.125)

Dell_Battery_Prompt (Version: 1.0)

DW WLAN Card Utility (Version: 5.100.82.124)

Extended Asian Language font pack for Adobe Reader XI (Version: 11.0.0)

Forefront Identity Manager Add-ins and Extensions (Version: 4.1.2515.0)

Intel® Control Center (Version: 1.2.1.1007)

Intel® Management Engine Components (Version: 7.1.40.1161)

Intel® Network Connections Drivers (Version: 17.1)

Intel® Processor Graphics (Version: 8.15.10.2418)

Java 6 Update 33 (Version: 6.0.330)

Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)

Microsoft .NET Framework 4 Extended (Version: 4.0.30319)

Microsoft Lync - Welcome

Microsoft Lync 2010 (Version: 4.0.7577.4109)

Microsoft Lync 2010, MUI (Version: 4.0.7577.0)

Microsoft Office 2010 Service Pack 1 (SP1)


Sorry - complete log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-06-2013

Ran by elliot.james (administrator) on 14-06-2013 09:47:29

Running from C:\Users\elliot.james\Desktop

Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

==================== Processes (Whitelisted) =================

(IDT, Inc.) C:\Program Files\IDT\WDM\STacSV64.exe

(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE

(Microsoft Corporation) C:\Windows\system32\WLANExt.exe

(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe

(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

(Accenture) C:\Program Files\Accenture\Mobile Media Reminder\MobileMediaReminderService.exe

(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe

() C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe

(Microsoft Corporation) C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe

(Dell Inc.) C:\Program Files\Dell\OpenManage\Client\Iap.exe

(O2Micro International) C:\Windows\system32\DRIVERS\o2flash.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\ccSvcHst.exe

(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

() C:\Program Files\Manufacturer\Endpoint Agent\wdp.exe

(Microsoft Corporation) C:\Windows\SysWOW64\CCM\CcmExec.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\ccSvcHst.exe

(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe

(Vodafone) C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\Smc.exe

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe

(Microsoft Corporation) C:\Windows\sysWOW64\wbem\wmiprvse.exe

() C:\Program Files\Manufacturer\Endpoint Agent\cui.exe

(Autonomy, Inc.) C:\Program Files\Manufacturer\Endpoint Agent\verity\kvoop.exe

(Autonomy, Inc.) C:\Program Files\Manufacturer\Endpoint Agent\verity\kvoop.exe

(Accenture) C:\Program Files\Accenture\Mobile Media Reminder\AccentureMobileMediaReminderClient.exe

(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe

() C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe

(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe

(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE

(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apntex.exe

(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidFind.exe

(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe

(Ask) C:\Program Files (x86)\Ask.com\Updater\Updater.exe

(Vodafone) C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe

(Microsoft Corporation) C:\Windows\sysWOW64\wbem\wmiprvse.exe

(Microsoft Corporation) C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE

(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

(Microsoft Corporation) C:\Windows\splwow64.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Accenture Mobile Media Reminder] C:\Program Files\Accenture\Mobile Media Reminder\AccentureMobileMediaReminderClient.exe [108544 2013-01-18] (Accenture)

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)

HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()

HKLM\...\Run: [printer_install] C:\Program Files\Accenture\Follow-Me-Printer-UKLTS_CMD\printer_install.bat [1814 2012-03-19] ()

HKLM\...\Run: [] [x]

HKLM\...\Run: [broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [7469568 2012-02-15] (Dell Inc.)

HKLM\...\Run: [DFEPApplication] C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe [7077432 2012-08-15] (Dell Inc.)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)

HKCU\...\Run: [hidfg] "C:\Windows\System32\rundll32.exe" "C:\Users\elliot.james\AppData\Roaming\hidfg.dll",_mystricmp [913408 2013-05-30] ()

HKCU\...\Run: [btapro] "C:\Windows\System32\rundll32.exe" "C:\Users\elliot.james\AppData\Roaming\btapro.dll",Long_FromUnicode [462848 2013-05-30] (Mise Technology,Inc)

MountPoints2: {28fe4023-445b-11e2-bacb-9cb70dea22bc} - D:\setup_vmc_lite.exe /checkApplicationPresence

MountPoints2: {28fe402a-445b-11e2-bacb-9cb70dea22bc} - D:\setup_vmc_lite.exe /checkApplicationPresence

MountPoints2: {6a82f745-4567-11e2-82b8-9cb70dea22bc} - D:\setup_vmc_lite.exe /checkApplicationPresence

MountPoints2: {6a82f74b-4567-11e2-82b8-9cb70dea22bc} - D:\setup_vmc_lite.exe /checkApplicationPresence

HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM-x32\...\Run: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey [12100696 2012-07-27] (Microsoft Corporation)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1644744 2012-08-08] (Ask)

HKLM-x32\...\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent [2086912 2008-10-09] (Vodafone)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-18] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AMMR] C:\Program Files\Accenture\Mobile Media Reminder\AccentureMobileMediaReminderClient.exe [108544 2013-01-18] (Accenture)

HKU\Administrator\...\Run: [browserChoice] "C:\Windows\System32\browserchoice.exe" /run [294912 2010-02-23] (Microsoft Corporation)

Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk

ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk

ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)

Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk

ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)

Startup: C:\Users\elliot.james\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\elliot.james\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk

ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com

SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll (Microsoft Corporation)

BHO-x32: Symantec Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)

BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)

BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

DPF: HKLM-x32 {BF17C411-9ADA-4C73-B12C-BD814BDE187F} https://mylearning.accenture.com/accenture/core/common/ScheduleServices/ScheduleServices.cab

DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://cisco.webex.com/client/WBXclient-T28L10NSP9-15980/webex/ieatgpc1.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)

Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) =================

R2 Accenture Mobile Media Reminder Service; C:\Program Files\Accenture\Mobile Media Reminder\MobileMediaReminderService.exe [26624 2013-01-18] (Accenture)

R2 DFEPService; C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2280504 2012-08-15] (Dell Inc.)

S2 dsiasrv; C:\Program Files (x86)\Dell\SysMgt\dsia\bin\DsiaSrv32.exe [149560 2012-06-21] (Dell Inc.)

R2 EDPA; C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe [360176 2013-01-30] ()

R2 FIMPasswordReset; C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe [80448 2012-07-11] (Microsoft Corporation)

R2 Iap; C:\Program Files\Dell\OpenManage\Client\Iap.exe [613288 2010-03-23] (Dell Inc.)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)

R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)

R2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\ccSvcHst.exe [143928 2013-06-06] (Symantec Corporation)

R3 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\Smc.exe [2294112 2013-06-06] (Symantec Corporation)

S3 smstsmgr; C:\Windows\SysWOW64\CCM\TSManager.exe [246624 2009-09-18] (Microsoft Corporation)

S3 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\snac64.exe [334288 2013-06-06] (Symantec Corporation)

R2 VMCService; C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [14336 2008-10-09] (Vodafone)

R2 WDP; C:\Program Files\Manufacturer\Endpoint Agent\wdp.exe [323824 2013-01-30] ()

R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE [48128 2012-02-15] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\BASHDefs\20130531.011\BHDrvx64.sys [1393240 2013-05-31] (Symantec Corporation)

R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\BASHDefs\20130531.011\BHDrvx64.sys [1393240 2013-05-31] (Symantec Corporation)

R1 ccSettings_{3771A34D-2132-48EA-A486-D62ECDF9D553}; C:\Windows\System32\Drivers\SEP\0C0107DF\07DF.105\x64\ccSetx64.sys [168096 2013-06-06] (Symantec Corporation)

S3 d554gps; C:\Windows\system32\drivers\d554gps64.sys [101416 2010-12-01] (Ericsson AB)

S3 dc21x4vm; C:\Windows\System32\DRIVERS\dc21x4vm.sys [57344 2009-06-10] (Microsoft Corp.)

S3 ecnssndis; C:\Windows\System32\Drivers\wwuss64.sys [26664 2010-02-24] (Ericsson AB)

S3 ecnssndisfltr; C:\Windows\System32\Drivers\wwussf64.sys [30248 2010-02-24] (Ericsson AB)

R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-06-05] (Symantec Corporation)

R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-06-05] (Symantec Corporation)

R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-06-05] (Symantec Corporation)

S1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\IPSDefs\20130612.011\IDSvia64.sys [513184 2013-06-05] (Symantec Corporation)

S1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\IPSDefs\20130612.011\IDSvia64.sys [513184 2013-06-05] (Symantec Corporation)

S3 Mbm3DevMt; C:\Windows\system32\drivers\Mbm3DevMt.sys [419912 2010-10-31] (MCCI Corporation)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\VirusDefs\20130612.021\ENG64.SYS [126040 2013-06-05] (Symantec Corporation)

R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\VirusDefs\20130612.021\ENG64.SYS [126040 2013-06-05] (Symantec Corporation)

R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\VirusDefs\20130612.021\EX64.SYS [2098776 2013-06-05] (Symantec Corporation)

R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\VirusDefs\20130612.021\EX64.SYS [2098776 2013-06-05] (Symantec Corporation)

R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

R3 O2MDFRDR; C:\Windows\System32\DRIVERS\O2MDFxpx64.sys [71968 2011-01-04] (O2Micro )

R3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjxpx64.sys [83560 2011-03-23] (O2Micro )

R1 omci; C:\Windows\System32\DRIVERS\omci.sys [26624 2010-03-08] (Dell Inc.)

R3 prepdrvr; C:\Windows\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] (Microsoft Corporation)

R3 prepdrvr; C:\Windows\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] (Microsoft Corporation)

S3 SFsCtrx1161; C:\Windows\System32\DRIVERS\SFsCtrx1161.sys [57072 2013-01-30] ()

R3 SRTSP; C:\Windows\System32\Drivers\SEP\0C0107DF\07DF.105\x64\SRTSP64.SYS [776352 2013-06-06] (Symantec Corporation)

R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C0107DF\07DF.105\x64\SRTSPX64.SYS [37496 2013-06-06] (Symantec Corporation)

S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\SyDvCtrl64.sys [34352 2013-06-06] (Symantec Corporation)

S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\SyDvCtrl64.sys [34352 2013-06-06] (Symantec Corporation)

R0 SymDS; C:\Windows\System32\Drivers\SEP\0C0107DF\07DF.105\x64\SYMDS64.SYS [493216 2013-06-06] (Symantec Corporation)

R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C0107DF\07DF.105\x64\SYMEFA64.SYS [1133216 2013-06-06] (Symantec Corporation)

R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-06-11] (Symantec Corporation)

R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C0107DF\07DF.105\x64\Ironx64.SYS [224416 2013-06-06] (Symantec Corporation)

R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C0107DF\07DF.105\x64\SYMNETS.SYS [432800 2013-06-06] (Symantec Corporation)

R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [154904 2013-06-11] (Symantec Corporation)

R3 tdifd1161; C:\Windows\System32\DRIVERS\tdifd1161.sys [61168 2013-01-30] (Symantec Corporation)

R3 vfsmfd; C:\Windows\System32\DRIVERS\vfsmfd.sys [70384 2013-01-30] ()

R3 vrtam; C:\Windows\System32\DRIVERS\vrtam.sys [33520 2013-01-30] ()

U4 mbamswissarmy;

S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-14 09:46 - 2013-06-14 09:46 - 01920398 ____A (Farbar) C:\Users\elliot.james\Desktop\FRST64.exe

2013-06-14 09:46 - 2013-06-14 09:46 - 00000000 ____D C:\FRST

2013-06-14 09:26 - 2013-06-14 09:26 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-06-14 09:24 - 2013-06-14 09:24 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-06-14 09:22 - 2013-06-14 09:22 - 00000000 ____D C:\Users\elliot.james\Desktop\mbar-1.06.0.1003

2013-06-14 09:20 - 2013-06-14 09:20 - 00002676 ____A C:\Users\elliot.james\Desktop\RKreport[1]_S_06142013_02d0920.txt

2013-06-14 09:17 - 2013-06-14 09:17 - 13169742 ____A C:\Users\elliot.james\Desktop\mbar-1.06.0.1003.zip

2013-06-14 09:16 - 2013-06-14 09:20 - 00000000 ____D C:\Users\elliot.james\Desktop\RK_Quarantine

2013-06-14 09:14 - 2013-06-14 09:14 - 00816128 ____A C:\Users\elliot.james\Desktop\RogueKiller.exe

2013-06-14 09:14 - 2013-06-14 09:14 - 00791040 ____A C:\Users\elliot.james\Desktop\RogueKillerX64.exe

2013-06-14 08:48 - 2013-06-14 08:48 - 04378864 ____A (Piriform Ltd) C:\Users\elliot.james\Desktop\ccsetup402.exe

2013-06-14 08:48 - 2013-06-14 08:48 - 00726464 ____A (Enigma Software Group USA, LLC.) C:\Users\elliot.james\Desktop\SpyHunter-Installer.exe

2013-06-14 08:47 - 2013-06-14 08:47 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\elliot.james\Desktop\tdsskiller.exe

2013-06-14 08:47 - 2013-06-14 08:47 - 00187464 ____A (Webroot) C:\Users\elliot.james\Desktop\antizeroaccess.exe

2013-06-13 13:42 - 2013-06-13 13:42 - 00372705 ____A C:\Users\elliot.james\Desktop\IFR Template.pptx

2013-06-13 12:09 - 2013-05-10 06:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll

2013-06-13 12:09 - 2013-05-10 04:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll

2013-06-13 12:09 - 2013-04-26 06:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-06-13 12:09 - 2013-04-26 05:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-06-13 12:06 - 2013-05-17 04:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-06-13 12:06 - 2013-05-17 04:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-06-13 12:06 - 2013-05-17 04:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-06-13 12:06 - 2013-05-17 04:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-06-13 12:06 - 2013-05-17 04:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-06-13 12:06 - 2013-05-17 03:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-06-13 12:06 - 2013-05-17 03:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-06-13 12:06 - 2013-05-17 03:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-06-13 12:06 - 2013-05-17 03:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-06-13 12:06 - 2013-05-17 03:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-06-13 12:06 - 2013-05-17 03:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-06-13 12:06 - 2013-05-17 03:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-06-13 12:06 - 2013-05-17 03:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-06-13 12:06 - 2013-05-17 03:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-06-13 12:06 - 2013-05-16 23:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-06-13 12:06 - 2013-05-16 23:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-06-13 12:06 - 2013-05-16 23:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-06-13 12:06 - 2013-05-16 23:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-06-13 12:06 - 2013-05-16 23:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-06-13 12:06 - 2013-05-16 23:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-06-13 12:06 - 2013-05-16 23:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-06-13 12:06 - 2013-05-16 23:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-06-13 12:06 - 2013-05-16 23:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-06-13 12:06 - 2013-05-16 23:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-06-13 12:06 - 2013-05-16 23:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-06-13 12:06 - 2013-05-16 23:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-06-13 12:06 - 2013-05-16 23:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-06-13 12:06 - 2013-05-16 23:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-06-13 12:05 - 2013-05-17 05:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-06-13 12:05 - 2013-05-17 04:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-06-13 12:05 - 2013-05-17 00:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-06-13 12:05 - 2013-05-16 23:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-06-13 12:00 - 2013-06-14 09:05 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-13 12:00 - 2013-06-13 12:00 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-06-13 12:00 - 2013-06-13 12:00 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-06-13 11:49 - 2013-05-08 07:14 - 00376680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys

2013-06-13 11:49 - 2013-05-08 07:14 - 00288104 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS

2013-06-13 11:48 - 2013-05-08 07:14 - 01900392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2013-06-13 11:47 - 2013-05-13 06:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2013-06-13 11:47 - 2013-05-13 06:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2013-06-13 11:47 - 2013-05-13 06:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2013-06-13 11:47 - 2013-05-13 06:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll

2013-06-13 11:47 - 2013-05-13 05:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll

2013-06-13 11:47 - 2013-05-13 05:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll

2013-06-13 11:47 - 2013-05-13 05:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

2013-06-13 11:47 - 2013-05-13 04:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe

2013-06-13 11:47 - 2013-05-13 04:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe

2013-06-13 11:47 - 2013-05-13 04:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll

2013-06-12 15:41 - 2013-06-12 15:41 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2013-06-12 15:40 - 2013-06-12 15:41 - 00000000 ____D C:\Program Files\Microsoft Security Client

2013-06-12 12:58 - 2013-06-12 12:58 - 00000637 ____A C:\Users\elliot.james\Desktop\virus.txt

2013-06-12 08:28 - 2013-06-12 08:28 - 00000000 ____D C:\Users\elliot.james\AppData\Local\Symantec

2013-06-11 16:08 - 2013-06-11 16:08 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS

2013-06-11 16:08 - 2013-06-11 16:08 - 00007631 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT

2013-06-11 16:08 - 2013-06-11 16:08 - 00000000 ____D C:\Program Files\Symantec

2013-06-11 16:08 - 2013-06-11 16:08 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared

2013-06-11 16:06 - 2013-06-11 16:06 - 00575952 ____A (Symantec Corporation) C:\Windows\System32\SymVPN.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00458704 ____A (Symantec Corporation) C:\Windows\System32\sysfer.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00419792 ____A (Symantec Corporation) C:\Windows\SysWOW64\SymVPN.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00359888 ____A (Symantec Corporation) C:\Windows\SysWOW64\sysfer.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00157136 ____A (Symantec Corporation) C:\Windows\System32\FwsVpn.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00154904 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SysPlant.sys

2013-06-11 16:06 - 2013-06-11 16:06 - 00136144 ____A (Symantec Corporation) C:\Windows\SysWOW64\FwsVpn.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00056272 ____A (Symantec Corporation) C:\Windows\System32\snacnp.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00050128 ____A (Symantec Corporation) C:\Windows\SysWOW64\snacnp.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00044008 ____A (Symantec Corporation) C:\Windows\System32\Drivers\WGX64.SYS

2013-06-11 16:06 - 2013-06-11 16:06 - 00011728 ____A (Symantec Corporation) C:\Windows\System32\sysferThunk.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00010704 ____A (Symantec Corporation) C:\Windows\SysWOW64\sysferThunk.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00000000 ____D C:\Windows\System32\Drivers\SEP

2013-06-11 16:06 - 2013-06-11 16:06 - 00000000 ____D C:\ProgramData\regid.1992-12.com.symantec

2013-06-11 16:06 - 2013-06-11 16:06 - 00000000 ____D C:\Program Files (x86)\Symantec

2013-06-11 16:05 - 2013-06-12 15:41 - 00001945 ____A C:\Windows\epplauncher.mif

2013-06-11 16:05 - 2013-06-11 16:06 - 00000000 ____D C:\ProgramData\Symantec

2013-06-11 16:04 - 2013-06-11 16:04 - 00001773 ____A C:\Windows\MSIOEQBD.mif

2013-05-30 18:08 - 2013-05-30 18:08 - 00913408 ____A () C:\Users\elliot.james\AppData\Roaming\hidfg.dll

2013-05-30 18:08 - 2013-05-30 18:08 - 00462848 ____A (Mise Technology,Inc) C:\Users\elliot.james\AppData\Roaming\btapro.dll

2013-05-20 08:42 - 2013-05-20 08:42 - 00000165 ___AH C:\Users\elliot.james\Desktop\~$International Reporting.xlsx

2013-05-17 17:26 - 2013-03-19 06:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-17 17:26 - 2013-03-19 06:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-17 17:25 - 2013-04-12 15:16 - 01686888 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-05-17 17:21 - 2012-10-18 18:51 - 00498176 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys

2013-05-17 17:20 - 2013-02-13 13:25 - 00789504 ____A (Microsoft Corporation) C:\Windows\System32\gpprefcl.dll

2013-05-17 17:20 - 2013-02-13 13:24 - 00097792 ____A C:\Windows\System32\RDVGHelper.exe

2013-05-17 17:20 - 2013-02-13 12:25 - 00589824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gpprefcl.dll

2013-05-17 17:20 - 2013-01-05 03:55 - 00315392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdbss.sys

2013-05-17 17:20 - 2012-11-01 05:33 - 00559616 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

2013-05-17 17:20 - 2012-10-18 23:00 - 00296808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys

2013-05-17 17:20 - 2012-10-18 23:00 - 00213848 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdyboost.sys

2013-05-17 17:20 - 2012-10-18 23:00 - 00190824 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\storport.sys

2013-05-17 17:20 - 2012-10-18 21:34 - 01742848 ____A (Microsoft Corporation) C:\Windows\System32\sysmain.dll

2013-05-17 17:20 - 2012-10-18 21:34 - 00262656 ____A (Microsoft Corporation) C:\Windows\System32\WebClnt.dll

2013-05-17 17:20 - 2012-10-18 21:34 - 00235520 ____A (Microsoft Corporation) C:\Windows\System32\srvsvc.dll

2013-05-17 17:20 - 2012-10-18 21:34 - 00214528 ____A (Microsoft Corporation) C:\Windows\System32\umrdp.dll

2013-05-17 17:20 - 2012-10-18 21:34 - 00164864 ____A (Microsoft Corporation) C:\Windows\System32\umpo.dll

2013-05-17 17:20 - 2012-10-18 21:34 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\tcpmonui.dll

2013-05-17 17:20 - 2012-10-18 21:34 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\tcpmib.dll

2013-05-17 17:20 - 2012-10-18 21:33 - 00512000 ____A (Microsoft Corporation) C:\Windows\System32\rpcss.dll

2013-05-17 17:20 - 2012-10-18 21:33 - 00127488 ____A (Microsoft Corporation) C:\Windows\System32\SessEnv.dll

2013-05-17 17:20 - 2012-10-18 21:32 - 00832000 ____A (Microsoft Corporation) C:\Windows\System32\nshwfp.dll

2013-05-17 17:20 - 2012-10-18 21:32 - 00223744 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

2013-05-17 17:20 - 2012-10-18 21:31 - 00698880 ____A (Microsoft Corporation) C:\Windows\System32\netlogon.dll

2013-05-17 17:20 - 2012-10-18 21:31 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll

2013-05-17 17:20 - 2012-10-18 21:31 - 00222208 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll

2013-05-17 17:20 - 2012-10-18 21:31 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll

2013-05-17 17:20 - 2012-10-18 21:30 - 00965120 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

2013-05-17 17:20 - 2012-10-18 21:30 - 00166400 ____A (Microsoft Corporation) C:\Windows\System32\inetpp.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 01065984 ____A (Microsoft Corporation) C:\Windows\System32\Display.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 00855040 ____A (Microsoft Corporation) C:\Windows\System32\IKEEXT.DLL

2013-05-17 17:20 - 2012-10-18 21:29 - 00777216 ____A (Microsoft Corporation) C:\Windows\System32\gpsvc.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 00324096 ____A (Microsoft Corporation) C:\Windows\System32\FWPUCLNT.DLL

2013-05-17 17:20 - 2012-10-18 21:29 - 00317952 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 00253952 ____A (Microsoft Corporation) C:\Windows\System32\dot3svc.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 00225792 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\dot3msm.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 00056832 ____A (Microsoft Corporation) C:\Windows\System32\dot3gpclnt.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 00054784 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll

2013-05-17 17:20 - 2012-10-18 21:29 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\gpprnext.dll

2013-05-17 17:20 - 2012-10-18 21:28 - 00695808 ____A (Microsoft Corporation) C:\Windows\System32\cscsvc.dll

2013-05-17 17:20 - 2012-10-18 21:28 - 00240128 ____A (Microsoft Corporation) C:\Windows\System32\cscobj.dll

2013-05-17 17:20 - 2012-10-18 21:28 - 00137216 ____A (Microsoft Corporation) C:\Windows\System32\CscMig.dll

2013-05-17 17:20 - 2012-10-18 21:28 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\davclnt.dll

2013-05-17 17:20 - 2012-10-18 21:28 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\cscapi.dll

2013-05-17 17:20 - 2012-10-18 21:28 - 00030208 ____A (Microsoft Corporation) C:\Windows\System32\cscdll.dll

2013-05-17 17:20 - 2012-10-18 21:27 - 00876544 ____A (Microsoft Corporation) C:\Windows\System32\advapi32.dll

2013-05-17 17:20 - 2012-10-18 21:27 - 00706560 ____A (Microsoft Corporation) C:\Windows\System32\BFE.DLL

2013-05-17 17:20 - 2012-10-18 21:27 - 00193536 ____A (Microsoft Corporation) C:\Windows\System32\appmgmts.dll

2013-05-17 17:20 - 2012-10-18 20:39 - 00206848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll

2013-05-17 17:20 - 2012-10-18 20:39 - 00031232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tcpmib.dll

2013-05-17 17:20 - 2012-10-18 20:38 - 00657920 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll

2013-05-17 17:20 - 2012-10-18 20:38 - 00118272 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SessEnv.dll

2013-05-17 17:20 - 2012-10-18 20:37 - 00566784 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netlogon.dll

2013-05-17 17:20 - 2012-10-18 20:37 - 00160768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll

2013-05-17 17:20 - 2012-10-18 20:37 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

2013-05-17 17:20 - 2012-10-18 20:35 - 01039872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Display.dll

2013-05-17 17:20 - 2012-10-18 20:35 - 00256000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore.dll

2013-05-17 17:20 - 2012-10-18 20:35 - 00216576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL

2013-05-17 17:20 - 2012-10-18 20:35 - 00194048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll

2013-05-17 17:20 - 2012-10-18 20:35 - 00115200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dot3msm.dll

2013-05-17 17:20 - 2012-10-18 20:35 - 00091136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dot3api.dll

2013-05-17 17:20 - 2012-10-18 20:35 - 00079360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll

2013-05-17 17:20 - 2012-10-18 20:35 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dot3gpclnt.dll

2013-05-17 17:20 - 2012-10-18 20:35 - 00043520 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll

2013-05-17 17:20 - 2012-10-18 20:34 - 00640512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll

2013-05-17 17:20 - 2012-10-18 20:34 - 00149504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\appmgmts.dll

2013-05-17 17:20 - 2012-10-18 20:34 - 00138752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cscobj.dll

2013-05-17 17:20 - 2012-10-18 20:34 - 00087552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll

2013-05-17 17:20 - 2012-10-18 20:34 - 00023040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cscdll.dll

2013-05-17 17:20 - 2012-10-18 20:30 - 00071680 ____A C:\Windows\System32\PrintBrmUi.exe

2013-05-17 17:20 - 2012-10-18 20:29 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wpnpinst.exe

2013-05-17 17:20 - 2012-10-18 20:02 - 00300544 ____A (Microsoft Corporation) C:\Windows\System32\rdpshell.exe

2013-05-17 17:20 - 2012-10-18 20:02 - 00275456 ____A (Microsoft Corporation) C:\Windows\System32\rdpdd.dll

2013-05-17 17:20 - 2012-10-18 20:02 - 00179712 ____A (Microsoft Corporation) C:\Windows\System32\rdpinit.exe

2013-05-17 17:20 - 2012-10-18 19:52 - 00056832 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndisuio.sys

2013-05-17 17:20 - 2012-10-18 19:50 - 00060416 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\vwififlt.sys

2013-05-17 17:20 - 2012-10-18 19:50 - 00018432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\vwifimp.sys

2013-05-17 17:20 - 2012-10-18 19:49 - 00091648 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\USBSTOR.SYS

2013-05-17 17:20 - 2012-10-18 19:49 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hidclass.sys

2013-05-17 17:20 - 2012-10-18 19:41 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tcpmonui.dll

2013-05-17 17:20 - 2012-10-18 19:41 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gpprnext.dll

2013-05-17 17:20 - 2012-10-18 19:11 - 00047104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dot3dlg.dll

2013-05-17 17:20 - 2012-10-18 19:02 - 00027136 ____A (Microsoft Corporation) C:\Windows\System32\svchost.exe

2013-05-17 17:20 - 2012-10-18 18:57 - 00009728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sscore.dll

2013-05-17 17:20 - 2012-10-18 18:55 - 00467456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\srv.sys

2013-05-17 17:20 - 2012-10-18 18:55 - 00408576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\srv2.sys

2013-05-17 17:20 - 2012-10-18 18:55 - 00158208 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb.sys

2013-05-17 17:20 - 2012-10-18 18:54 - 00516096 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\csc.sys

2013-05-17 17:20 - 2012-10-18 18:54 - 00288768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb10.sys

2013-05-17 17:20 - 2012-10-18 18:54 - 00141312 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxdav.sys

2013-05-17 17:20 - 2012-10-18 18:54 - 00128000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb20.sys

2013-05-17 17:20 - 2012-10-18 18:54 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dfsc.sys

2013-05-17 17:20 - 2012-10-18 18:40 - 00021504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe

2013-05-17 17:20 - 2012-10-18 18:34 - 00034304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cscapi.dll

2013-05-17 17:14 - 2013-02-27 06:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-17 17:14 - 2013-02-27 06:25 - 00111976 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-17 17:14 - 2013-02-27 06:23 - 14176768 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-17 17:14 - 2013-02-27 06:23 - 01931776 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-17 17:14 - 2013-02-27 06:23 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-17 17:14 - 2013-02-27 05:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-17 17:14 - 2013-02-27 05:27 - 12875776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-17 17:14 - 2013-02-27 05:27 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-17 17:12 - 2013-04-10 04:18 - 03156480 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-17 17:04 - 2013-04-10 07:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-17 17:04 - 2013-04-10 07:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-17 17:04 - 2011-02-03 12:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

==================== One Month Modified Files and Folders =======

2013-06-14 09:46 - 2013-06-14 09:46 - 01920398 ____A (Farbar) C:\Users\elliot.james\Desktop\FRST64.exe

2013-06-14 09:46 - 2013-06-14 09:46 - 00000000 ____D C:\FRST

2013-06-14 09:26 - 2013-06-14 09:26 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-06-14 09:24 - 2013-06-14 09:24 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-06-14 09:22 - 2013-06-14 09:22 - 00000000 ____D C:\Users\elliot.james\Desktop\mbar-1.06.0.1003

2013-06-14 09:20 - 2013-06-14 09:20 - 00002676 ____A C:\Users\elliot.james\Desktop\RKreport[1]_S_06142013_02d0920.txt

2013-06-14 09:20 - 2013-06-14 09:16 - 00000000 ____D C:\Users\elliot.james\Desktop\RK_Quarantine

2013-06-14 09:18 - 2012-08-08 16:18 - 00005272 ____A C:\Windows\System32\config\netlogon.ftl

2013-06-14 09:17 - 2013-06-14 09:17 - 13169742 ____A C:\Users\elliot.james\Desktop\mbar-1.06.0.1003.zip

2013-06-14 09:14 - 2013-06-14 09:14 - 00816128 ____A C:\Users\elliot.james\Desktop\RogueKiller.exe

2013-06-14 09:14 - 2013-06-14 09:14 - 00791040 ____A C:\Users\elliot.james\Desktop\RogueKillerX64.exe

2013-06-14 09:05 - 2013-06-13 12:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-14 09:00 - 2009-07-14 05:45 - 00019328 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-14 09:00 - 2009-07-14 05:45 - 00019328 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-14 08:56 - 2012-10-11 11:19 - 00000462 ____A C:\Windows\SMSCFG.ini

2013-06-14 08:54 - 2012-10-11 11:43 - 00000000 ____D C:\Users\elliot.james\Tracing

2013-06-14 08:52 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-14 08:52 - 2009-07-14 05:51 - 00052005 ____A C:\Windows\setupact.log

2013-06-14 08:50 - 2012-08-08 16:19 - 01312347 ____A C:\Windows\WindowsUpdate.log

2013-06-14 08:48 - 2013-06-14 08:48 - 04378864 ____A (Piriform Ltd) C:\Users\elliot.james\Desktop\ccsetup402.exe

2013-06-14 08:48 - 2013-06-14 08:48 - 00726464 ____A (Enigma Software Group USA, LLC.) C:\Users\elliot.james\Desktop\SpyHunter-Installer.exe

2013-06-14 08:47 - 2013-06-14 08:47 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\elliot.james\Desktop\tdsskiller.exe

2013-06-14 08:47 - 2013-06-14 08:47 - 00187464 ____A (Webroot) C:\Users\elliot.james\Desktop\antizeroaccess.exe

2013-06-14 08:34 - 2010-11-21 04:47 - 00041326 ____A C:\Windows\PFRO.log

2013-06-13 17:24 - 2012-08-08 16:21 - 00273896 _RASH C:\ProgramData\ntuser.pol

2013-06-13 14:48 - 2012-10-19 17:54 - 00000000 ____D C:\Users\elliot.james\Documents\Outlook Files

2013-06-13 13:42 - 2013-06-13 13:42 - 00372705 ____A C:\Users\elliot.james\Desktop\IFR Template.pptx

2013-06-13 12:00 - 2013-06-13 12:00 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-06-13 12:00 - 2013-06-13 12:00 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-06-13 12:00 - 2012-07-11 01:37 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-06-13 11:58 - 2012-07-11 01:18 - 00771922 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2013-06-13 11:58 - 2009-07-14 06:13 - 00771922 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-13 11:14 - 2012-10-19 16:01 - 00000000 ____D C:\Users\elliot.james\AppData\Local\CutePDF Writer

2013-06-13 08:14 - 2012-10-11 11:43 - 00017838 _RASH C:\Users\elliot.james\ntuser.pol

2013-06-13 08:14 - 2012-10-11 11:43 - 00000000 ____D C:\users\elliot.james

2013-06-12 15:41 - 2013-06-12 15:41 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2013-06-12 15:41 - 2013-06-12 15:40 - 00000000 ____D C:\Program Files\Microsoft Security Client

2013-06-12 15:41 - 2013-06-11 16:05 - 00001945 ____A C:\Windows\epplauncher.mif

2013-06-12 14:34 - 2012-02-01 20:06 - 00356520 ____A (Ask.com) C:\Users\elliot.james\Documents\ApnStub.exe

2013-06-12 12:58 - 2013-06-12 12:58 - 00000637 ____A C:\Users\elliot.james\Desktop\virus.txt

2013-06-12 08:28 - 2013-06-12 08:28 - 00000000 ____D C:\Users\elliot.james\AppData\Local\Symantec

2013-06-11 16:08 - 2013-06-11 16:08 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS

2013-06-11 16:08 - 2013-06-11 16:08 - 00007631 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT

2013-06-11 16:08 - 2013-06-11 16:08 - 00000000 ____D C:\Program Files\Symantec

2013-06-11 16:08 - 2013-06-11 16:08 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared

2013-06-11 16:06 - 2013-06-11 16:06 - 00575952 ____A (Symantec Corporation) C:\Windows\System32\SymVPN.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00458704 ____A (Symantec Corporation) C:\Windows\System32\sysfer.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00419792 ____A (Symantec Corporation) C:\Windows\SysWOW64\SymVPN.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00359888 ____A (Symantec Corporation) C:\Windows\SysWOW64\sysfer.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00157136 ____A (Symantec Corporation) C:\Windows\System32\FwsVpn.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00154904 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SysPlant.sys

2013-06-11 16:06 - 2013-06-11 16:06 - 00136144 ____A (Symantec Corporation) C:\Windows\SysWOW64\FwsVpn.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00056272 ____A (Symantec Corporation) C:\Windows\System32\snacnp.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00050128 ____A (Symantec Corporation) C:\Windows\SysWOW64\snacnp.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00044008 ____A (Symantec Corporation) C:\Windows\System32\Drivers\WGX64.SYS

2013-06-11 16:06 - 2013-06-11 16:06 - 00011728 ____A (Symantec Corporation) C:\Windows\System32\sysferThunk.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00010704 ____A (Symantec Corporation) C:\Windows\SysWOW64\sysferThunk.dll

2013-06-11 16:06 - 2013-06-11 16:06 - 00000000 ____D C:\Windows\System32\Drivers\SEP

2013-06-11 16:06 - 2013-06-11 16:06 - 00000000 ____D C:\ProgramData\regid.1992-12.com.symantec

2013-06-11 16:06 - 2013-06-11 16:06 - 00000000 ____D C:\Program Files (x86)\Symantec

2013-06-11 16:06 - 2013-06-11 16:05 - 00000000 ____D C:\ProgramData\Symantec

2013-06-11 16:04 - 2013-06-11 16:04 - 00001773 ____A C:\Windows\MSIOEQBD.mif

2013-06-11 16:04 - 2012-07-11 01:43 - 00000000 ____D C:\Program Files\Accenture

2013-05-30 18:08 - 2013-05-30 18:08 - 00913408 ____A () C:\Users\elliot.james\AppData\Roaming\hidfg.dll

2013-05-30 18:08 - 2013-05-30 18:08 - 00462848 ____A (Mise Technology,Inc) C:\Users\elliot.james\AppData\Roaming\btapro.dll

2013-05-24 20:06 - 2012-12-11 12:54 - 00000000 ____D C:\ProgramData\Skype

2013-05-24 20:05 - 2012-12-11 12:55 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-05-23 09:30 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache

2013-05-23 08:01 - 2012-12-11 12:55 - 00000000 ____D C:\Users\elliot.james\AppData\Roaming\Skype

2013-05-20 08:42 - 2013-05-20 08:42 - 00000165 ___AH C:\Users\elliot.james\Desktop\~$International Reporting.xlsx

2013-05-18 12:47 - 2009-07-14 05:45 - 00343328 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-17 17:30 - 2012-07-11 01:21 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-17 05:05 - 2013-06-13 12:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-17 04:27 - 2013-06-13 12:05 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-17 04:09 - 2013-06-13 12:06 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-17 04:02 - 2013-06-13 12:06 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-17 04:02 - 2013-06-13 12:06 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-17 04:01 - 2013-06-13 12:06 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-17 04:00 - 2013-06-13 12:06 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-17 03:58 - 2013-06-13 12:06 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-17 03:56 - 2013-06-13 12:06 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-17 03:56 - 2013-06-13 12:06 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-17 03:55 - 2013-06-13 12:06 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-17 03:54 - 2013-06-13 12:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-17 03:53 - 2013-06-13 12:06 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-17 03:51 - 2013-06-13 12:06 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-17 03:51 - 2013-06-13 12:06 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-17 03:46 - 2013-06-13 12:06 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-17 00:08 - 2013-06-13 12:05 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-16 23:49 - 2013-06-13 12:05 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-16 23:39 - 2013-06-13 12:06 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-16 23:28 - 2013-06-13 12:06 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-16 23:28 - 2013-06-13 12:06 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-16 23:27 - 2013-06-13 12:06 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-05-16 23:26 - 2013-06-13 12:06 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-05-16 23:23 - 2013-06-13 12:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-16 23:21 - 2013-06-13 12:06 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-16 23:21 - 2013-06-13 12:06 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-05-16 23:20 - 2013-06-13 12:06 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-05-16 23:19 - 2013-06-13 12:06 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-16 23:17 - 2013-06-13 12:06 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-16 23:17 - 2013-06-13 12:06 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-05-16 23:16 - 2013-06-13 12:06 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-16 23:12 - 2013-06-13 12:06 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe

[2013-05-17 17:20] - [2012-10-18 19:02] - 0027136 ____A (Microsoft Corporation) DFDE777FAF31DC25E3624E8071073146

C:\Windows\SysWOW64\svchost.exe

[2013-05-17 17:20] - [2012-10-18 18:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2013-05-17 17:20] - [2012-10-18 23:00] - 0296808 ____A (Microsoft Corporation) DF83AA1C4278E2C0E36C0479C1555A9C

LastRegBack: 2013-06-13 09:18

==================== End Of Log ============================


Managed to run GMER but keep getting the same error message mentioned earlier. Pasted below and attached:

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-06-14 12:54:33

Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST320LT0 rev.0003 298.09GB

Running: l3l7wrrg.exe; Driver: C:\Users\ELLIOT~1.JAM\AppData\Local\Temp\fxtiikob.sys

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [404:1416] 000007fefa2759a0

Thread C:\Windows\System32\svchost.exe [404:4028] 000007feef9fa2b0

Thread C:\Windows\System32\svchost.exe [404:5264] 000007fef2c088f8

Thread C:\Windows\System32\svchost.exe [404:3992] 000007fef15444e0

Thread C:\Windows\System32\svchost.exe [404:4436] 000007fef1568730

Thread C:\Windows\System32\spoolsv.exe [1520:2420] 000007fef2fa10c8

Thread C:\Windows\System32\spoolsv.exe [1520:2584] 000007fef2f66144

Thread C:\Windows\System32\spoolsv.exe [1520:2592] 000007fef1ca5fd0

Thread C:\Windows\System32\spoolsv.exe [1520:2596] 000007fef1c93438

Thread C:\Windows\System32\spoolsv.exe [1520:2600] 000007fef1ca63ec

Thread C:\Windows\System32\spoolsv.exe [1520:2608] 000007fef3125e5c

Thread C:\Windows\System32\spoolsv.exe [1520:2612] 000007fef38d5090

Thread C:\Windows\system32\svchost.exe [1612:7064] 000007fee6c35f1c

Thread C:\Windows\system32\svchost.exe [1612:6240] 000007fee965598c

Thread C:\Windows\system32\svchost.exe [1612:2724] 000007fee9652e40

Thread C:\Windows\system32\svchost.exe [1612:5236] 000007fef30b2090

Thread C:\Windows\system32\svchost.exe [1612:5576] 000007fef3095124

Thread C:\Windows\system32\taskhost.exe [2188:2344] 000007fef3562740

Thread C:\Windows\system32\taskhost.exe [2188:2580] 000007fefb961010

Thread C:\Windows\Explorer.EXE [2412:5860] 000007feec182118

Thread C:\Windows\Explorer.EXE [2412:6360] 000007fef9df2f9c

Thread C:\Windows\Explorer.EXE [2412:4116] 000007feebeda3f8

Thread C:\Windows\Explorer.EXE [2412:8980] 000007fef9df2f9c

Thread C:\Windows\Explorer.EXE [2412:7652] 000007fef9df2f9c

Thread C:\Windows\Explorer.EXE [2412:8344] 000007fedfb5f5bc

Thread C:\Windows\system32\wbem\wmiprvse.exe [3292:5596] 000007feeb555e88

Thread C:\Windows\system32\wbem\wmiprvse.exe [3292:3632] 000007feeb555e88

Thread C:\Windows\system32\wbem\wmiprvse.exe [3292:2728] 000007fefc441d74

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6472:6952] 000007fefbd72a7c

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6472:7024] 000007fef3095124

Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [7096:7144] 0000000071a232fb

Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [7096:6428] 0000000005787e41

Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [7096:700] 0000000005787137

Thread [2780:4768] 00000000777f2e25

Thread [2780:7928] 000000005982625f

Thread [2780:8468] 0000000059822b6d

Thread [2780:9108] 000000005982625f

Thread [2780:8920] 00000000746146fa

Thread [2780:3044] 000000006f0c786a

Thread [2780:2448] 000000005982625f

Thread [2780:8124] 000000005982625f

Thread [2780:6204] 00000000777f3e45

Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [8796:6620] 000000006a5817a4

---- EOF - GMER 2.1 ----


Uninstall the following:

Ask Toolbar

Ask Toolbar Updater

Symantec Endpoint Protection

Run FRST and copy the following code into the edit box and hit the search button.

search: svchost.exe
search: volsnap.sys

Post the content of search.txt

Also tell me: Is this computer part of a business network?


Thank you Psychotic. I am on a work computer, yes. But it is not connected to a work network.

Regarding Symantec, I've checked my work build profile and I should have it installed so have not removed it. I can do if you feel I should do so.

Logs for the searches pasted below:

Farbar Recovery Scan Tool (x64) Version: 16-06-2013 01

Ran by elliot.james at 2013-06-17 09:23:25

Running from C:\Users\elliot.james\Desktop

Boot Mode: Normal

================== Search: "search: svchost.exe" ===================

====== End Of Search ======

Farbar Recovery Scan Tool (x64) Version: 16-06-2013 01

Ran by elliot.james at 2013-06-17 09:24:28

Running from C:\Users\elliot.james\Desktop

Boot Mode: Normal

================== Search: "search: volsnap.sys" ===================

====== End Of Search ======


Farbar Recovery Scan Tool (x64) Version: 16-06-2013 01

Ran by elliot.james at 2013-06-17 10:36:24

Running from C:\Users\elliot.james\Desktop

Boot Mode: Normal

================== Search: "svchost.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_b839a1177cbb227f\svchost.exe

[2013-05-17 17:20] - [2012-10-18 18:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F

C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe

[2009-07-14 00:19] - [2009-07-14 02:14] - 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866

C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_14583c9b351893b5\svchost.exe

[2013-05-17 17:20] - [2012-10-18 19:02] - 0027136 ____A (Microsoft Corporation) DFDE777FAF31DC25E3624E8071073146

C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe

[2009-07-14 00:31] - [2009-07-14 02:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\SysWOW64\svchost.exe

[2013-05-17 17:20] - [2012-10-18 18:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F

C:\Windows\System32\svchost.exe

[2013-05-17 17:20] - [2012-10-18 19:02] - 0027136 ____A (Microsoft Corporation) DFDE777FAF31DC25E3624E8071073146

====== End Of Search ======


Farbar Recovery Scan Tool (x64) Version: 16-06-2013 01

Ran by elliot.james at 2013-06-17 10:39:46

Running from C:\Users\elliot.james\Desktop

Boot Mode: Normal

================== Search: "volsnap.sys" ===================

C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7601.22137_none_74539a7b2bdfd09d\volsnap.sys

[2013-05-17 17:20] - [2012-10-18 23:00] - 0296808 ____A (Microsoft Corporation) DF83AA1C4278E2C0E36C0479C1555A9C

C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_73dcbcf012b4850e\volsnap.sys

[2010-11-21 04:23] - [2010-11-21 04:23] - 0295808 ____A (Microsoft Corporation) 0D08D2F3B3FF84E433346669B5E0F639

C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys

[2010-11-21 04:23] - [2010-11-21 04:23] - 0295808 ____A (Microsoft Corporation) 0D08D2F3B3FF84E433346669B5E0F639

C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_neutral_9a08678273541d85\volsnap.sys

[2013-05-17 17:20] - [2012-10-18 23:00] - 0296808 ____A (Microsoft Corporation) DF83AA1C4278E2C0E36C0479C1555A9C

C:\Windows\System32\drivers\volsnap.sys

[2013-05-17 17:20] - [2012-10-18 23:00] - 0296808 ____A (Microsoft Corporation) DF83AA1C4278E2C0E36C0479C1555A9C

====== End Of Search ======

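One way to read the two search results above, as an added example that is not part of the original posts and is not FRST's own code: it pairs each path with its metadata line and reports, for every file outside the component store, which `winsxs`/`DriverStore` copies carry the same MD5 and which architecture they belong to. The `example.sys` entry is constructed, and the function names are hypothetical.

```python
import re

# Entries 1-4 are copied from the search output above; example.sys is constructed. Names are illustrative.
SEARCH_LOG = r"""
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_b839a1177cbb227f\svchost.exe
[2013-05-17 17:20] - [2012-10-18 18:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_14583c9b351893b5\svchost.exe
[2013-05-17 17:20] - [2012-10-18 19:02] - 0027136 ____A (Microsoft Corporation) DFDE777FAF31DC25E3624E8071073146
C:\Windows\SysWOW64\svchost.exe
[2013-05-17 17:20] - [2012-10-18 18:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
C:\Windows\System32\svchost.exe
[2013-05-17 17:20] - [2012-10-18 19:02] - 0027136 ____A (Microsoft Corporation) DFDE777FAF31DC25E3624E8071073146
C:\Windows\System32\drivers\example.sys
[2013-05-17 17:20] - [2012-10-18 23:00] - 0296808 ____A (Example Vendor) 00000000000000000000000000000000
"""

META = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - (\d+) \S+ \((.*)\) ([0-9A-Fa-f]{32})$")
STORE = re.compile(r"\\(winsxs|DriverStore)\\", re.I)     # servicing copies of system files
ARCH = re.compile(r"\\winsxs\\(amd64|x86|wow64)_", re.I)  # architecture tag of a component

def parse(log):
    """Pair each path line with the metadata line that follows it."""
    records, path = [], None
    for line in (l.strip() for l in log.splitlines()):
        m = META.match(line)
        if m and path:
            records.append({"path": path, "size": int(m.group(1)), "md5": m.group(3).upper()})
            path = None
        elif re.match(r"[A-Za-z]:\\", line):
            path = line
    return records

def check_live_files(records):
    """Map each live file to the store copies sharing its MD5 (empty list = none)."""
    store = {}
    for r in records:
        if STORE.search(r["path"]):
            store.setdefault(r["md5"], []).append(r["path"])
    return {r["path"]: store.get(r["md5"], []) for r in records if not STORE.search(r["path"])}

def store_arch(path):
    """Architecture prefix of a winsxs component directory, or None."""
    m = ARCH.search(path)
    return m.group(1).lower() if m else None

if __name__ == "__main__":
    for live, copies in check_live_files(parse(SEARCH_LOG)).items():
        archs = sorted({a for a in map(store_arch, copies) if a})
        print(live, "->", "/".join(archs) or "(no arch tag)" if copies else "NO MATCHING STORE COPY")
```

A match only shows that the live file is byte-identical to a servicing copy on the same disk; it is not a signature check, so a file with no match is something to look at rather than proof of tampering.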

Fix with FRST

  • Open notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    HKLM\...\Run: [] [x]
    HKLM-x32\...\Run: [] [x]
    SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Replace: C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_b839a1177cbb227f\svchost.exe C:\Windows\System32\svchost.exe
    Replace: C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys C:\Windows\System32\drivers\volsnap.sys


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you will find where you saved FRST. Please post it in your reply.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-06-2013 01

Ran by elliot.james at 2013-06-17 12:51:11 Run:1

Running from C:\Users\elliot.james\Desktop

Boot Mode: Normal

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.

HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.

C:\Windows\System32\svchost.exe => Could not move.

Could not replace C:\Windows\System32\svchost.exe .

C:\Windows\System32\drivers\volsnap.sys => Could not move.

Could not replace C:\Windows\System32\drivers\volsnap.sys.

==== End of Fixlog ====


Try it from Recovery Options:

Fix with FRST

  • Open notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it on a flash drive as fixlist.txt and move FRST to the same directory as well.

    Replace: C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_b839a1177cbb227f\svchost.exe C:\Windows\System32\svchost.exe
    Replace: C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys C:\Windows\System32\drivers\volsnap.sys


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options again.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

In the command window:

  • Type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.

Press the fix button.


Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.06.17.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

elliot.james :: MW7HJCMY132WQS [administrator]

Protection: Enabled

17/06/2013 12:59:27

mbam-log-2013-06-17 (12-59-27).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 234163

Time elapsed: 9 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)


This topic is now closed to further replies.