FBI MoneyPak Virus..Require Removal Assistance


Hello All,

I humbly require assistance in removing this FBI MoneyPak Virus that has my laptop on lockdown.  I would highly appreciate any and all assistance.  Thank you.

Here are the frst.txt log and Service.txt log

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-07-2013
Ran by SYSTEM on 11-07-2013 20:09:32
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-16] (Synaptics Incorporated)
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [524800 2010-12-01] (IDT, Inc.)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\RunOnce: [*WerKernelReporting] - %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)
HKLM-x32\...\Run: [startCCC] - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2010-12-15] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] - "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [976832 2010-06-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-06-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup [1497352 2011-02-21] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [HPOSD] - C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Alyssa\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\Alyssa\...\Run: [Google Update] - "C:\Users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-23] (Google Inc.)
HKU\Alyssa\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex [247968 2011-12-11] (Adobe Systems, Inc.)
HKU\BHI Renovations LLC\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\BHI Renovations LLC\...\Run: [skype] - "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [19550344 2011-10-13] (Skype Technologies S.A.)
HKU\BHI Renovations LLC\...\Run: [{0FD10AED-2B1A-2F4F-1F99-56963D4BA3DE}] - "C:\Users\BHI Renovations LLC\AppData\Roaming\Wasyaw\ewguac.exe" [196096 2011-05-22] ()
HKU\BHI Renovations LLC\...\Run: [150.exe] - C:\Users\BHI Renovations LLC\AppData\Roaming\Microsoft\98DA\150.exe [291840 2011-12-22] ()
HKU\BHI Renovations LLC\...\Run: [dP17724LfLkE17724] - C:\ProgramData\dP17724LfLkE17724\dP17724LfLkE17724.exe [372224 2011-12-22] ()
HKU\BHI Renovations LLC\...\Run: [charient] - rundll32 "C:\Users\BHIREN~1\AppData\Local\Temp\drivlace.dll",CreateProcessNotify [47616 2011-12-22] (Kaspersky Lab) <===== ATTENTION
HKU\BHI Renovations LLC\...\Run: [dccwview] - rundll32 "C:\Users\BHIREN~1\AppData\Local\Temp\drivlace64.dll",CreateProcessNotify [52224 2011-12-22] (Kaspersky Lab) <===== ATTENTION
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Tino.BHIRenovationsL\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\Tino.BHIRenovationsL.001\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\Tino.BHIRenovationsL.001\...\Run: [ATI] - rundll32 "C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Intuit\ATI\ghgmojmg.dll",DllRegisterServer [320000 2013-07-05] (Microsoft Corporation) <===== ATTENTION
HKU\Tino.BHIRenovationsL.001\...\Run: [Netscape] - regsvr32.exe C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape\gsroesug.dll [891904 2013-07-05] (Autodesk, Inc.) <===== ATTENTION
HKU\Tino.BHIRenovationsL.001\...\Run: [atiUtilLibs8] - rundll32.exe "C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8\atiUtilLibs8.dll",fxMobileIo Bassmapcprt [31232 2013-07-06] ()
HKU\Tino.BHIRenovationsL.001\...\Run: [TimeServer] - "C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\WIN199E.exe" [133120 2013-07-07] ()
HKU\Tino.BHIRenovationsL.001\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad\cbfacead.exe [172544 2013-07-11] () <===== ATTENTION
HKU\Tino.BHIRenovationsL.001\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad\cbfacead.exe [172544 2013-07-11] () <===== ATTENTION
HKU\Tino.BHIRenovationsL.001\...\Winlogon: [shell] explorer.exe,C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.dat [142848 2011-11-16] (Intro-Software Lab.) <==== ATTENTION
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
ShortcutTarget: Snapfish PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Wireless Connection Manager.lnk
ShortcutTarget: Wireless Connection Manager.lnk -> C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe (D-Link Corp.)

==================== Services (Whitelisted) =================

S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [354304 2010-12-15] (Advanced Micro Devices, Inc.)
S2 AMD Reservation Manager; C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [194496 2010-06-17] (Advanced Micro Devices)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [130008 2011-04-16] (Symantec Corporation)
S2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [244960 2011-10-25] ()
S2 WlanWpsSvc; C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [167936 2008-06-26] ()

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-10] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [136824 2011-06-01] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys [488056 2011-06-02] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys [488056 2011-06-02] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110630.038\ENG64.SYS [117880 2011-06-01] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110630.038\ENG64.SYS [117880 2011-06-01] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110630.038\EX64.SYS [2011768 2011-06-01] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110630.038\EX64.SYS [2011768 2011-06-01] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
S3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [141384 2010-11-10] (MCCI Corporation)
S0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-11] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-11 20:08 - 2013-07-11 20:08 - 00000000 ____D C:\FRST
2013-07-11 14:19 - 2013-07-11 15:31 - 00000004 ____A C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini
2013-07-11 14:16 - 2013-07-11 15:00 - 00000352 ___AH C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job
2013-07-11 14:16 - 2013-07-11 14:16 - 00003092 ____A C:\Windows\System32\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}
2013-07-11 14:16 - 2013-07-11 14:16 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad
2013-07-11 14:15 - 2013-07-11 14:15 - 00142848 ____A (Intro-Software Lab.) C:\Users\Tino.BHIRenovationsL.001\notepad.exe
2013-07-11 14:15 - 2013-07-11 14:15 - 00000000 ____A C:\Users\Tino.BHIRenovationsL.001\rundll32.exe
2013-07-11 14:15 - 2013-07-11 14:15 - 00000000 ____A C:\Users\Tino.BHIRenovationsL.001\opera.exe
2013-07-11 13:36 - 2013-07-11 13:36 - 00000000 ____D C:\3475043e4c5f81a47541accf5d
2013-07-09 23:33 - 2013-06-04 19:34 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-09 23:33 - 2013-06-03 22:00 - 00624128 ____A (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-09 23:33 - 2013-06-03 20:53 - 00509440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-09 23:33 - 2013-05-05 22:03 - 01887744 ____A (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-09 23:33 - 2013-05-05 20:56 - 01620480 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-09 23:33 - 2013-04-09 15:34 - 01247744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-09 23:33 - 2013-04-02 14:51 - 01643520 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-06 23:48 - 2013-07-06 23:48 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8
2013-07-05 10:41 - 2013-07-05 22:19 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape
2013-07-03 23:57 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-07-03 23:57 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00333312 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-07-02 23:01 - 2013-07-11 13:35 - 00068420 ____A C:\Windows\IE10_main.log
2013-06-13 17:43 - 2013-06-13 17:43 - 00262144 ____A C:\Windows\Minidump\061313-36145-01.dmp
2013-06-11 12:15 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 12:15 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 12:15 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 12:15 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 12:15 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 12:15 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 12:15 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 12:15 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 12:15 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 12:15 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 12:15 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 12:15 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 12:15 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 12:15 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 12:15 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-11 12:15 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-11 12:15 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

==================== One Month Modified Files and Folders =======

2013-07-11 20:08 - 2013-07-11 20:08 - 00000000 ____D C:\FRST
2013-07-11 15:59 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-11 15:58 - 2009-07-13 20:51 - 00054411 ____A C:\Windows\setupact.log
2013-07-11 15:31 - 2013-07-11 14:19 - 00000004 ____A C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini
2013-07-11 15:16 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At40.job
2013-07-11 15:16 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At39.job
2013-07-11 15:16 - 2011-08-16 11:58 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1002UA.job
2013-07-11 15:16 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-11 15:16 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-11 15:10 - 2011-03-10 23:04 - 01840270 ____A C:\Windows\WindowsUpdate.log
2013-07-11 15:09 - 2011-12-31 06:51 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\CrashDumps
2013-07-11 15:02 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-07-11 15:00 - 2013-07-11 14:16 - 00000352 ___AH C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job
2013-07-11 14:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At24.job
2013-07-11 14:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At29.job
2013-07-11 14:22 - 2009-07-13 20:45 - 00378824 ____A C:\Windows\System32\FNTCACHE.DAT
2013-07-11 14:21 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-11 14:21 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-11 14:18 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At38.job
2013-07-11 14:18 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At37.job
2013-07-11 14:17 - 2011-12-22 19:14 - 00000000 ____D C:\users\Tino.BHIRenovationsL.001
2013-07-11 14:17 - 2011-08-16 11:58 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1002Core.job
2013-07-11 14:16 - 2013-07-11 14:16 - 00003092 ____A C:\Windows\System32\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}
2013-07-11 14:16 - 2013-07-11 14:16 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad
2013-07-11 14:15 - 2013-07-11 14:15 - 00142848 ____A (Intro-Software Lab.) C:\Users\Tino.BHIRenovationsL.001\notepad.exe
2013-07-11 14:15 - 2013-07-11 14:15 - 00000000 ____A C:\Users\Tino.BHIRenovationsL.001\rundll32.exe
2013-07-11 14:15 - 2013-07-11 14:15 - 00000000 ____A C:\Users\Tino.BHIRenovationsL.001\opera.exe
2013-07-11 13:54 - 2011-11-23 07:15 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003UA.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At36.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At34.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At32.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At30.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At28.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At26.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At22.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At20.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At18.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At16.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At14.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At12.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At35.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At33.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At31.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At27.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At25.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At23.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At21.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At19.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At17.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At15.job
2013-07-11 13:46 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At13.job
2013-07-11 13:36 - 2013-07-11 13:36 - 00000000 ____D C:\3475043e4c5f81a47541accf5d
2013-07-11 13:36 - 2011-11-23 07:15 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003Core.job
2013-07-11 13:35 - 2013-07-02 23:01 - 00068420 ____A C:\Windows\IE10_main.log
2013-07-11 13:33 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At11.job
2013-07-11 00:22 - 2011-12-24 05:35 - 00000354 ____A C:\Windows\Tasks\At48.job
2013-07-11 00:22 - 2011-12-24 05:35 - 00000354 ____A C:\Windows\Tasks\At46.job
2013-07-11 00:22 - 2011-12-24 05:35 - 00000354 ____A C:\Windows\Tasks\At44.job
2013-07-11 00:22 - 2011-12-24 05:35 - 00000354 ____A C:\Windows\Tasks\At42.job
2013-07-11 00:22 - 2011-12-24 05:35 - 00000352 ____A C:\Windows\Tasks\At47.job
2013-07-11 00:22 - 2011-12-24 05:35 - 00000352 ____A C:\Windows\Tasks\At45.job
2013-07-11 00:22 - 2011-12-24 05:35 - 00000352 ____A C:\Windows\Tasks\At43.job
2013-07-11 00:22 - 2011-12-24 05:35 - 00000352 ____A C:\Windows\Tasks\At41.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At8.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At6.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At4.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At2.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000354 ____A C:\Windows\Tasks\At10.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At9.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At7.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At5.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At3.job
2013-07-11 00:22 - 2011-12-24 05:34 - 00000352 ____A C:\Windows\Tasks\At1.job
2013-07-09 23:49 - 2011-05-10 03:24 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-07-09 23:48 - 2011-12-20 16:36 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-07-07 19:54 - 2011-12-22 20:08 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific
2013-07-06 23:48 - 2013-07-06 23:48 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8
2013-07-05 22:19 - 2013-07-05 10:41 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape
2013-07-05 22:18 - 2013-05-19 13:36 - 423270142 ____A C:\Windows\MEMORY.DMP
2013-07-05 22:18 - 2011-07-03 22:51 - 00000000 ____D C:\Windows\Minidump
2013-07-05 10:41 - 2012-03-15 16:23 - 00000000 ____D C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Intuit
2013-07-05 10:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-07-04 00:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK
2013-07-04 00:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR
2013-07-04 00:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK
2013-07-04 00:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR
2013-07-02 23:07 - 2013-07-02 23:07 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00333312 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-07-02 23:07 - 2013-07-02 23:07 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-06-26 23:55 - 2013-02-26 12:21 - 00003180 ____A C:\Windows\System32\Tasks\HPCeeScheduleForTino
2013-06-26 23:55 - 2013-02-26 12:21 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForTino.job
2013-06-13 17:43 - 2013-06-13 17:43 - 00262144 ____A C:\Windows\Minidump\061313-36145-01.dmp

ZeroAccess:
C:\Windows\System32\consrv.dll

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

ZeroAccess:
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\@
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\L
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\n
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\L\00000004.@
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\L\4cce1f70
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\00000004.@
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\00000008.@
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\000000cb.@
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\80000000.@
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\80000032.@
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\80000064.@

Files to move or delete:
====================
C:\ProgramData\w2SKWedwdkDaG2.exe
C:\ProgramData\YPfdbKQmYWnOqAL.exe
C:\Users\Tino.BHIRenovationsL.001\notepad.exe
C:\Users\Tino.BHIRenovationsL.001\opera.exe
C:\Users\Tino.BHIRenovationsL.001\rundll32.exe
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.dat
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini
C:\ProgramData\I45akNWE.dat
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At10.job
C:\Windows\Tasks\At11.job
C:\Windows\Tasks\At12.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At14.job
C:\Windows\Tasks\At15.job
C:\Windows\Tasks\At16.job
C:\Windows\Tasks\At17.job
C:\Windows\Tasks\At18.job
C:\Windows\Tasks\At19.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At20.job
C:\Windows\Tasks\At21.job
C:\Windows\Tasks\At22.job
C:\Windows\Tasks\At23.job
C:\Windows\Tasks\At24.job
C:\Windows\Tasks\At25.job
C:\Windows\Tasks\At26.job
C:\Windows\Tasks\At27.job
C:\Windows\Tasks\At28.job
C:\Windows\Tasks\At29.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At30.job
C:\Windows\Tasks\At31.job
C:\Windows\Tasks\At32.job
C:\Windows\Tasks\At33.job
C:\Windows\Tasks\At34.job
C:\Windows\Tasks\At35.job
C:\Windows\Tasks\At36.job
C:\Windows\Tasks\At37.job
C:\Windows\Tasks\At38.job
C:\Windows\Tasks\At39.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At40.job
C:\Windows\Tasks\At41.job
C:\Windows\Tasks\At42.job
C:\Windows\Tasks\At43.job
C:\Windows\Tasks\At44.job
C:\Windows\Tasks\At45.job
C:\Windows\Tasks\At46.job
C:\Windows\Tasks\At47.job
C:\Windows\Tasks\At48.job
C:\Windows\Tasks\At5.job
C:\Windows\Tasks\At6.job
C:\Windows\Tasks\At7.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At9.job
C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Windows\system64

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-04 05:48:21
Restore point made on: 2013-07-05 10:30:18
Restore point made on: 2013-07-05 23:00:59
Restore point made on: 2013-07-06 23:43:43
Restore point made on: 2013-07-07 23:00:40
Restore point made on: 2013-07-08 23:15:09
Restore point made on: 2013-07-09 23:22:28
Restore point made on: 2013-07-10 23:58:13

==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 2810.9 MB
Available physical RAM: 2142.89 MB
Total Pagefile: 2809.05 MB
Available Pagefile: 2137.85 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:282.82 GB) (Free:202.86 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:14.98 GB) (Free:1.87 GB) NTFS (Disk=0 Partition=3) ==>[system with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32 (Disk=0 Partition=4)
Drive h: () (Removable) (Total:7.45 GB) (Free:1.88 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: CB3F4DE8)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=283 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2012-12-26 14:36

==================== End Of Log ============================

Farbar Recovery Scan Tool (x64) Version: 12-07-2013
Ran by SYSTEM at 2013-07-11 20:13:02
Running from H:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\system64\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

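The FRST output above carries the indicator set that marks this as a ZeroAccess infection rather than just a lock screen: consrv.dll in System32, Desktop.ini under the GAC_32/GAC_64 folders, the {GUID} store in AppData\Local with its @ / L / n / U children, 48 At<N>.job scheduled tasks, a C:\Windows\system64 directory, and a services.exe search in which all three copies carry the same MD5. The Python script below is an added example for this thread, not code from FRST, ComboFix or the poster. It parses FRST-style text, flags those artefacts, and treats the WinSxS copy of services.exe as the hash reference, so a copy with a different MD5 is reported as tampered and a copy living outside System32/WinSxS (the system64 copy here) is reported on location alone. The sample log text is constructed from lines quoted in the post; the At-job threshold and the MD5 used in the "tampered" sample are assumptions.

```python
"""Triage FRST log text for the ZeroAccess artefacts seen in this thread.

Added example for this thread, not code from FRST, ComboFix or the poster.
The sample input is constructed from lines quoted in the post; AT_JOB_BURST
and the MD5 used for the "tampered" sample are assumptions.
"""
import re

AT_JOB_BURST = 5  # assumed: a few At<N>.job files may be legitimate, dozens are not

INDICATORS = {
    "consrv_dll": re.compile(r"\\Windows\\System32\\consrv\.dll$", re.I),
    "gac_desktop_ini": re.compile(r"\\Windows\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I),
    "appdata_guid_store": re.compile(  # {GUID} folder with its @ / L / n / U children
        r"\\AppData\\Local\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\(?:@|L|n|U)(?:\\|$)", re.I),
    "system64_dir": re.compile(r"\\Windows\\system64(?:\\|$)", re.I),
    "at_job": re.compile(r"\\Windows\\Tasks\\At\d+\.job$", re.I),
}
PATH_RE = re.compile(r"[A-Za-z]:\\.*")  # first drive-letter path on a line, to end of line
DETAIL_RE = re.compile(  # FRST "Search:" detail line: dates, size, attrs, [vendor], MD5 last
    r"^\[.*\] - \[.*\] - (\d+) \S+ (?:\(.*\) )?([0-9A-Fa-f]{32})$")


def extract_paths(log_text):
    """One path per line that has one (FRST prints it after size/attributes/vendor)."""
    found = [PATH_RE.search(line) for line in log_text.splitlines()]
    return [m.group(0).rstrip().rstrip('"') for m in found if m]


def find_indicators(log_text, at_job_burst=AT_JOB_BURST):
    """Map indicator name -> unique matching paths; At jobs only count as a burst."""
    hits = {name: [] for name in INDICATORS}
    for path in extract_paths(log_text):
        for name, pattern in INDICATORS.items():
            if pattern.search(path):
                hits[name].append(path)
    if len(set(hits["at_job"])) < at_job_burst:
        hits["at_job"] = []
    return {name: list(dict.fromkeys(v)) for name, v in hits.items() if v}


def parse_search(log_text, filename="services.exe"):
    """Parse FRST's Search section: a path line followed by a detail line ending in MD5."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if m and path.lower().endswith("\\" + filename.lower()):
            entries.append({"path": path, "size": int(m.group(1)), "md5": m.group(2).upper()})
    return entries


def compare_to_winsxs(entries):
    """Reference = the MD5s of the WinSxS component-store copies. A copy whose hash is not in
    that set is tampered; a copy outside System32/WinSxS is reported even when the hash
    matches, because the location itself is the artefact (the system64 copy above)."""
    ref = {e["md5"] for e in entries if "\\winsxs\\" in e["path"].lower()}
    report = {"reference_md5s": sorted(ref), "mismatched": [], "unexpected_location": []}
    for e in entries:
        low = e["path"].lower()
        if "\\winsxs\\" not in low and not low.startswith("c:\\windows\\system32\\"):
            report["unexpected_location"].append(e["path"])
        if ref and e["md5"] not in ref:
            report["mismatched"].append(e["path"])
    return report


def triage(log_text):
    return {"indicators": find_indicators(log_text),
            "services_exe": compare_to_winsxs(parse_search(log_text))}


# --- constructed sample input, assembled from lines quoted in the post -----------------
REF_MD5 = "24ACB7E5BE595468E3B9AA488B9B4FCB"


def search_section(system32_md5):
    """FRST 'Search: services.exe' block with a chosen MD5 for the System32 copy."""
    detail = "[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) {}"
    return "\n".join([
        '================== Search: "services.exe" ===================', "",
        r"C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35"
        r"_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe", detail.format(REF_MD5), "",
        r"C:\Windows\system64\services.exe", detail.format(REF_MD5), "",
        r"C:\Windows\System32\services.exe", detail.format(system32_md5), "",
    ])


FRST_EXCERPT = "\n".join([
    "ZeroAccess:", r"C:\Windows\System32\consrv.dll", "",
    "ZeroAccess:", r"C:\Windows\assembly\GAC_32\Desktop.ini", "",
    r"C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}",
    r"C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\@",
    r"C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}\U\80000032.@",
    r"C:\ProgramData\w2SKWedwdkDaG2.exe",
    *[rf"C:\Windows\Tasks\At{i}.job" for i in range(1, 49)],
    r"C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job",
    r"ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Windows\system64", "",
])
SAMPLE_LOG = FRST_EXCERPT + search_section(REF_MD5)
TAMPERED_LOG = FRST_EXCERPT + search_section("0123456789ABCDEF0123456789ABCDEF")  # assumed hash

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_LOG), ("constructed tampered copy", TAMPERED_LOG)):
        print(label, triage(text))
```

Run it as a script to print both reports, or import it and call triage() on the text of a saved FRST.txt. The point worth keeping in mind is that a matching MD5 only says the copies are identical to the servicing-store copy; the system64 copy here hashes clean and is still an artefact, which is why location is reported separately from hash mismatches.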

Fix with FRST (Recovery Environment)

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
     
    HKU\BHI Renovations LLC\...\Run: [{0FD10AED-2B1A-2F4F-1F99-56963D4BA3DE}] - "C:\Users\BHI Renovations LLC\AppData\Roaming\Wasyaw\ewguac.exe" [196096 2011-05-22] ()
    HKU\BHI Renovations LLC\...\Run: [150.exe] - C:\Users\BHI Renovations LLC\AppData\Roaming\Microsoft\98DA\150.exe [291840 2011-12-22] ()
    HKU\BHI Renovations LLC\...\Run: [dP17724LfLkE17724] - C:\ProgramData\dP17724LfLkE17724\dP17724LfLkE17724.exe [372224 2011-12-22] ()
    HKU\BHI Renovations LLC\...\Run: [charient] - rundll32 "C:\Users\BHIREN~1\AppData\Local\Temp\drivlace.dll",CreateProcessNotify [47616 2011-12-22] (Kaspersky Lab) <===== ATTENTION
    HKU\BHI Renovations LLC\...\Run: [dccwview] - rundll32 "C:\Users\BHIREN~1\AppData\Local\Temp\drivlace64.dll",CreateProcessNotify [52224 2011-12-22] (Kaspersky Lab) <===== ATTENTION
    HKU\Tino.BHIRenovationsL.001\...\Run: [ATI] - rundll32 "C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Intuit\ATI\ghgmojmg.dll",DllRegisterServer [320000 2013-07-05] (Microsoft Corporation) <===== ATTENTION
    HKU\Tino.BHIRenovationsL.001\...\Run: [Netscape] - regsvr32.exe C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape\gsroesug.dll [891904 2013-07-05] (Autodesk, Inc.) <===== ATTENTION
    HKU\Tino.BHIRenovationsL.001\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad\cbfacead.exe [172544 2013-07-11] () <===== ATTENTION
    HKU\Tino.BHIRenovationsL.001\...\RunOnce: [Adobe CSS5.1 Manager] - C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad\cbfacead.exe [172544 2013-07-11] () <===== ATTENTION
    HKU\Tino.BHIRenovationsL.001\...\Winlogon: [Shell] explorer.exe,C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.dat [142848 2011-11-16] (Intro-Software Lab.) <==== ATTENTION
    SubSystems: [Windows] ATTENTION! ====> ZeroAccess
    HKU\Tino.BHIRenovationsL.001\...\Run: [TimeServer] - "C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\WIN199E.exe" [133120 2013-07-07] ()
    C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job
    C:\Windows\System32\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}
    C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad
    (Intro-Software Lab.) C:\Users\Tino.BHIRenovationsL.001\notepad.exe
    C:\Users\Tino.BHIRenovationsL.001\rundll32.exe
    C:\Users\Tino.BHIRenovationsL.001\opera.exe
    C:\Users\BHI Renovations LLC\AppData\Roaming\Wasyaw
    C:\Users\BHI Renovations LLC\AppData\Roaming\Microsoft\98DA
    C:\ProgramData\dP17724LfLkE17724\
    C:\Users\BHIREN~1\AppData\Local\Temp\drivlace.dll
    C:\Users\BHIREN~1\AppData\Local\Temp\drivlace64.dll
    C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Intuit\ATI
    C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape\
    C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad
    C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.dat
    C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8
    C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape
    C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini
    C:\Windows\Tasks\At*
    C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1002UA.job
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    C:\Windows\System32\consrv.dll
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769}
    C:\ProgramData\w2SKWedwdkDaG2.exe
    C:\ProgramData\YPfdbKQmYWnOqAL.exe
    C:\ProgramData\I45akNWE.dat
    C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job
    C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\
    DeleteJunctionsIndirectory: C:\Windows\system64
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Start your system in normal mode.

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Here is the Fix Log


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-07-2013 01
Ran by SYSTEM at 2013-07-12 09:01:36 Run:1
Running from H:\
Boot Mode: Recovery
==============================================

HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\{0FD10AED-2B1A-2F4F-1F99-56963D4BA3DE} => Value deleted successfully.
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\150.exe => Value deleted successfully.
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\dP17724LfLkE17724 => Value deleted successfully.
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\charient => Value deleted successfully.
HKU\BHI Renovations LLC\Software\Microsoft\Windows\CurrentVersion\Run\\dccwview => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\Run\\ATI => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\Run\\Netscape => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\System\ControlSet001\Control\Session Manager\SubSystems\\Windows => Value was restored successfully.
HKU\Tino.BHIRenovationsL.001\Software\Microsoft\Windows\CurrentVersion\Run\\TimeServer => Value deleted successfully.
C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job => Moved successfully.
C:\Windows\System32\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173} => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\notepad.exe => No running process found
C:\Users\Tino.BHIRenovationsL.001\rundll32.exe => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\opera.exe => Moved successfully.
C:\Users\BHI Renovations LLC\AppData\Roaming\Wasyaw => Moved successfully.
C:\Users\BHI Renovations LLC\AppData\Roaming\Microsoft\98DA => Moved successfully.
C:\ProgramData\dP17724LfLkE17724\ => Moved successfully.
C:\Users\BHIREN~1\AppData\Local\Temp\drivlace.dll => Moved successfully.
C:\Users\BHIREN~1\AppData\Local\Temp\drivlace64.dll => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Intuit\ATI => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape\ => Moved successfully.
"C:\Users\Tino.BHIRenovationsL.001\AppData\Local\c99b2097-237f-4a8c-8921-155e54251682ad" => File/Directory not found.
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.dat => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8 => Moved successfully.
"C:\Users\Tino.BHIRenovationsL.001\AppData\Local\Netscape" => File/Directory not found.
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\skype.ini => Moved successfully.
C:\Windows\Tasks\At* => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1002UA.job => Moved successfully.
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
C:\Windows\System32\consrv.dll => Moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini => Moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini => Moved successfully.
C:\Users\Tino.BHIRenovationsL.001\AppData\Local\{448ba2fe-1264-12d8-69cb-65e0f4030769} => Moved successfully.
C:\ProgramData\w2SKWedwdkDaG2.exe => Moved successfully.
C:\ProgramData\YPfdbKQmYWnOqAL.exe => Moved successfully.
C:\ProgramData\I45akNWE.dat => Moved successfully.
"C:\Windows\Tasks\{4DA4FABE-9528-4E6F-9FBF-618B09E89173}.job" => File/Directory not found.
C:\Users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\ => Moved successfully.
Error: DeleteJunctionsIndirectory: C:\Windows\system64 => entry should be fixed outside recovery mode.

==== End of Fixlog ====

Here is ComboFix Log


ComboFix 13-07-11.03 - Tino 07/12/2013  11:43:47.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2811.1178 [GMT -4:00]
Running from: c:\users\Tino.BHIRenovationsL.001\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\StartNow Toolbar
c:\program files (x86)\StartNow Toolbar\ReactivateIE.exe
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_images.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_maps.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_news.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_videos.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_web.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_games.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_msn.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_travel.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png
c:\program files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png
c:\program files (x86)\StartNow Toolbar\Resources\installer.xml
c:\program files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\separator.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\splitter.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
c:\program files (x86)\StartNow Toolbar\Resources\toolbar.xml
c:\program files (x86)\StartNow Toolbar\Resources\update.xml
c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe
c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
c:\program files (x86)\StartNow Toolbar\uninstall.dat
c:\program files (x86)\StartNow Toolbar\verify\Reactivate.exe
c:\program files (x86)\StartNow Toolbar\verify\ReactivateFF.exe
c:\program files (x86)\StartNow Toolbar\verify\StartNowToolbarUninstall.exe
c:\program files (x86)\StartNow Toolbar\verify\Toolbar32.dll
c:\program files (x86)\StartNow Toolbar\verify\ToolbarBroker.exe
c:\program files (x86)\StartNow Toolbar\verify\ToolbarUpdaterService.exe
c:\program files (x86)\StartNow Toolbar\verify\XBrowser.dll
c:\users\Tino.BHIRenovationsL.001\notepad.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Updater Service for StartNow Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-12 to 2013-07-12  )))))))))))))))))))))))))))))))
.
.
2013-07-12 18:53 . 2013-07-12 18:53 -------- d-----w- c:\users\Tino.BHIRenovationsL\AppData\Local\temp
2013-07-12 13:18 . 2013-07-12 13:18 -------- d-----w- c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific
2013-07-12 04:08 . 2013-07-12 04:08 -------- d-----w- C:\FRST
2013-07-11 21:36 . 2013-07-11 21:36 -------- d-----w- C:\3475043e4c5f81a47541accf5d
2013-07-04 07:57 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2013-07-04 07:57 . 2013-04-17 06:24 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-31 15:31 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-05-31 15:31 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-05-16 01:00 . 2010-06-24 19:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 05:51 . 2013-06-11 20:15 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-11 20:15 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-11 20:15 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-11 20:15 52224 ----a-w- c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-11 20:15 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45 . 2013-06-11 20:15 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-11 20:15 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43 . 2013-06-11 20:15 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-11 20:15 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-11 20:15 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-05-10 05:49 . 2013-06-11 20:15 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-11 20:15 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39 . 2013-06-11 20:15 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-04-26 05:51 . 2013-06-11 20:15 751104 ----a-w- c:\windows\system32\win32spl.dll
2013-04-26 04:55 . 2013-06-11 20:15 492544 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-04-25 23:30 . 2013-06-11 20:15 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-15 336384]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-02-22 1497352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2010-11-18 1040952]
Wireless Connection Manager.lnk - c:\program files (x86)\D-Link\DWA-131 revA\wirelesscm.exe [2011-12-16 517440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192su.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1207020.003\SYMNETS.SYS [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [x]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x]
S2 WlanWpsSvc;WlanWpsSvc;c:\program files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe;c:\program files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 22:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003Core.job
- c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-23 15:15]
.
2013-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003UA.job
- c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-23 15:15]
.
2013-06-27 c:\windows\Tasks\HPCeeScheduleForTino.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-12-02 524800]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.3
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{6E13D095-45C3-4271-9475-F3B48227DD9F} - c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
Toolbar-{5911488E-9D1E-40ec-8CBB-06B231CC153F} - c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
Wow6432Node-HKCU-Run-atiUtilLibs8 - c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8\atiUtilLibs8.dll
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
.
**************************************************************************
.
Completion time: 2013-07-12  15:07:24 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-12 19:07
.
Pre-Run: 225,769,791,488 bytes free
Post-Run: 225,629,081,600 bytes free
.
- - End Of File - - 812779C46517ADEE3D669ABA6BF57EF8
A36C5E4F47E84449FF07ED3517B43A31
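The ORPHANS REMOVED section of the log above includes a Run entry that pointed at a DLL under a user's AppData\Roaming folder, which is the kind of autostart a triager opens first, well ahead of the vendor entries under Program Files. As an added example that is not part of the original thread and is not ComboFix's own code, the Python script below parses autostart lines in the format ComboFix prints (Run-key values and orphan entries) and flags those whose image path sits in a user-writable location, sits outside Program Files or the Windows directory, or names a DLL. The sample lines are constructed from entries that appear in the log above; the `USER_WRITABLE` and `SYSTEM_DIRS` heuristics are the example author's assumptions, not rules ComboFix applies.

```python
import re

# Added example: triage autostart entries copied from a ComboFix-style log.
# Heuristic assumption (not a ComboFix rule): vendor software normally lives
# under Program Files or the Windows directory, while commodity lockers and
# adware usually run from user-writable folders such as AppData or Temp.
USER_WRITABLE = re.compile(
    r"\\(users|documents and settings)\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\",
    re.IGNORECASE,
)
SYSTEM_DIRS = re.compile(r"^c:\\(program files( \(x86\))?|windows)\\", re.IGNORECASE)

# Run-key value as ComboFix prints it:   "Name"="c:\path\file.exe" [2010-12-02 524800]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# Orphan entry as ComboFix prints it:    HKLM-Run-Name - c:\path\file.exe
ORPHAN_LINE = re.compile(r"^(?P<name>\S+-Run\S*)\s+-\s+(?P<path>.+)$")

# Constructed sample, copied from entries that appear in the log above.
SAMPLE_LOG = r'''
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-12-02 524800]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
Wow6432Node-HKCU-Run-atiUtilLibs8 - c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\atiUtilLibs8\atiUtilLibs8.dll
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
'''


def parse_entry(line):
    """Return {'name', 'path'} for a Run-key or orphan line, else None."""
    line = line.strip()
    match = RUN_LINE.match(line) or ORPHAN_LINE.match(line)
    if not match:
        return None
    return {"name": match.group("name"), "path": match.group("path").strip()}


def triage(line):
    """Parse one line and attach the reasons (if any) it deserves a closer look."""
    entry = parse_entry(line)
    if entry is None:
        return None
    path = entry["path"]
    reasons = []
    if USER_WRITABLE.search(path):
        reasons.append("image lives in a user-writable location")
    elif not SYSTEM_DIRS.match(path):
        reasons.append("image lives outside Program Files / Windows")
    if path.lower().endswith(".dll"):
        # A bare DLL as a Run value is atypical; vendors register an .exe
        # or an explicit rundll32 command line.
        reasons.append("Run value points at a DLL rather than an executable")
    entry["reasons"] = reasons
    entry["suspicious"] = bool(reasons)
    return entry


def triage_log(text):
    """Triage every parseable autostart line in a block of log text."""
    results = []
    for line in text.splitlines():
        entry = triage(line)
        if entry is not None:
            results.append(entry)
    return results


def suspicious_names(text):
    """Names of the entries a triager should open first."""
    return [e["name"] for e in triage_log(text) if e["suspicious"]]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        flag = "SUSPECT" if entry["suspicious"] else "ok     "
        print(f"{flag} {entry['name']}: {entry['path']}")
        for reason in entry["reasons"]:
            print(f"         - {reason}")
```

Run against the constructed sample, only the atiUtilLibs8 entry is flagged, for two reasons: it sits under a user profile's AppData\Roaming and it is a DLL. The three vendor entries under Program Files pass. The heuristics are deliberately loose; they order what to look at, they do not decide what is malicious, and a path check alone says nothing about an entry whose file has already been removed.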
 


CF-Script


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


DIRLOOK::

c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific

CLEARJAVACACHE::



Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

New CF log

 

ComboFix 13-07-11.03 - Tino 07/14/2013  20:22:50.3.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2811.1387 [GMT -4:00]
Running from: c:\users\Tino.BHIRenovationsL.001\Desktop\ComboFix.exe
Command switches used :: c:\users\Tino.BHIRenovationsL.001\Desktop\CFScript.txt.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-15 to 2013-07-15  )))))))))))))))))))))))))))))))
.
.
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Tino\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Tino.BHIRenovationsL\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Tino.BHIRenovationsL.000\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\BHI Renovations LLC\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Alyssa\AppData\Local\temp
2013-07-15 00:39 . 2013-07-15 00:39 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-07-12 13:18 . 2013-07-12 13:18 -------- d-----w- c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific
2013-07-12 04:08 . 2013-07-12 04:08 -------- d-----w- C:\FRST
2013-07-11 21:36 . 2013-07-11 21:36 -------- d-----w- C:\3475043e4c5f81a47541accf5d
2013-07-04 07:57 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2013-07-04 07:57 . 2013-04-17 06:24 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-31 15:31 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-05-31 15:31 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-05-16 01:00 . 2010-06-24 19:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 05:51 . 2013-06-11 20:15 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-11 20:15 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-11 20:15 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-11 20:15 52224 ----a-w- c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-11 20:15 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45 . 2013-06-11 20:15 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-11 20:15 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43 . 2013-06-11 20:15 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-11 20:15 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-11 20:15 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-05-10 05:49 . 2013-06-11 20:15 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-11 20:15 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39 . 2013-06-11 20:15 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-04-26 05:51 . 2013-06-11 20:15 751104 ----a-w- c:\windows\system32\win32spl.dll
2013-04-26 04:55 . 2013-06-11 20:15 492544 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-04-25 23:30 . 2013-06-11 20:15 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific ----
.
2013-07-12 13:18 . 2013-07-12 13:19 11562 ----a-w- c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\Environment.tfc
2013-07-12 13:18 . 2013-07-12 13:19 11562 ----a-w- c:\users\Tino.BHIRenovationsL.001\AppData\Roaming\Tific\tificocs.symantec.com.tfc
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}]
c:\program files (x86)\StartNow Toolbar\Toolbar32.dll [bU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{5911488E-9D1E-40ec-8CBB-06B231CC153F}"= "c:\program files (x86)\StartNow Toolbar\Toolbar32.dll" [bU]
.
[HKEY_CLASSES_ROOT\clsid\{5911488e-9d1e-40ec-8cbb-06b231cc153f}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-15 336384]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-02-22 1497352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2010-11-18 1040952]
Wireless Connection Manager.lnk - c:\program files (x86)\D-Link\DWA-131 revA\wirelesscm.exe [2011-12-16 517440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192su.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110630.050\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1207020.003\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1207020.003\SYMNETS.SYS [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x]
S2 WlanWpsSvc;WlanWpsSvc;c:\program files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe;c:\program files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 22:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003Core.job
- c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-23 15:15]
.
2013-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-58572535-489909918-2348058734-1003UA.job
- c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-23 15:15]
.
2013-06-27 c:\windows\Tasks\HPCeeScheduleForTino.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-12-02 524800]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-14  20:42:35
ComboFix-quarantined-files.txt  2013-07-15 00:42
ComboFix2.txt  2013-07-12 19:07
.
Pre-Run: 226,301,812,736 bytes free
Post-Run: 225,873,248,256 bytes free
.
- - End Of File - - 86AD39069D2B28FF3A393BAF73DEE064
A36C5E4F47E84449FF07ED3517B43A31

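The registry blocks above come from the section of the ComboFix log where the tool lists keys it could not read and their ACL notes. As an added example for this thread (Python, not ComboFix's own code and not posted by anyone here), the script below parses that section and pulls out two things a responder checks first: keys that carry an explicit deny for Everyone (the "locked" keys malware uses to hide from scanners) and COM InprocServer32 entries whose server DLL lives outside the system directories. The line format is assumed from the excerpt on this page, the trusted-directory list is an assumption for a stock Windows 7 install, and the last block of the sample input (a CLSID pointing into AppData) is constructed to show the second check firing; the first three blocks are copied from the log above.

```python
"""Triage the registry section of a ComboFix log.

Added example for this thread; it is not ComboFix's own code or anything
the helper posted. The line format (a [KEY] header, optional
@Denied/@Allowed ACL lines, "name"="value" lines, and a lone "." between
blocks) is assumed from the excerpt above, not taken from any ComboFix
documentation.
"""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ACL_RE = re.compile(r"^@(?P<kind>Denied|Allowed): \((?P<rights>[^)]*)\) \((?P<who>[^)]*)\)$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')

# Directories a COM in-process server is expected to live under on a stock
# Windows 7 box (assumption; adjust for the host being examined).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class RegKey:
    path: str
    acl: list = field(default_factory=list)     # (kind, rights, principal)
    values: dict = field(default_factory=dict)  # value name -> raw data


def unreg(data):
    """Decode a .reg-style quoted string; other data (dword:...) is returned as-is."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_combofix_registry(text):
    """Return one RegKey per [KEY] block, keeping ACL notes and values."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegKey(m.group("key"))
            keys.append(current)
            continue
        if current is None:
            continue                      # text before the first key
        m = ACL_RE.match(line)
        if m:
            current.acl.append((m.group("kind"), m.group("rights"), m.group("who")))
            continue
        m = VALUE_RE.match(line)
        if m:
            current.values[m.group("name").strip('"')] = m.group("data")
    return keys


def locked_keys(keys):
    """Keys with an explicit deny ACE for Everyone, i.e. the locked keys
    ComboFix reports. Malware uses this to hide from scanners, but some
    legitimate components lock their keys too, so this is a review list,
    not a verdict."""
    return [(k.path, rights) for k in keys
            for kind, rights, who in k.acl
            if kind == "Denied" and who == "Everyone"]


def suspicious_com_servers(keys, trusted=TRUSTED_PREFIXES):
    """InprocServer32 defaults that point outside the trusted directories."""
    found = []
    for k in keys:
        if k.path.lower().endswith("\\inprocserver32") and "@" in k.values:
            dll = unreg(k.values["@"]).lower()
            if not dll.startswith(trusted):
                found.append((k.path, dll))
    return found


# Constructed sample: the first three blocks are taken from the log above;
# the last block is invented to show the COM-server check firing.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="c:\\Users\\victim\\AppData\\Roaming\\lockr.dll"
.
"""


def report(text):
    """Human-readable triage lines for a ComboFix registry section."""
    keys = parse_combofix_registry(text)
    lines = [f"{len(keys)} keys parsed"]
    lines += [f"LOCKED  {path}  (Everyone denied: {rights})" for path, rights in locked_keys(keys)]
    lines += [f"REVIEW  {path} -> {dll}" for path, dll in suspicious_com_servers(keys)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against the real log, the locked-key list will contain the three keys shown above (Flash's IFlashBroker4 interface, the modem-class AllUserSettings keys and PCW\Security), which ComboFix lists on clean Windows 7 systems as well; that is why the script reports them for review rather than scoring them. The directory check cuts the other way too: a server under C:\Windows is not clean by virtue of its location, so anything it passes still needs a signature or hash check on the live machine.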
Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where ComboFix is.

(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Full System Scan with Malwarebytes Anti-Malware

  • If it is not already installed, download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.



If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attachment: CFScript.txt

Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
