Nasty Ukash virus


Hi, I'm praying someone can help me out. I've got a newer version of the Ukash virus that will not allow me to boot in any safe mode. I was unable to do anything but load a boot scan program onto a USB drive and boot from there, but I've tried 3 different removal programs and nothing seems to work. Just recently I was able to get access to the Task Manager by sheer luck as I tried to reboot, and I've started to run various online scans, but I am scared to turn off the computer in case I cannot get access to the Task Manager again. Is there a way to verify the virus has been removed before I restart, or is there another path I can take? Thanks in advance.

Hi there,

My name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add or remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

Which Windows version is installed? Also tell me whether it is 32- or 64-bit!

Create a BartPE boot disk by following these instructions:

http://www.winhelpon...ing-pe-builder/

When finished, download Farbar's Recovery Scan Tool and save it to a USB disk: http://www.bleepingc...can-tool/dl/81/

Plug the USB drive into the infected computer, insert the created CD and boot into BartPE.

Run FRST.exe and click on Scan. The tool will create two logfiles on the USB drive; post their content here.

Frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-06-2013 01

Ran by User (administrator) on 17-06-2013 03:40:15

Running from I:\

Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Normal

==================== Processes (Whitelisted) ===================

() C:\Program Files\RSI\RSIInterfaceControl\CallAccounting\CallAccounting.exe

() C:\Program Files\Cash\HSDCashCosterService.exe

() C:\Program Files\Cash\HSDCashLogService.exe

() C:\Program Files\Cash\HSDCashPMSService.exe

() C:\Program Files\CashPlus\HSDRptService.exe

(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe

() C:\Program Files\RSI\RSIInterfaceControl\RSIInterfaceMonitor\RSIInterfaceMonitor.exe

(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

(OTi) C:\WINDOWS\system32\UStorSrv.exe

(TightVNC Group) C:\Program Files\TightVNC\WinVNC.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\BM\TMBMSRV.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe

(Anvisoft) C:\Program Files\Anvisoft\Anvi Smart Defender\ASDSrv.exe

(Anvisoft) C:\Program Files\Anvisoft\Anvi Smart Defender\ASDTray.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE

(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe

(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe

(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe

() C:\Program Files\CashPlus\HSDPopupMonitor.exe

(Twain Working Group) C:\WINDOWS\twunk_32.exe

(Twain Working Group) C:\WINDOWS\twunk_32.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

() C:\Program Files\RSI\RSIInterfaceControl\PBX\PBX.exe

(Twain Working Group) C:\WINDOWS\twunk_32.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow [874832 2010-12-30] (Trend Micro Inc.)

HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]

HKLM\...\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper [589824 2007-05-07] (TightVNC Group)

HKLM\...\Run: [Anvi Smart Defender] C:\Program Files\Anvisoft\Anvi Smart Defender\ASDTray.exe [1563720 2013-06-08] (Anvisoft)

HKLM\...\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto [169984 2008-04-14] (Microsoft Corporation)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)

Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)

HKCU\...\Run: [Adobe CSS5.1 Manager] C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe [209920 2013-06-15] () <===== ATTENTION

HKCU\...\RunOnce: [Adobe CSS5.1 Manager] C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe [209920 2013-06-15] () <===== ATTENTION

HKCU\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [26112 2008-04-14] (Microsoft Corporation)

HKCU\...\Winlogon: [shell] C:\Documents and Settings\User\Application Data\dbu32.ocx,explorer.exe <==== ATTENTION

MountPoints2: {10018045-bc15-11de-bb76-002618aa9b07} - G:\LaunchU3.exe -a

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cash+ Alert Popup.lnk

ShortcutTarget: Cash+ Alert Popup.lnk -> C:\Program Files\CashPlus\HSDPopupMonitor.exe ()

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Serial Export.lnk

ShortcutTarget: Serial Export.lnk -> C:\Program Files\Cash\Cashco32.exe (Hansen Software Development)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUxdm778YYCA&ptb=wDVcR_FAUQCp46ux5ymHbw&ind=2011040111&ptnrS=ZUxdm778YYCA&si=&n=77de096f&psa=&st=sb&searchfor={searchTerms}

SearchScopes: HKCU - {046EC026-69A5-43B6-9FA4-0B2B5453F386} URL = http://www.google.ca/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7SUNC_en

SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC

SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =

SearchScopes: HKCU - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL =

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

Toolbar: HKCU -No Name - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File

Toolbar: HKCU -No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: ipp - No CLSID Value -

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

Handler: msdaipp - No CLSID Value -

Hosts file not detected in the default directory

Tcpip\..\Interfaces\{4DACC828-A817-4472-AE76-AF79CFA67085}: [NameServer]8.8.8.8,8.8.4.4

Tcpip\..\Interfaces\{D156F5F3-3CD1-47AF-8AF5-58682C60A5D3}: [NameServer]8.8.8.8,8.8.4.4

Chrome:

=======

CHR HomePage: hxxp://search.conduit.com/?ctid=CT3201318&SearchSource=48

CHR RestoreOnStartup: "hxxp://search.conduit.com/?ctid=CT3201318&SearchSource=48"

CHR DefaultSearchURL: (Conduit) - http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3201318

CHR DefaultSuggestURL: (Conduit) - "suggest_url": ""

CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\pdf.dll ()

CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (Java Deployment Toolkit 6.0.230.5) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)

CHR Plugin: (Java Platform SE 6 U23) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)

CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))

CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)

CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)

CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File

CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)

CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)

CHR Plugin: (Shockwave for Director) - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

CHR Extension: (FLV Runner) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ahilkiibpgjnonbhdfkkgjddddmapala\10.16.4.512_0

========================== Services (Whitelisted) =================

R2 asdsrv; C:\Program Files\Anvisoft\Anvi Smart Defender\ASDSrv.exe [739400 2013-06-08] (Anvisoft)

R2 CallAccounting; C:\Program Files\RSI\RSIInterfaceControl\CallAccounting\CallAccounting.exe [35840 2010-12-10] ()

S2 HidServ; C:\Windows\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)

R2 HSDCashCosterService; C:\Program Files\Cash\HSDCashCosterService.exe [13312 2012-11-05] ()

R2 HSDCashLogService; C:\Program Files\Cash\HSDCashLogService.exe [22528 2012-11-05] ()

R2 HSDCashPMSService; C:\Program Files\Cash\HSDCashPMSService.exe [14336 2012-11-05] ()

R2 HSDCashReportService; C:\Program Files\CashPlus\HSDRptService.exe [16896 2012-11-05] ()

R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [458464 2012-02-02] (Intel® Corporation)

R2 InterfaceMonitor; C:\Program Files\RSI\RSIInterfaceControl\RSIInterfaceMonitor\RSIInterfaceMonitor.exe [41472 2010-06-24] ()

S2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)

S4 LLPTSService; C:\Program Files\Comtrol Corporation\Lodging Link PTS\LLPTSService.exe [364544 2004-08-03] ()

R2 MSSQL$SNAPSCHEDULE; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)

R2 ntrtscan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [1509312 2010-12-16] (Trend Micro Inc.)

R2 PBX; C:\Program Files\RSI\RSIInterfaceControl\PBX\PBX.exe [75264 2009-10-02] ()

S2 SimpleHelpSimpleGatewayService; C:\Program Files\SimpleHelpService\SimpleService.exe [94616 2011-02-04] ()

R3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [345424 2010-06-15] (Trend Micro Inc.)

R2 tmlisten; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [1597120 2010-12-16] (Trend Micro Inc.)

S3 TmProxy; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [689416 2010-04-24] (Trend Micro Inc.)

R2 UStorage Server Service; C:\WINDOWS\system32\UStorSrv.exe [139264 2006-02-17] (OTi)

R2 winvnc; C:\Program Files\TightVNC\WinVNC.exe [589824 2007-05-07] (TightVNC Group)

S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S3 Ambfilt; C:\Windows\System32\drivers\Ambfilt.sys [1691480 2009-11-17] (Creative)

R1 asdrm; C:\Windows\System32\DRIVERS\asdrm.sys [16208 2012-11-07] (Anvisoft)

R2 asdrs; C:\WINDOWS\system32\DRIVERS\asdrs.sys [22864 2012-11-07] (Anvisoft)

R1 asdws; C:\Windows\System32\DRIVERS\asdws.sys [14160 2012-11-07] ()

S1 chreevbq; C:\WINDOWS\system32\drivers\chreevbq.sys [43600 2013-06-17] (Microsoft Corporation)

R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [13560 2013-05-16] (GFI Software)

R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows ® Server 2003 DDK provider)

S3 L1e; C:\Windows\System32\DRIVERS\l1e51x86.sys [39424 2009-08-05] (Atheros Communications, Inc.)

R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-06-17] (Malwarebytes Corporation)

R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [46080 2011-11-10] (Intel Corporation)

S3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1395800 2009-11-17] (Creative Technology Ltd.)

S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()

R3 OxMf; C:\Windows\System32\DRIVERS\OxMf.sys [52016 2012-08-29] (OEM)

R3 OxSer; C:\Windows\System32\DRIVERS\OxSer.sys [84272 2012-08-29] (OEM)

R3 RTLE8023xp; C:\Windows\System32\DRIVERS\Rtenicxp.sys [323816 2011-08-24] (Realtek Semiconductor Corporation )

R2 tmactmon; C:\WINDOWS\system32\drivers\tmactmon.sys [67664 2010-12-07] (Trend Micro Inc.)

R2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [257928 2012-07-26] (Trend Micro Inc.)

R2 tmevtmgr; C:\WINDOWS\system32\drivers\tmevtmgr.sys [57424 2010-12-07] (Trend Micro Inc.)

R2 TmFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [264504 2012-07-17] (Trend Micro Inc.)

R2 TmPreFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36664 2012-07-17] (Trend Micro Inc.)

R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [90448 2010-12-07] (Trend Micro Inc.)

S3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [845184 2008-07-25] (VIA Technologies, Inc.)

R2 VSApiNt; C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys [1515232 2012-07-17] (Trend Micro Inc.)

S4 Abiosdsk; No ImagePath

S4 abp480n5; No ImagePath

S4 adpu160m; No ImagePath

S4 Aha154x; No ImagePath

S4 aic78u2; No ImagePath

S4 aic78xx; No ImagePath

S4 AliIde; No ImagePath

S4 amsint; No ImagePath

S4 asc; No ImagePath

S4 asc3350p; No ImagePath

S4 asc3550; No ImagePath

S4 Atdisk; No ImagePath

S4 cd20xrnt; No ImagePath

S1 Changer; No ImagePath

S4 CmdIde; No ImagePath

S4 Cpqarray; No ImagePath

U4 dac2w2k; No ImagePath

S4 dac960nt; No ImagePath

S4 dpti2o; No ImagePath

S4 hpn; No ImagePath

S1 i2omgmt; No ImagePath

S4 i2omp; No ImagePath

S4 ini910u; No ImagePath

S4 IntelIde; No ImagePath

S1 lbrtfdc; No ImagePath

S4 mraid35x; No ImagePath

S1 PCIDump; No ImagePath

S3 PDCOMP; No ImagePath

S3 PDFRAME; No ImagePath

S3 PDRELI; No ImagePath

S3 PDRFRAME; No ImagePath

S4 perc2; No ImagePath

S4 perc2hib; No ImagePath

S4 ql1080; No ImagePath

S4 Ql10wnt; No ImagePath

S4 ql12160; No ImagePath

S4 ql1240; No ImagePath

S4 ql1280; No ImagePath

S4 Simbad; No ImagePath

S4 Sparrow; No ImagePath

S4 symc810; No ImagePath

S4 symc8xx; No ImagePath

S4 sym_hi; No ImagePath

S4 sym_u3; No ImagePath

S4 TosIde; No ImagePath

S4 ultra; No ImagePath

S4 ViaIde; No ImagePath

S3 WDICA; No ImagePath

U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-17 03:39 - 2013-06-17 03:39 - 00000000 ____D C:\FRST

2013-06-17 03:18 - 2013-06-17 03:19 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2013-06-17 03:18 - 2013-06-17 03:18 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Documents and Settings\User\Application Data\Malwarebytes

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes

2013-06-17 03:18 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-06-17 03:12 - 2013-06-17 03:12 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\chreevbq.sys

2013-06-17 03:12 - 2013-06-17 03:12 - 00000000 ____D C:\Windows\System32\MpEngineStore

2013-06-17 02:52 - 2013-06-17 02:52 - 00000311 ____A C:\Documents and Settings\User\Local Settings\Application Data\poetsch.bat

2013-06-16 23:51 - 2013-06-16 23:51 - 00000837 ____A C:\Documents and Settings\All Users\Desktop\Anvi Smart Defender.lnk

2013-06-16 23:51 - 2012-11-07 01:16 - 00022864 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrs.sys

2013-06-16 23:51 - 2012-11-07 01:16 - 00016208 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrm.sys

2013-06-16 23:51 - 2012-11-07 01:16 - 00014160 ____A C:\Windows\System32\Drivers\asdws.sys

2013-06-16 23:23 - 2013-06-16 23:23 - 00060676 ____A C:\Windows\ews.gnl

2013-06-16 14:31 - 2013-06-16 14:33 - 00000004 ____A C:\Documents and Settings\User\Application Data\AltShell.ini

2013-06-15 23:08 - 2013-06-16 23:51 - 00000000 ____D C:\Documents and Settings\User\Application Data\Anvisoft

2013-06-15 23:07 - 2013-06-15 23:07 - 00000000 ____D C:\Program Files\Anvisoft

2013-06-15 23:07 - 2013-06-15 23:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Anvisoft

2013-06-15 23:04 - 2013-06-15 23:04 - 00000000 __SHD C:\found.000

2013-06-15 19:24 - 2013-06-15 20:02 - 00000000 ____D C:\Windows\Microsoft Antimalware

2013-06-15 18:16 - 2013-06-15 18:22 - 25747872 ____A C:\asdsetup.exe

2013-06-15 18:14 - 2013-06-15 18:14 - 33554432 ____A C:\Windows\System32\config\software.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 11272192 ____A C:\Windows\System32\config\system.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00524288 ____A C:\Windows\System32\config\default.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00262144 ____A C:\Windows\System32\config\SAM.bhv

2013-06-15 17:51 - 2013-06-15 17:51 - 00000000 ___AD C:\$Anvi Rescue Disk$

2013-06-15 13:42 - 2013-06-15 13:42 - 00001984 ____A C:\Documents and Settings\User\Local Settings\Application Data\d3d9caps.tmp

2013-06-15 13:15 - 2013-06-15 13:15 - 00000370 ___AH C:\Windows\Tasks\{B6928638-BBB8-4E12-9A5D-09911B31D2F2}.job

2013-06-15 13:15 - 2013-06-15 13:15 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 12:02 - 2013-06-15 12:02 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:48 - 2013-06-15 11:48 - 00000238 ___AH C:\Windows\Tasks\{C840C9D3-09E1-4416-AC2D-C00E26E18C16}.job

2013-06-15 11:48 - 2013-06-15 11:48 - 00000000 ____D C:\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:43 - 2013-06-16 23:43 - 00029386 ____A C:\Windows\gnqxwhf.qbc

2013-06-15 11:43 - 2013-06-16 23:23 - 00104168 ____A C:\Windows\fdbb.zof

2013-06-15 11:43 - 2013-06-16 23:22 - 00256349 ____A C:\Windows\qwqwihb.eji

2013-06-15 11:43 - 2013-06-15 11:44 - 00041086 ____A C:\Windows\tbu.fhg

2013-06-15 11:43 - 2013-06-15 11:43 - 00150093 ____A C:\Windows\cmjmvvf.mdl

2013-06-15 11:43 - 2013-06-15 11:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\olx

2013-06-15 11:42 - 2013-06-16 23:22 - 00037656 ____A C:\Windows\rlw.ijb

2013-06-15 11:42 - 2013-06-15 11:42 - 00133632 ____A (Bloodshed Software) C:\Documents and Settings\User\empb.tmp

2013-06-15 11:40 - 2013-06-15 11:40 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-13 03:01 - 2013-06-13 03:01 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$

2013-06-13 03:00 - 2013-06-13 03:00 - 00012189 ____A C:\Windows\KB2838727-IE8.log

2013-06-12 03:14 - 2013-06-13 03:01 - 00016105 ____A C:\Windows\KB2839229.log

2013-05-20 13:06 - 2013-05-20 13:06 - 00004096 ___AH C:\Documents and Settings\User\Local Settings\Application Data\keyfile3.drm

==================== One Month Modified Files and Folders ========

2013-06-17 03:40 - 2009-10-13 12:40 - 00000000 ____D C:\Program Files\Cash

2013-06-17 03:39 - 2013-06-17 03:39 - 00000000 ____D C:\FRST

2013-06-17 03:37 - 2011-04-22 13:45 - 00000420 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{8522F79A-4174-49F6-884A-2CBC916745D1}.job

2013-06-17 03:19 - 2013-06-17 03:18 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2013-06-17 03:18 - 2013-06-17 03:18 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Documents and Settings\User\Application Data\Malwarebytes

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes

2013-06-17 03:12 - 2013-06-17 03:12 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\chreevbq.sys

2013-06-17 03:12 - 2013-06-17 03:12 - 00000000 ____D C:\Windows\System32\MpEngineStore

2013-06-17 03:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At4.job

2013-06-17 03:10 - 2012-11-19 10:46 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-06-17 03:01 - 2011-04-25 12:14 - 00000232 ____A C:\Windows\Tasks\Scheduled Update for Ask Toolbar.job

2013-06-17 03:00 - 2009-10-13 03:32 - 00000211 ___SH C:\boot.ini

2013-06-17 03:00 - 2008-04-14 06:00 - 00000634 ____A C:\Windows\win.ini

2013-06-17 03:00 - 2008-04-14 06:00 - 00000227 ____A C:\Windows\system.ini

2013-06-17 02:57 - 2009-10-13 09:54 - 00032186 ____A C:\Windows\SchedLgU.Txt

2013-06-17 02:57 - 2009-10-13 09:47 - 01683810 ____A C:\Windows\WindowsUpdate.log

2013-06-17 02:56 - 2012-12-12 02:59 - 00000000 ____D C:\Program Files\VideoPerformer

2013-06-17 02:56 - 2012-05-22 20:52 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-17 02:52 - 2013-06-17 02:52 - 00000311 ____A C:\Documents and Settings\User\Local Settings\Application Data\poetsch.bat

2013-06-17 02:27 - 2013-05-16 18:16 - 00000036 ____A C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache

2013-06-17 02:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At3.job

2013-06-17 01:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At2.job

2013-06-17 00:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At1.job

2013-06-16 23:58 - 2011-09-09 19:11 - 00181808 ___AC C:\Windows\RegBootClean.exe

2013-06-16 23:51 - 2013-06-16 23:51 - 00000837 ____A C:\Documents and Settings\All Users\Desktop\Anvi Smart Defender.lnk

2013-06-16 23:51 - 2013-06-15 23:08 - 00000000 ____D C:\Documents and Settings\User\Application Data\Anvisoft

2013-06-16 23:43 - 2013-06-15 11:43 - 00029386 ____A C:\Windows\gnqxwhf.qbc

2013-06-16 23:39 - 2011-03-28 22:52 - 00000664 ____A C:\Windows\System32\d3d9caps.dat

2013-06-16 23:23 - 2013-06-16 23:23 - 00060676 ____A C:\Windows\ews.gnl

2013-06-16 23:23 - 2013-06-15 11:43 - 00104168 ____A C:\Windows\fdbb.zof

2013-06-16 23:22 - 2013-06-15 11:43 - 00256349 ____A C:\Windows\qwqwihb.eji

2013-06-16 23:22 - 2013-06-15 11:42 - 00037656 ____A C:\Windows\rlw.ijb

2013-06-16 23:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At24.job

2013-06-16 22:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At23.job

2013-06-16 21:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At22.job

2013-06-16 20:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At21.job

2013-06-16 19:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At20.job

2013-06-16 18:21 - 2009-10-13 03:34 - 00783030 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-16 18:17 - 2012-11-19 10:46 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-06-16 18:17 - 2009-10-13 09:57 - 00000062 __ASH C:\Documents and Settings\User\Local Settings\desktop.ini

2013-06-16 18:17 - 2009-10-13 09:54 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini

2013-06-16 18:17 - 2009-10-13 09:54 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-16 18:17 - 2008-04-14 06:00 - 00012598 ____A C:\Windows\System32\wpa.dbl

2013-06-16 18:16 - 2009-10-13 09:57 - 00000278 ___SH C:\Documents and Settings\User\ntuser.ini

2013-06-16 18:16 - 2009-10-13 09:53 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini

2013-06-16 15:11 - 2009-10-13 10:06 - 00000000 __SHD C:\Windows\CSC

2013-06-16 14:33 - 2013-06-16 14:31 - 00000004 ____A C:\Documents and Settings\User\Application Data\AltShell.ini

2013-06-16 14:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At15.job

2013-06-15 23:07 - 2013-06-15 23:07 - 00000000 ____D C:\Program Files\Anvisoft

2013-06-15 23:07 - 2013-06-15 23:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Anvisoft

2013-06-15 23:04 - 2013-06-15 23:04 - 00000000 __SHD C:\found.000

2013-06-15 20:02 - 2013-06-15 19:24 - 00000000 ____D C:\Windows\Microsoft Antimalware

2013-06-15 18:22 - 2013-06-15 18:16 - 25747872 ____A C:\asdsetup.exe

2013-06-15 18:14 - 2013-06-15 18:14 - 33554432 ____A C:\Windows\System32\config\software.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 11272192 ____A C:\Windows\System32\config\system.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00524288 ____A C:\Windows\System32\config\default.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00262144 ____A C:\Windows\System32\config\SAM.bhv

2013-06-15 18:14 - 2011-09-09 18:02 - 00000000 ____D C:\Program Files\TightVNC

2013-06-15 18:00 - 2011-04-25 12:31 - 00370558 ___AC C:\Windows\setupapi.log

2013-06-15 17:51 - 2013-06-15 17:51 - 00000000 ___AD C:\$Anvi Rescue Disk$

2013-06-15 17:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At18.job

2013-06-15 13:42 - 2013-06-15 13:42 - 00001984 ____A C:\Documents and Settings\User\Local Settings\Application Data\d3d9caps.tmp

2013-06-15 13:15 - 2013-06-15 13:15 - 00000370 ___AH C:\Windows\Tasks\{B6928638-BBB8-4E12-9A5D-09911B31D2F2}.job

2013-06-15 13:15 - 2013-06-15 13:15 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 13:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At14.job

2013-06-15 12:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At13.job

2013-06-15 12:02 - 2013-06-15 12:02 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:48 - 2013-06-15 11:48 - 00000238 ___AH C:\Windows\Tasks\{C840C9D3-09E1-4416-AC2D-C00E26E18C16}.job

2013-06-15 11:48 - 2013-06-15 11:48 - 00000000 ____D C:\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:44 - 2013-06-15 11:43 - 00041086 ____A C:\Windows\tbu.fhg

2013-06-15 11:43 - 2013-06-15 11:43 - 00150093 ____A C:\Windows\cmjmvvf.mdl

2013-06-15 11:43 - 2013-06-15 11:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\olx

2013-06-15 11:42 - 2013-06-15 11:42 - 00133632 ____A (Bloodshed Software) C:\Documents and Settings\User\empb.tmp

2013-06-15 11:40 - 2013-06-15 11:40 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At12.job

2013-06-15 10:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At11.job

2013-06-15 09:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At10.job

2013-06-15 08:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At9.job

2013-06-15 07:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At8.job

2013-06-15 06:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At7.job

2013-06-15 05:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At6.job

2013-06-15 04:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At5.job

2013-06-15 03:18 - 2011-02-04 12:34 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\CutePDF Writer

2013-06-15 03:17 - 2011-05-17 04:38 - 00000000 ____D C:\Documents and Settings\User\Desktop\Night Audit

2013-06-14 18:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At19.job

2013-06-14 16:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At17.job

2013-06-14 15:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At16.job

2013-06-13 04:39 - 2012-12-17 21:30 - 00001156 ____A C:\Windows\DCEBOOT.RST

2013-06-13 04:39 - 2012-12-17 21:30 - 00000000 ____A C:\Windows\DCEBOOT.LOG

2013-06-13 04:38 - 2011-05-13 23:47 - 00000216 ___AC C:\Windows\wiadebug.log

2013-06-13 04:38 - 2011-05-13 23:47 - 00000048 ___AC C:\Windows\wiaservc.log

2013-06-13 03:01 - 2013-06-13 03:01 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$

2013-06-13 03:01 - 2013-06-12 03:14 - 00016105 ____A C:\Windows\KB2839229.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00732725 ____A C:\Windows\iis6.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00686921 ____A C:\Windows\FaxSetup.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00330976 ____A C:\Windows\ocgen.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00314905 ____A C:\Windows\tsoc.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00226094 ____A C:\Windows\comsetup.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00206572 ____A C:\Windows\msmqinst.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00137437 ____A C:\Windows\ntdtcsetup.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00120722 ____A C:\Windows\netfxocm.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00047469 ____A C:\Windows\MedCtrOC.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00038089 ____A C:\Windows\ocmsn.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00034521 ____A C:\Windows\tabletoc.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00034469 ____A C:\Windows\msgsocm.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00001809 ____A C:\Windows\imsins.log

2013-06-13 03:01 - 2009-11-30 12:22 - 00000000 ____D C:\Documents and Settings\User\Application Data\Ahead

2013-06-13 03:00 - 2013-06-13 03:00 - 00012189 ____A C:\Windows\KB2838727-IE8.log

2013-06-13 03:00 - 2011-06-16 03:02 - 00060394 ____A C:\Windows\updspapi.log

2013-06-13 03:00 - 2011-06-16 03:01 - 00001809 ____A C:\Windows\imsins.BAK

2013-06-13 03:00 - 2009-10-13 11:46 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-06-13 00:46 - 2011-05-14 13:48 - 00000069 ___AC C:\Windows\NeroDigital.ini

2013-06-11 23:57 - 2013-04-09 03:44 - 00000000 ____D C:\Documents and Settings\User\Desktop\Labour Expense Report

2013-06-11 14:56 - 2012-05-22 20:52 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-06-11 14:56 - 2011-07-10 09:54 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-06-05 23:11 - 2012-11-19 10:47 - 00001813 ____A C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

2013-05-31 12:26 - 2012-11-08 15:42 - 00072192 ____A C:\Documents and Settings\User\Desktop\Front Desk Schedule.xls

2013-05-29 00:06 - 2012-12-16 23:22 - 00022064 ____A C:\Windows\DCEBoot.exe

2013-05-20 13:07 - 2013-05-13 13:34 - 00188071 ____A C:\Documents and Settings\User\Desktop\2013 Labour Expense Report LHREIT revised Jan 2013.xlsx

2013-05-20 13:06 - 2013-05-20 13:06 - 00004096 ___AH C:\Documents and Settings\User\Local Settings\Application Data\keyfile3.drm

Files to move or delete:

====================

C:\Documents and Settings\User\g2ax_customer_downloadhelper_win32_x86.exe

C:\Documents and Settings\User\Application Data\AltShell.dat

C:\Documents and Settings\User\Application Data\AltShell.ini

C:\Windows\Tasks\At1.job

C:\Windows\Tasks\At10.job

C:\Windows\Tasks\At11.job

C:\Windows\Tasks\At12.job

C:\Windows\Tasks\At13.job

C:\Windows\Tasks\At14.job

C:\Windows\Tasks\At15.job

C:\Windows\Tasks\At16.job

C:\Windows\Tasks\At17.job

C:\Windows\Tasks\At18.job

C:\Windows\Tasks\At19.job

C:\Windows\Tasks\At2.job

C:\Windows\Tasks\At20.job

C:\Windows\Tasks\At21.job

C:\Windows\Tasks\At22.job

C:\Windows\Tasks\At23.job

C:\Windows\Tasks\At24.job

C:\Windows\Tasks\At3.job

C:\Windows\Tasks\At4.job

C:\Windows\Tasks\At5.job

C:\Windows\Tasks\At6.job

C:\Windows\Tasks\At7.job

C:\Windows\Tasks\At8.job

C:\Windows\Tasks\At9.job

C:\Windows\Tasks\{B6928638-BBB8-4E12-9A5D-09911B31D2F2}.job

C:\Windows\Tasks\{C840C9D3-09E1-4416-AC2D-C00E26E18C16}.job

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-06-2013 01

Ran by User at 2013-06-17 03:40:57 Run:

Running from I:\

Boot Mode: Normal

==========================================================

==================== Installed Programs =======================

Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)

Adobe Reader X (10.1.1) (Version: 10.1.1)

Adobe Reader XI (11.0.03) (Version: 11.0.03)

Adobe Shockwave Player 11.6 (Version: 11.6.4.634)

Anvi Smart Defender 1.9 (Version: 1.9)

Ask Toolbar (Version: 1.11.3.0)

Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver (Version: 1.0.0.30)

CASH Call Accounting

CASH+ Client

CASH+ Log Service

CASH+ PMS Service

Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)

CutePDF Writer 2.8

East Call Accounting

Foxit Reader (Version: 4.3.1.323)

Google Chrome (Version: 27.0.1453.110)

Google Toolbar for Internet Explorer (Version: 1.0.0)

Google Update Helper (Version: 1.3.21.145)

HijackThis 2.0.2 (Version: 2.0.2)

Imation Disk Manager V a Service

Intel® Management Engine Components (Version: 8.0.2.1410)

Intel® Processor Graphics (Version: 6.14.10.5398)

Intel® Solid-State Drive Toolbox (Version: 2.02.000)

Intel® Trusted Connect Service Client (Version: 1.23.605.1)

Java Auto Updater (Version: 2.0.2.4)

Java 6 Update 23 (Version: 6.0.230)

Lodging Link PTS

Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)

Microsoft .NET Framework 1.1 (Version: 1.1.4322)

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB2656370)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)

Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)

Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)

Microsoft .NET Framework 4 Extended (Version: 4.0.30319)

Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft Office 2000 SR-1 Disc 2 (Version: 9.00.9327)

Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)

Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Express Edition (SNAPSCHEDULE) (Version: 9.4.5000.00)

Microsoft SQL Server 2005 Tools Express Edition (Version: 9.4.5000.00)

Microsoft SQL Server Native Client (Version: 9.00.5000.00)

Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)

Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)

MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)

MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)

MSXML 6.0 Parser (Version: 6.10.1129.0)

Nero 7 Essentials (Version: 7.03.1303)

neroxml (Version: 1.0.0)

PDF24 Creator 5.4.0

PL-2303 USB-to-Serial

Platform (Version: 1.27)

Realtek High Definition Audio Driver (Version: 5.10.0.6526)

RoomKey™ by RSI

RSIInterfaceControl (Version: 1.0.0)

Snap Schedule Premium 2011 (Version: 4.0.4.0)

swMSM (Version: 12.0.0.1)

TightVNC 1.3.9 (Version: 1.3.9)

Trend Micro OfficeScan Client (Version: 10.5)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)

Update for Windows Internet Explorer 8 (KB973874) (Version: 1)

Update for Windows Internet Explorer 8 (KB976662) (Version: 1)

Update for Windows Internet Explorer 8 (KB976749) (Version: 1)

Update for Windows Internet Explorer 8 (KB980182) (Version: 1)

Update for Windows XP (KB2541763) (Version: 1)

Update for Windows XP (KB2607712) (Version: 1)

Update for Windows XP (KB2616676-v2) (Version: 2)

Update for Windows XP (KB2641690) (Version: 1)

Update for Windows XP (KB2661254-v2) (Version: 2)

Update for Windows XP (KB2718704) (Version: 1)

Update for Windows XP (KB2736233) (Version: 1)

Update for Windows XP (KB2749655) (Version: 1)

VIA Platform Device Manager (Version: 1.27)

WebFldrs XP (Version: 9.50.7523)

Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)

Windows Internet Explorer 8 (Version: 20090308.140743)

Windows Media Format 11 runtime

Windows Media Player 11

Windows Rights Management Client Backwards Compatibility SP2 (Version: 5.2.70)

Windows Rights Management Client with Service Pack 2 (Version: 5.2.70)

==================== Restore Points =========================

19-03-2013 09:00:12 Software Distribution Service 3.0

20-03-2013 09:00:12 Software Distribution Service 3.0

21-03-2013 09:00:12 Software Distribution Service 3.0

22-03-2013 09:00:12 Software Distribution Service 3.0

23-03-2013 04:48:17 Software Distribution Service 3.0

23-03-2013 04:50:20 Software Distribution Service 3.0

23-03-2013 09:00:12 Software Distribution Service 3.0

23-03-2013 13:59:34 Software Distribution Service 3.0

24-03-2013 09:00:12 Software Distribution Service 3.0

25-03-2013 09:00:12 Software Distribution Service 3.0

26-03-2013 09:00:12 Software Distribution Service 3.0

27-03-2013 09:00:12 Software Distribution Service 3.0

28-03-2013 09:00:12 Software Distribution Service 3.0

29-03-2013 09:00:12 Software Distribution Service 3.0

30-03-2013 09:00:12 Software Distribution Service 3.0

31-03-2013 09:00:12 Software Distribution Service 3.0

01-04-2013 09:00:12 Software Distribution Service 3.0

02-04-2013 09:00:12 Software Distribution Service 3.0

03-04-2013 09:00:12 Software Distribution Service 3.0

04-04-2013 09:00:12 Software Distribution Service 3.0

05-04-2013 09:00:12 Software Distribution Service 3.0

06-04-2013 09:00:12 Software Distribution Service 3.0

07-04-2013 09:00:12 Software Distribution Service 3.0

08-04-2013 09:00:12 Software Distribution Service 3.0

09-04-2013 09:00:12 Software Distribution Service 3.0

09-04-2013 20:40:12 Software Distribution Service 3.0

10-04-2013 09:00:12 Software Distribution Service 3.0

11-04-2013 09:00:12 Software Distribution Service 3.0

12-04-2013 09:00:13 Software Distribution Service 3.0

12-04-2013 18:36:24 Software Distribution Service 3.0

12-04-2013 22:53:16 Printer Driver PDF24 PDF Installed

13-04-2013 23:28:26 System Checkpoint

14-04-2013 23:38:25 System Checkpoint

16-04-2013 00:47:47 System Checkpoint

17-04-2013 01:57:15 System Checkpoint

18-04-2013 03:08:25 System Checkpoint

19-04-2013 03:14:40 System Checkpoint

20-04-2013 04:13:38 System Checkpoint

21-04-2013 04:13:40 System Checkpoint

22-04-2013 05:14:45 System Checkpoint

23-04-2013 05:17:52 System Checkpoint

24-04-2013 06:14:45 System Checkpoint

25-04-2013 07:13:40 System Checkpoint

26-04-2013 07:43:41 System Checkpoint

27-04-2013 08:46:40 System Checkpoint

28-04-2013 10:11:38 System Checkpoint

29-04-2013 10:12:15 System Checkpoint

30-04-2013 10:13:40 System Checkpoint

01-05-2013 10:30:48 System Checkpoint

02-05-2013 11:13:40 System Checkpoint

03-05-2013 12:14:45 System Checkpoint

04-05-2013 12:16:46 System Checkpoint

05-05-2013 14:19:25 System Checkpoint

06-05-2013 15:48:14 System Checkpoint

07-05-2013 15:52:21 System Checkpoint

08-05-2013 16:14:45 System Checkpoint

09-05-2013 17:36:14 System Checkpoint

10-05-2013 18:35:59 System Checkpoint

11-05-2013 18:41:32 System Checkpoint

12-05-2013 21:26:31 System Checkpoint

14-05-2013 00:07:37 System Checkpoint

15-05-2013 01:26:48 System Checkpoint

15-05-2013 17:26:08 Software Distribution Service 3.0

16-05-2013 09:00:12 Software Distribution Service 3.0

16-05-2013 22:35:48 Software Distribution Service 3.0

17-05-2013 22:45:10 System Checkpoint

18-05-2013 23:17:23 System Checkpoint

19-05-2013 23:43:46 System Checkpoint

21-05-2013 02:00:42 System Checkpoint

22-05-2013 02:04:48 System Checkpoint

23-05-2013 03:06:07 System Checkpoint

24-05-2013 03:47:34 System Checkpoint

25-05-2013 04:08:50 System Checkpoint

26-05-2013 10:27:55 System Checkpoint

27-05-2013 10:42:49 System Checkpoint

28-05-2013 13:10:08 System Checkpoint

29-05-2013 13:43:59 System Checkpoint

30-05-2013 13:57:41 System Checkpoint

31-05-2013 15:07:17 System Checkpoint

01-06-2013 16:54:08 System Checkpoint

02-06-2013 17:47:04 System Checkpoint

03-06-2013 18:36:21 System Checkpoint

04-06-2013 19:04:19 System Checkpoint

05-06-2013 20:02:12 System Checkpoint

06-06-2013 21:50:24 System Checkpoint

07-06-2013 22:44:10 System Checkpoint

08-06-2013 23:51:14 System Checkpoint

10-06-2013 01:04:00 System Checkpoint

11-06-2013 02:07:59 System Checkpoint

12-06-2013 04:03:07 System Checkpoint

13-06-2013 08:55:34 System Checkpoint

13-06-2013 09:00:12 Software Distribution Service 3.0

14-06-2013 10:12:04 System Checkpoint

15-06-2013 13:50:49 System Checkpoint

16-06-2013 20:26:39 System Checkpoint

17-06-2013 08:51:11 Removed Facebook Video Calling 1.2.0.287

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:

==================

System errors:

=============

Error: (06/17/2013 03:11:00 AM) (Source: Schedule) (User: )

Description: The At4.job command failed to start due to the following error:

%%2147942402

Error: (06/17/2013 02:11:00 AM) (Source: Schedule) (User: )

Description: The At3.job command failed to start due to the following error:

%%2147942402

Error: (06/17/2013 01:11:00 AM) (Source: Schedule) (User: )

Description: The At2.job command failed to start due to the following error:

%%2147942402

Error: (06/17/2013 00:11:00 AM) (Source: Schedule) (User: )

Description: The At1.job command failed to start due to the following error:

%%2147942402

Error: (06/16/2013 11:11:00 PM) (Source: Schedule) (User: )

Description: The At24.job command failed to start due to the following error:

%%2147942402

Error: (06/16/2013 10:56:09 PM) (Source: Service Control Manager) (User: )

Description: The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).

Error: (06/16/2013 10:55:41 PM) (Source: Service Control Manager) (User: )

Description: The Intel® Dynamic Application Loader Host Interface Service service terminated unexpectedly. It has done this 1 time(s).

Error: (06/16/2013 10:55:38 PM) (Source: Service Control Manager) (User: )

Description: The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

Error: (06/16/2013 10:55:32 PM) (Source: Service Control Manager) (User: )

Description: The SimpleHelp SimpleGateway Service service terminated unexpectedly. It has done this 1 time(s).

Error: (06/16/2013 10:11:00 PM) (Source: Schedule) (User: )

Description: The At23.job command failed to start due to the following error:

%%2147942402

Microsoft Office Sessions:

=========================

==================== Memory info ===========================

Percentage of memory in use: 45%

Total physical RAM: 3277.82 MB

Available physical RAM: 1795.48 MB

Total Pagefile: 4624.39 MB

Available Pagefile: 2931.7 MB

Total Virtual: 2047.88 MB

Available Virtual: 1949.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.53 GB) (Free:55.99 GB) NTFS ==>[Drive with boot components (Windows XP)]

Drive i: (HITMANPRO) (Removable) (Total:1.85 GB) (Free:1.85 GB) FAT32

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: EEA5EEA5)

Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)

========================================================

Disk: 5 (Size: 2 GB) (Disk ID: 73911C57)

Partition 1: (Active) - (Size=2 GB) - (Type=0B)

==================== End Of Log ============================


Here is the new one, just in case.

frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-06-2013 01

Ran by User (administrator) on 17-06-2013 03:55:33

Running from I:\

Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Normal

==================== Processes (Whitelisted) ===================

() C:\Program Files\RSI\RSIInterfaceControl\CallAccounting\CallAccounting.exe

() C:\Program Files\Cash\HSDCashCosterService.exe

() C:\Program Files\Cash\HSDCashLogService.exe

() C:\Program Files\Cash\HSDCashPMSService.exe

() C:\Program Files\CashPlus\HSDRptService.exe

(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe

() C:\Program Files\RSI\RSIInterfaceControl\RSIInterfaceMonitor\RSIInterfaceMonitor.exe

(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

(OTi) C:\WINDOWS\system32\UStorSrv.exe

(TightVNC Group) C:\Program Files\TightVNC\WinVNC.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\BM\TMBMSRV.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe

(Anvisoft) C:\Program Files\Anvisoft\Anvi Smart Defender\ASDSrv.exe

(Anvisoft) C:\Program Files\Anvisoft\Anvi Smart Defender\ASDTray.exe

(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE

(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe

(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe

(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe

() C:\Program Files\CashPlus\HSDPopupMonitor.exe

(Twain Working Group) C:\WINDOWS\twunk_32.exe

() C:\Program Files\RSI\RSIInterfaceControl\PBX\PBX.exe

(Twain Working Group) C:\WINDOWS\twunk_32.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow [874832 2010-12-30] (Trend Micro Inc.)

HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]

HKLM\...\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper [589824 2007-05-07] (TightVNC Group)

HKLM\...\Run: [Anvi Smart Defender] C:\Program Files\Anvisoft\Anvi Smart Defender\ASDTray.exe [1563720 2013-06-08] (Anvisoft)

HKLM\...\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto [169984 2008-04-14] (Microsoft Corporation)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1127496 2013-04-04] (Malwarebytes Corporation)

Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)

HKCU\...\Run: [Adobe CSS5.1 Manager] C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe [209920 2013-06-15] () <===== ATTENTION

HKCU\...\RunOnce: [Adobe CSS5.1 Manager] C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe [209920 2013-06-15] () <===== ATTENTION

HKCU\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [26112 2008-04-14] (Microsoft Corporation)

MountPoints2: {10018045-bc15-11de-bb76-002618aa9b07} - G:\LaunchU3.exe -a

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cash+ Alert Popup.lnk

ShortcutTarget: Cash+ Alert Popup.lnk -> C:\Program Files\CashPlus\HSDPopupMonitor.exe ()

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Serial Export.lnk

ShortcutTarget: Serial Export.lnk -> C:\Program Files\Cash\Cashco32.exe (Hansen Software Development)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

SearchScopes: HKCU - {046EC026-69A5-43B6-9FA4-0B2B5453F386} URL = http://www.google.ca/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7SUNC_en

SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC

SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

Toolbar: HKCU -No Name - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File

Toolbar: HKCU -No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: ipp - No CLSID Value -

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

Handler: msdaipp - No CLSID Value -

Hosts file not detected in the default directory

Tcpip\..\Interfaces\{4DACC828-A817-4472-AE76-AF79CFA67085}: [NameServer]8.8.8.8,8.8.4.4

Tcpip\..\Interfaces\{D156F5F3-3CD1-47AF-8AF5-58682C60A5D3}: [NameServer]8.8.8.8,8.8.4.4

Chrome:

=======

CHR HomePage: hxxp://search.conduit.com/?ctid=CT3201318&SearchSource=48

CHR RestoreOnStartup: "hxxp://search.conduit.com/?ctid=CT3201318&SearchSource=48"

CHR DefaultSearchURL: (Conduit) - http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3201318

CHR DefaultSuggestURL: (Conduit) - "suggest_url": ""

CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.110\pdf.dll ()

CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (Java Deployment Toolkit 6.0.230.5) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)

CHR Plugin: (Java Platform SE 6 U23) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)

CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))

CHR Plugin: (Microsoft\u00AE DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)

CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)

CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File

CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)

CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)

CHR Plugin: (Shockwave for Director) - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

CHR Extension: (FLV Runner) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ahilkiibpgjnonbhdfkkgjddddmapala\10.16.4.512_0

========================== Services (Whitelisted) =================

R2 asdsrv; C:\Program Files\Anvisoft\Anvi Smart Defender\ASDSrv.exe [739400 2013-06-08] (Anvisoft)

R2 CallAccounting; C:\Program Files\RSI\RSIInterfaceControl\CallAccounting\CallAccounting.exe [35840 2010-12-10] ()

S2 HidServ; C:\Windows\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)

R2 HSDCashCosterService; C:\Program Files\Cash\HSDCashCosterService.exe [13312 2012-11-05] ()

R2 HSDCashLogService; C:\Program Files\Cash\HSDCashLogService.exe [22528 2012-11-05] ()

R2 HSDCashPMSService; C:\Program Files\Cash\HSDCashPMSService.exe [14336 2012-11-05] ()

R2 HSDCashReportService; C:\Program Files\CashPlus\HSDRptService.exe [16896 2012-11-05] ()

R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [458464 2012-02-02] (Intel® Corporation)

R2 InterfaceMonitor; C:\Program Files\RSI\RSIInterfaceControl\RSIInterfaceMonitor\RSIInterfaceMonitor.exe [41472 2010-06-24] ()

S2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)

S4 LLPTSService; C:\Program Files\Comtrol Corporation\Lodging Link PTS\LLPTSService.exe [364544 2004-08-03] ()

R2 MSSQL$SNAPSCHEDULE; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)

R2 ntrtscan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [1509312 2010-12-16] (Trend Micro Inc.)

R2 PBX; C:\Program Files\RSI\RSIInterfaceControl\PBX\PBX.exe [75264 2009-10-02] ()

S2 SimpleHelpSimpleGatewayService; C:\Program Files\SimpleHelpService\SimpleService.exe [94616 2011-02-04] ()

R3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [345424 2010-06-15] (Trend Micro Inc.)

R2 tmlisten; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [1597120 2010-12-16] (Trend Micro Inc.)

S3 TmProxy; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [689416 2010-04-24] (Trend Micro Inc.)

R2 UStorage Server Service; C:\WINDOWS\system32\UStorSrv.exe [139264 2006-02-17] (OTi)

R2 winvnc; C:\Program Files\TightVNC\WinVNC.exe [589824 2007-05-07] (TightVNC Group)

S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S3 Ambfilt; C:\Windows\System32\drivers\Ambfilt.sys [1691480 2009-11-17] (Creative)

R1 asdrm; C:\Windows\System32\DRIVERS\asdrm.sys [16208 2012-11-07] (Anvisoft)

R2 asdrs; C:\WINDOWS\system32\DRIVERS\asdrs.sys [22864 2012-11-07] (Anvisoft)

R1 asdws; C:\Windows\System32\DRIVERS\asdws.sys [14160 2012-11-07] ()

S1 chreevbq; C:\WINDOWS\system32\drivers\chreevbq.sys [43600 2013-06-17] (Microsoft Corporation)

R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [13560 2013-05-16] (GFI Software)

U0 gohti; C:\Windows\System32\drivers\xmprowlh.sys [54016 2013-06-17] ()

R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows ® Server 2003 DDK provider)

S3 L1e; C:\Windows\System32\DRIVERS\l1e51x86.sys [39424 2009-08-05] (Atheros Communications, Inc.)

R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [46080 2011-11-10] (Intel Corporation)

S3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1395800 2009-11-17] (Creative Technology Ltd.)

S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()

R3 OxMf; C:\Windows\System32\DRIVERS\OxMf.sys [52016 2012-08-29] (OEM)

R3 OxSer; C:\Windows\System32\DRIVERS\OxSer.sys [84272 2012-08-29] (OEM)

R3 RTLE8023xp; C:\Windows\System32\DRIVERS\Rtenicxp.sys [323816 2011-08-24] (Realtek Semiconductor Corporation )

R2 tmactmon; C:\WINDOWS\system32\drivers\tmactmon.sys [67664 2010-12-07] (Trend Micro Inc.)

R2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [257928 2012-07-26] (Trend Micro Inc.)

R2 tmevtmgr; C:\WINDOWS\system32\drivers\tmevtmgr.sys [57424 2010-12-07] (Trend Micro Inc.)

R2 TmFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [264504 2012-07-17] (Trend Micro Inc.)

R2 TmPreFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36664 2012-07-17] (Trend Micro Inc.)

R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [90448 2010-12-07] (Trend Micro Inc.)

S3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [845184 2008-07-25] (VIA Technologies, Inc.)

R2 VSApiNt; C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys [1515232 2012-07-17] (Trend Micro Inc.)

S4 Abiosdsk; No ImagePath

S4 abp480n5; No ImagePath

S4 adpu160m; No ImagePath

S4 Aha154x; No ImagePath

S4 aic78u2; No ImagePath

S4 aic78xx; No ImagePath

S4 AliIde; No ImagePath

S4 amsint; No ImagePath

S4 asc; No ImagePath

S4 asc3350p; No ImagePath

S4 asc3550; No ImagePath

S4 Atdisk; No ImagePath

S4 cd20xrnt; No ImagePath

S1 Changer; No ImagePath

S4 CmdIde; No ImagePath

S4 Cpqarray; No ImagePath

U4 dac2w2k; No ImagePath

S4 dac960nt; No ImagePath

S4 dpti2o; No ImagePath

S4 hpn; No ImagePath

S1 i2omgmt; No ImagePath

S4 i2omp; No ImagePath

S4 ini910u; No ImagePath

S4 IntelIde; No ImagePath

S1 lbrtfdc; No ImagePath

S4 mraid35x; No ImagePath

S1 PCIDump; No ImagePath

S3 PDCOMP; No ImagePath

S3 PDFRAME; No ImagePath

S3 PDRELI; No ImagePath

S3 PDRFRAME; No ImagePath

S4 perc2; No ImagePath

S4 perc2hib; No ImagePath

S4 ql1080; No ImagePath

S4 Ql10wnt; No ImagePath

S4 ql12160; No ImagePath

S4 ql1240; No ImagePath

S4 ql1280; No ImagePath

S4 Simbad; No ImagePath

S4 Sparrow; No ImagePath

S4 symc810; No ImagePath

S4 symc8xx; No ImagePath

S4 sym_hi; No ImagePath

S4 sym_u3; No ImagePath

S4 TosIde; No ImagePath

S4 ultra; No ImagePath

S4 ViaIde; No ImagePath

S3 WDICA; No ImagePath

U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-17 03:47 - 2013-06-17 03:47 - 00054016 ____A C:\Windows\System32\Drivers\xmprowlh.sys

2013-06-17 03:39 - 2013-06-17 03:39 - 00000000 ____D C:\FRST

2013-06-17 03:18 - 2013-06-17 03:18 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Documents and Settings\User\Application Data\Malwarebytes

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes

2013-06-17 03:18 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-06-17 03:12 - 2013-06-17 03:12 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\chreevbq.sys

2013-06-17 03:12 - 2013-06-17 03:12 - 00000000 ____D C:\Windows\System32\MpEngineStore

2013-06-17 02:52 - 2013-06-17 02:52 - 00000311 ____A C:\Documents and Settings\User\Local Settings\Application Data\poetsch.bat

2013-06-16 23:51 - 2013-06-16 23:51 - 00000837 ____A C:\Documents and Settings\All Users\Desktop\Anvi Smart Defender.lnk

2013-06-16 23:51 - 2012-11-07 01:16 - 00022864 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrs.sys

2013-06-16 23:51 - 2012-11-07 01:16 - 00016208 ____A (Anvisoft) C:\Windows\System32\Drivers\asdrm.sys

2013-06-16 23:51 - 2012-11-07 01:16 - 00014160 ____A C:\Windows\System32\Drivers\asdws.sys

2013-06-16 23:23 - 2013-06-16 23:23 - 00060676 ____A C:\Windows\ews.gnl

2013-06-16 14:31 - 2013-06-16 14:33 - 00000004 ____A C:\Documents and Settings\User\Application Data\AltShell.ini

2013-06-15 23:08 - 2013-06-16 23:51 - 00000000 ____D C:\Documents and Settings\User\Application Data\Anvisoft

2013-06-15 23:07 - 2013-06-15 23:07 - 00000000 ____D C:\Program Files\Anvisoft

2013-06-15 23:07 - 2013-06-15 23:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Anvisoft

2013-06-15 23:04 - 2013-06-15 23:04 - 00000000 __SHD C:\found.000

2013-06-15 19:24 - 2013-06-15 20:02 - 00000000 ____D C:\Windows\Microsoft Antimalware

2013-06-15 18:16 - 2013-06-15 18:22 - 25747872 ____A C:\asdsetup.exe

2013-06-15 18:14 - 2013-06-15 18:14 - 33554432 ____A C:\Windows\System32\config\software.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 11272192 ____A C:\Windows\System32\config\system.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00524288 ____A C:\Windows\System32\config\default.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00262144 ____A C:\Windows\System32\config\SAM.bhv

2013-06-15 17:51 - 2013-06-15 17:51 - 00000000 ___AD C:\$Anvi Rescue Disk$

2013-06-15 13:42 - 2013-06-15 13:42 - 00001984 ____A C:\Documents and Settings\User\Local Settings\Application Data\d3d9caps.tmp

2013-06-15 13:15 - 2013-06-15 13:15 - 00000370 ___AH C:\Windows\Tasks\{B6928638-BBB8-4E12-9A5D-09911B31D2F2}.job

2013-06-15 13:15 - 2013-06-15 13:15 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 12:02 - 2013-06-15 12:02 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:48 - 2013-06-15 11:48 - 00000238 ___AH C:\Windows\Tasks\{C840C9D3-09E1-4416-AC2D-C00E26E18C16}.job

2013-06-15 11:48 - 2013-06-15 11:48 - 00000000 ____D C:\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:43 - 2013-06-16 23:43 - 00029386 ____A C:\Windows\gnqxwhf.qbc

2013-06-15 11:43 - 2013-06-16 23:23 - 00104168 ____A C:\Windows\fdbb.zof

2013-06-15 11:43 - 2013-06-16 23:22 - 00256349 ____A C:\Windows\qwqwihb.eji

2013-06-15 11:43 - 2013-06-15 11:44 - 00041086 ____A C:\Windows\tbu.fhg

2013-06-15 11:43 - 2013-06-15 11:43 - 00150093 ____A C:\Windows\cmjmvvf.mdl

2013-06-15 11:43 - 2013-06-15 11:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\olx

2013-06-15 11:42 - 2013-06-16 23:22 - 00037656 ____A C:\Windows\rlw.ijb

2013-06-15 11:40 - 2013-06-15 11:40 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-13 03:01 - 2013-06-13 03:01 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$

2013-06-13 03:00 - 2013-06-13 03:00 - 00012189 ____A C:\Windows\KB2838727-IE8.log

2013-06-12 03:14 - 2013-06-13 03:01 - 00016105 ____A C:\Windows\KB2839229.log

2013-05-20 13:06 - 2013-05-20 13:06 - 00004096 ___AH C:\Documents and Settings\User\Local Settings\Application Data\keyfile3.drm

==================== One Month Modified Files and Folders ========

2013-06-17 03:56 - 2012-05-22 20:52 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-17 03:55 - 2009-10-13 12:40 - 00000000 ____D C:\Program Files\Cash

2013-06-17 03:52 - 2011-04-22 13:45 - 00000420 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{8522F79A-4174-49F6-884A-2CBC916745D1}.job

2013-06-17 03:47 - 2013-06-17 03:47 - 00054016 ____A C:\Windows\System32\Drivers\xmprowlh.sys

2013-06-17 03:47 - 2013-02-14 04:01 - 00000000 __HDC C:\Windows\$NtUninstallKB2802968$

2013-06-17 03:39 - 2013-06-17 03:39 - 00000000 ____D C:\FRST

2013-06-17 03:18 - 2013-06-17 03:18 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Documents and Settings\User\Application Data\Malwarebytes

2013-06-17 03:18 - 2013-06-17 03:18 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes

2013-06-17 03:12 - 2013-06-17 03:12 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\chreevbq.sys

2013-06-17 03:12 - 2013-06-17 03:12 - 00000000 ____D C:\Windows\System32\MpEngineStore

2013-06-17 03:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At4.job

2013-06-17 03:10 - 2012-11-19 10:46 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-06-17 03:01 - 2011-04-25 12:14 - 00000232 ____A C:\Windows\Tasks\Scheduled Update for Ask Toolbar.job

2013-06-17 03:00 - 2009-10-13 03:32 - 00000211 ___SH C:\boot.ini

2013-06-17 03:00 - 2008-04-14 06:00 - 00000634 ____A C:\Windows\win.ini

2013-06-17 03:00 - 2008-04-14 06:00 - 00000227 ____A C:\Windows\system.ini

2013-06-17 02:57 - 2009-10-13 09:54 - 00032186 ____A C:\Windows\SchedLgU.Txt

2013-06-17 02:57 - 2009-10-13 09:47 - 01683810 ____A C:\Windows\WindowsUpdate.log

2013-06-17 02:56 - 2012-12-12 02:59 - 00000000 ____D C:\Program Files\VideoPerformer

2013-06-17 02:52 - 2013-06-17 02:52 - 00000311 ____A C:\Documents and Settings\User\Local Settings\Application Data\poetsch.bat

2013-06-17 02:27 - 2013-05-16 18:16 - 00000036 ____A C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache

2013-06-17 02:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At3.job

2013-06-17 01:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At2.job

2013-06-17 00:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At1.job

2013-06-16 23:58 - 2011-09-09 19:11 - 00181808 ___AC C:\Windows\RegBootClean.exe

2013-06-16 23:51 - 2013-06-16 23:51 - 00000837 ____A C:\Documents and Settings\All Users\Desktop\Anvi Smart Defender.lnk

2013-06-16 23:51 - 2013-06-15 23:08 - 00000000 ____D C:\Documents and Settings\User\Application Data\Anvisoft

2013-06-16 23:43 - 2013-06-15 11:43 - 00029386 ____A C:\Windows\gnqxwhf.qbc

2013-06-16 23:39 - 2011-03-28 22:52 - 00000664 ____A C:\Windows\System32\d3d9caps.dat

2013-06-16 23:23 - 2013-06-16 23:23 - 00060676 ____A C:\Windows\ews.gnl

2013-06-16 23:23 - 2013-06-15 11:43 - 00104168 ____A C:\Windows\fdbb.zof

2013-06-16 23:22 - 2013-06-15 11:43 - 00256349 ____A C:\Windows\qwqwihb.eji

2013-06-16 23:22 - 2013-06-15 11:42 - 00037656 ____A C:\Windows\rlw.ijb

2013-06-16 23:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At24.job

2013-06-16 22:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At23.job

2013-06-16 21:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At22.job

2013-06-16 20:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At21.job

2013-06-16 19:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At20.job

2013-06-16 18:21 - 2009-10-13 03:34 - 00783030 ____A C:\Windows\System32\PerfStringBackup.INI

2013-06-16 18:17 - 2012-11-19 10:46 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-06-16 18:17 - 2009-10-13 09:57 - 00000062 __ASH C:\Documents and Settings\User\Local Settings\desktop.ini

2013-06-16 18:17 - 2009-10-13 09:54 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini

2013-06-16 18:17 - 2009-10-13 09:54 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-16 18:17 - 2008-04-14 06:00 - 00012598 ____A C:\Windows\System32\wpa.dbl

2013-06-16 18:16 - 2009-10-13 09:57 - 00000278 ___SH C:\Documents and Settings\User\ntuser.ini

2013-06-16 18:16 - 2009-10-13 09:53 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini

2013-06-16 15:11 - 2009-10-13 10:06 - 00000000 __SHD C:\Windows\CSC

2013-06-16 14:33 - 2013-06-16 14:31 - 00000004 ____A C:\Documents and Settings\User\Application Data\AltShell.ini

2013-06-16 14:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At15.job

2013-06-15 23:07 - 2013-06-15 23:07 - 00000000 ____D C:\Program Files\Anvisoft

2013-06-15 23:07 - 2013-06-15 23:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Anvisoft

2013-06-15 23:04 - 2013-06-15 23:04 - 00000000 __SHD C:\found.000

2013-06-15 20:02 - 2013-06-15 19:24 - 00000000 ____D C:\Windows\Microsoft Antimalware

2013-06-15 18:22 - 2013-06-15 18:16 - 25747872 ____A C:\asdsetup.exe

2013-06-15 18:14 - 2013-06-15 18:14 - 33554432 ____A C:\Windows\System32\config\software.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 11272192 ____A C:\Windows\System32\config\system.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00524288 ____A C:\Windows\System32\config\default.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv

2013-06-15 18:14 - 2013-06-15 18:14 - 00262144 ____A C:\Windows\System32\config\SAM.bhv

2013-06-15 18:14 - 2011-09-09 18:02 - 00000000 ____D C:\Program Files\TightVNC

2013-06-15 18:00 - 2011-04-25 12:31 - 00370558 ___AC C:\Windows\setupapi.log

2013-06-15 17:51 - 2013-06-15 17:51 - 00000000 ___AD C:\$Anvi Rescue Disk$

2013-06-15 17:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At18.job

2013-06-15 13:42 - 2013-06-15 13:42 - 00001984 ____A C:\Documents and Settings\User\Local Settings\Application Data\d3d9caps.tmp

2013-06-15 13:15 - 2013-06-15 13:15 - 00000370 ___AH C:\Windows\Tasks\{B6928638-BBB8-4E12-9A5D-09911B31D2F2}.job

2013-06-15 13:15 - 2013-06-15 13:15 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 13:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At14.job

2013-06-15 12:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At13.job

2013-06-15 12:02 - 2013-06-15 12:02 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:48 - 2013-06-15 11:48 - 00000238 ___AH C:\Windows\Tasks\{C840C9D3-09E1-4416-AC2D-C00E26E18C16}.job

2013-06-15 11:48 - 2013-06-15 11:48 - 00000000 ____D C:\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:44 - 2013-06-15 11:43 - 00041086 ____A C:\Windows\tbu.fhg

2013-06-15 11:43 - 2013-06-15 11:43 - 00150093 ____A C:\Windows\cmjmvvf.mdl

2013-06-15 11:43 - 2013-06-15 11:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\olx

2013-06-15 11:40 - 2013-06-15 11:40 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad

2013-06-15 11:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At12.job

2013-06-15 10:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At11.job

2013-06-15 09:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At10.job

2013-06-15 08:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At9.job

2013-06-15 07:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At8.job

2013-06-15 06:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At7.job

2013-06-15 05:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At6.job

2013-06-15 04:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At5.job

2013-06-15 03:18 - 2011-02-04 12:34 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\CutePDF Writer

2013-06-15 03:17 - 2011-05-17 04:38 - 00000000 ____D C:\Documents and Settings\User\Desktop\Night Audit

2013-06-14 18:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At19.job

2013-06-14 16:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At17.job

2013-06-14 15:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At16.job

2013-06-13 04:39 - 2012-12-17 21:30 - 00001156 ____A C:\Windows\DCEBOOT.RST

2013-06-13 04:39 - 2012-12-17 21:30 - 00000000 ____A C:\Windows\DCEBOOT.LOG

2013-06-13 04:38 - 2011-05-13 23:47 - 00000216 ___AC C:\Windows\wiadebug.log

2013-06-13 04:38 - 2011-05-13 23:47 - 00000048 ___AC C:\Windows\wiaservc.log

2013-06-13 03:01 - 2013-06-13 03:01 - 00000000 __HDC C:\Windows\$NtUninstallKB2839229$

2013-06-13 03:01 - 2013-06-12 03:14 - 00016105 ____A C:\Windows\KB2839229.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00732725 ____A C:\Windows\iis6.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00686921 ____A C:\Windows\FaxSetup.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00330976 ____A C:\Windows\ocgen.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00314905 ____A C:\Windows\tsoc.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00226094 ____A C:\Windows\comsetup.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00206572 ____A C:\Windows\msmqinst.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00137437 ____A C:\Windows\ntdtcsetup.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00120722 ____A C:\Windows\netfxocm.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00047469 ____A C:\Windows\MedCtrOC.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00038089 ____A C:\Windows\ocmsn.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00034521 ____A C:\Windows\tabletoc.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00034469 ____A C:\Windows\msgsocm.log

2013-06-13 03:01 - 2011-06-16 03:01 - 00001809 ____A C:\Windows\imsins.log

2013-06-13 03:01 - 2009-11-30 12:22 - 00000000 ____D C:\Documents and Settings\User\Application Data\Ahead

2013-06-13 03:00 - 2013-06-13 03:00 - 00012189 ____A C:\Windows\KB2838727-IE8.log

2013-06-13 03:00 - 2011-06-16 03:02 - 00060394 ____A C:\Windows\updspapi.log

2013-06-13 03:00 - 2011-06-16 03:01 - 00001809 ____A C:\Windows\imsins.BAK

2013-06-13 03:00 - 2009-10-13 11:46 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-06-13 00:46 - 2011-05-14 13:48 - 00000069 ___AC C:\Windows\NeroDigital.ini

2013-06-11 23:57 - 2013-04-09 03:44 - 00000000 ____D C:\Documents and Settings\User\Desktop\Labour Expense Report

2013-06-11 14:56 - 2012-05-22 20:52 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-06-11 14:56 - 2011-07-10 09:54 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-06-05 23:11 - 2012-11-19 10:47 - 00001813 ____A C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

2013-05-31 12:26 - 2012-11-08 15:42 - 00072192 ____A C:\Documents and Settings\User\Desktop\Front Desk Schedule.xls

2013-05-29 00:06 - 2012-12-16 23:22 - 00022064 ____A C:\Windows\DCEBoot.exe

2013-05-20 13:07 - 2013-05-13 13:34 - 00188071 ____A C:\Documents and Settings\User\Desktop\2013 Labour Expense Report LHREIT revised Jan 2013.xlsx

2013-05-20 13:06 - 2013-05-20 13:06 - 00004096 ___AH C:\Documents and Settings\User\Local Settings\Application Data\keyfile3.drm

Files to move or delete:

====================

C:\Documents and Settings\User\g2ax_customer_downloadhelper_win32_x86.exe

C:\Documents and Settings\User\Application Data\AltShell.ini

C:\Windows\Tasks\At1.job

C:\Windows\Tasks\At10.job

C:\Windows\Tasks\At11.job

C:\Windows\Tasks\At12.job

C:\Windows\Tasks\At13.job

C:\Windows\Tasks\At14.job

C:\Windows\Tasks\At15.job

C:\Windows\Tasks\At16.job

C:\Windows\Tasks\At17.job

C:\Windows\Tasks\At18.job

C:\Windows\Tasks\At19.job

C:\Windows\Tasks\At2.job

C:\Windows\Tasks\At20.job

C:\Windows\Tasks\At21.job

C:\Windows\Tasks\At22.job

C:\Windows\Tasks\At23.job

C:\Windows\Tasks\At24.job

C:\Windows\Tasks\At3.job

C:\Windows\Tasks\At4.job

C:\Windows\Tasks\At5.job

C:\Windows\Tasks\At6.job

C:\Windows\Tasks\At7.job

C:\Windows\Tasks\At8.job

C:\Windows\Tasks\At9.job

C:\Windows\Tasks\{B6928638-BBB8-4E12-9A5D-09911B31D2F2}.job

C:\Windows\Tasks\{C840C9D3-09E1-4416-AC2D-C00E26E18C16}.job

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.
    HKCU\...\Run: [Adobe CSS5.1 Manager] C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe [209920 2013-06-15] () <===== ATTENTION
    HKCU\...\RunOnce: [Adobe CSS5.1 Manager] C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe [209920 2013-06-15] () <===== ATTENTION
    HKCU\...\Winlogon: [Shell] C:\Documents and Settings\User\Application Data\dbu32.ocx,explorer.exe <==== ATTENTION
    SearchScopes: HKLM - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL = http://search.mywebs...or={searchTerms}
    SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
    SearchScopes: HKCU - {56256A51-B582-467e-B8D4-7786EDA79AE0} URL =
    Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    Toolbar: HKCU -No Name - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
    Toolbar: HKCU -No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    CHR HomePage: hxxp://search.conduit.com/?ctid=CT3201318&SearchSource=48
    CHR RestoreOnStartup: "hxxp://search.conduit.com/?ctid=CT3201318&SearchSource=48"
    CHR DefaultSearchURL: (Conduit) - http://search.condui...&ctid=CT3201318
    CHR DefaultSuggestURL: (Conduit) - "suggest_url": ""

    S1 chreevbq; C:\WINDOWS\system32\drivers\chreevbq.sys [43600 2013-06-17] (Microsoft Corporation)

    C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe
    C:\Documents and Settings\User\Application Data\dbu32.ocx
    C:\WINDOWS\system32\drivers\chreevbq.sys
    C:\Windows\System32\MpEngineStore
    C:\Windows\gnqxwhf.qbc
    C:\Windows\fdbb.zof
    C:\Windows\qwqwihb.eji
    C:\Windows\tbu.fhg
    C:\Windows\cmjmvvf.mdl
    C:\Documents and Settings\All Users\Application Data\olx
    C:\Windows\rlw.ijb
    (Bloodshed Software) C:\Documents and Settings\User\empb.tmp
    C:\Windows\Tasks\At*.job
    C:\Documents and Settings\User\g2ax_customer_downloadhelper_win32_x86.exe
    C:\Documents and Settings\User\Application Data\AltShell.dat
    C:\Documents and Settings\User\Application Data\AltShell.ini
    C:\Windows\Tasks\{B6928638-BBB8-4E12-9A5D-09911B31D2F2}.job
    C:\Windows\Tasks\{C840C9D3-09E1-4416-AC2D-C00E26E18C16}.job


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Then restart your computer into normal mode.

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
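As an added example (the editor's, not FRST's code and not from anyone in this thread), the following Python checker re-derives the kinds of entries the fixlist above targets from FRST log lines: a Winlogon Shell value other than explorer.exe, an autorun entry under a profile's Application Data with no publisher, a driver whose created and modified times are identical, data files with made-up extensions directly under C:\Windows, and the At<n>.job tasks. The heuristics and the extension allow-list are assumptions; the sample lines are copied from the log and fixlist in this thread.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: lines in FRST's own format, copied from the log and the
# fixlist in this thread. The "<==== ATTENTION" markers are FRST's; the checker
# strips them and re-derives the verdict from the line itself.
SAMPLE_LOG = r"""
HKCU\...\Run: [Adobe CSS5.1 Manager] C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe [209920 2013-06-15] () <===== ATTENTION
HKCU\...\Winlogon: [Shell] C:\Documents and Settings\User\Application Data\dbu32.ocx,explorer.exe <==== ATTENTION
2013-06-17 03:47 - 2013-06-17 03:47 - 00054016 ____A C:\Windows\System32\Drivers\xmprowlh.sys
2013-06-17 03:18 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-17 03:12 - 2013-06-17 03:12 - 00043600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\chreevbq.sys
2013-06-15 11:43 - 2013-06-16 23:23 - 00104168 ____A C:\Windows\fdbb.zof
2013-06-17 02:57 - 2009-10-13 09:47 - 01683810 ____A C:\Windows\WindowsUpdate.log
2013-06-17 03:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At4.job
2013-06-17 02:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At3.job
2013-06-17 01:11 - 2011-09-09 16:08 - 00000344 ____A C:\Windows\Tasks\At2.job
"""

ATTENTION_RE = re.compile(r"\s*<=+\s*ATTENTION\s*$")
WINLOGON_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\.\\Winlogon: \[Shell\] (?P<value>.+)$")
RUN_RE = re.compile(
    r"^HK(?:LM|CU)\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?) \[\d+ [\d-]+\] \((?P<publisher>[^)]*)\)$"
)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"\d{8} [_A-Z]{5} (?:\((?P<publisher>[^)]*)\) )?(?P<path>.+)$"
)

# Extensions normally found directly under C:\Windows on XP (assumption: an
# allow-list for this one check, not an exhaustive inventory).
WINDOWS_ROOT_OK = {".exe", ".dll", ".log", ".ini", ".txt", ".bak", ".rst", ".dat", ".inf", ".bmp"}


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Return {finding-kind: [paths]} for the FRST log lines in log_text."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        line = ATTENTION_RE.sub("", raw.strip())
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            # Winlogon\Shell must be exactly explorer.exe; anything prepended
            # (here an .ocx in the profile) is loaded before the desktop appears.
            if m["value"].strip().lower() != "explorer.exe":
                findings["winlogon-shell"].append(m["value"])
            continue
        m = RUN_RE.match(line)
        if m:
            # Autorun from a user profile's Application Data with no publisher.
            if "\\application data\\" in m["path"].lower() and not m["publisher"]:
                findings["run-from-profile"].append(m["path"])
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m["path"]
        low = path.lower()
        base = path.rsplit("\\", 1)[-1]
        ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if low.startswith("c:\\windows\\system32\\drivers\\") and m["created"] == m["modified"]:
            # Heuristic: a driver written in place gets identical created and
            # modified times; an installer-copied one keeps its build mtime
            # (compare mbam.sys above, which is not flagged).
            findings["driver-dropped"].append(path)
        elif re.fullmatch(r"c:\\windows\\[^\\]+", low) and ext not in WINDOWS_ROOT_OK:
            # Data files with made-up extensions dropped directly into C:\Windows.
            findings["odd-windows-root-file"].append(path)
        elif "\\tasks\\" in low and re.fullmatch(r"at\d+\.job", base.lower()):
            # At<n>.job tasks: the thread's log shows one per hour (At1..At24).
            findings["at-jobs"].append(base)
    return dict(findings)


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```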


Here is my fixlog.. I don't have a repair disc handy so I will have to dig one up and get back to you.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 16-06-2013 01

Ran by User at 2013-06-17 04:08:29 Run:1

Running from I:\

Boot Mode: Normal

==============================================

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value deleted successfully.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} => Key not found.

HKCR\CLSID\{56256A51-B582-467e-B8D4-7786EDA79AE0} => Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} => Key deleted successfully.

HKCR\CLSID\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} => Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} => Key not found.

HKCR\CLSID\{56256A51-B582-467e-B8D4-7786EDA79AE0} => Key not found.

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.

HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} => Value deleted successfully.

HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} => Key not found.

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.

HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.

CHR HomePage: hxxp://search.conduit.com/?ctid=CT3201318&SearchSource=48 ==> The Chrome "Settings" can be used to fix the entry.

CHR RestoreOnStartup: "hxxp://search.conduit.com/?ctid=CT3201318&SearchSource=48" ==> The Chrome "Settings" can be used to fix the entry.

CHR DefaultSearchURL: (Conduit) - http://search.condui...&ctid=CT3201318 ==> The Chrome "Settings" can be used to fix the entry.

CHR DefaultSuggestURL: (Conduit) - "suggest_url": "" ==> The Chrome "Settings" can be used to fix the entry.

chreevbq => Service deleted successfully.

Could not move C:\Documents and Settings\User\Local Settings\Application Data\c899b337-5886-488a-85e3-425ddd713848ad\cbaedddad.exe . => Scheduled to move on reboot.

C:\Documents and Settings\User\Application Data\dbu32.ocx => Moved successfully.

C:\WINDOWS\system32\drivers\chreevbq.sys => Moved successfully.

C:\Windows\System32\MpEngineStore => Moved successfully.

C:\Windows\gnqxwhf.qbc => Moved successfully.

C:\Windows\fdbb.zof => Moved successfully.

C:\Windows\qwqwihb.eji => Moved successfully.

C:\Windows\tbu.fhg => Moved successfully.

C:\Windows\cmjmvvf.mdl => Moved successfully.

C:\Documents and Settings\All Users\Application Data\olx => Moved successfully.

C:\Windows\rlw.ijb => Moved successfully.

C:\Documents and Settings\User\empb.tmp => No running process found

C:\Windows\Tasks\At*.job => Moved successfully.

C:\Documents and Settings\User\g2ax_customer_downloadhelper_win32_x86.exe => Moved successfully.

C:\Documents and Settings\User\Application Data\AltShell.dat => File/Directory not found.

C:\Documents and Settings\User\Application Data\AltShell.ini => Moved successfully.

C:\Windows\Tasks\{B6928638-BBB8-4E12-9A5D-09911B31D2F2}.job => Moved successfully.

C:\Windows\Tasks\{C840C9D3-09E1-4416-AC2D-C00E26E18C16}.job => Moved successfully.


Ok I dug up my windows installation disc and tried to do a repair, but this is what I get:

A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you have seen this stop message screen restart your computer.

If it appears again follow these steps:

Check to be sure you have adequate disk space.

If a driver is identified in the stop message, disable the driver or check with manufacturer updates

Try changing video adapters

Check with your hardware vendor for any bios updates

Disable caching or shadowing memory

If you need to use safe mode to remove or disable components restart your computer and press F8 to select advanced start up options then select safe mode

Technical info

***stop 0x0000007E ( oxc 0000005, oxf9a380bf, oxf9e84208, oxf9e834208, 0xe9e83f08

*** PCI.SYS address f9a380bf base at f9a31000, date stamp 3b7d8ssc

I cannot boot into any safe modes yet either..


Note: As I have no XP here, I have to give you these instructions "blind".

If you are facing any issues, report that immediately.

 

We have to repair the driver manually:

 

  • Start your computer with the xp disk and enter the setup.
  • When you are at the start page, hit r to enter the recovery console.
  • You will be prompted for the installation you want to log in to; type 1 and hit enter.
  • Enter your administrator password and hit enter again.
  • When at the command prompt, type in the following commands, each line followed by enter:

    rename C:\windows\system32\drivers\pci.sys pci.old
    expand X:\i386\driver.cab /f:pci.sys C:\Windows\system32\drivers
    exit
  • Try to boot into windows now and tell me what happens.


 


I am running XP Pro, and I just found out that my XP Pro installation disc does not contain service pack 2, and this may be why I am getting this error.. if I run my windows XP Home installation disc, I can get to the first set of options, but as it is the wrong version I can't choose "set up now" and then "repair". I can choose the recovery console option from the first menu, but it then asks for a password which I don't even remember setting.

I am guessing if I can find a way to create a windows XP Pro boot disc with service pack 2 installed it would work, but the problem is I don't have access to a computer with a cd burner, it would have to be USB.. unless there is another way to get to a command prompt through USB without the disc to repair manually like you mentioned above?


This topic is now closed to further replies.