Hello,

My computer has been infected with Trojan.Zaccess according to Malwarebytes.  I apparently am not alone. I will post the log file from this morning's scan from the other computer.  After reading other threads, I believe I have downloaded the appropriate tools.  Any help is appreciated.  Thank you.

sp

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.24.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421

Protection: Enabled

8/24/2013 12:45:26 PM
mbam-log-2013-08-24 (12-45-26).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 409141
Time elapsed: 34 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update (Trojan.Zaccess) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Here is the log from RogueKiller...

RogueKiller V8.6.6 _x64_ [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : [Admin rights]
Mode : Scan -- Date : 08/24/2013 15:27:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 4 ¤¤¤
[DLL] rundll32.exe -- C:\Users\R\AppData\Roaming\wstbi.dll [-] -> rundll32.exe KILLED [TermProc]
[DLL] rundll32.exe -- C:\Users\R\AppData\Roaming\dpntc.dll [-] -> rundll32.exe KILLED [TermProc]
[DLL] rundll32.exe -- C:\Users\R\AppData\Roaming\wstbi.dll [-] -> rundll32.exe KILLED [TermProc]
[DLL] rundll32.exe -- C:\Users\R\AppData\Roaming\dpntc.dll [-] -> rundll32.exe KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\AppData\Local\Google\Desktop\Install\{4a520414-089e-8bd4-9ede-85dc8b5a1622}\?��?��?��\?��?��?��\???ﯹ๛\{4a520414-089e-8bd4-9ede-85dc8b5a1622}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : wstbi ("C:\Windows\System32\rundll32.exe" "C:\Users\R\AppData\Roaming\wstbi.dll",InteractLoop [7][-][x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : dpntc ("C:\Windows\System32\rundll32.exe" "C:\Users\R\AppData\Roaming\dpntc.dll",Long_AsLongLong [7][-][x]) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-443364689-2759691422-3487929739-1185\[...]\Run : Google Update ("C:\Users\R\AppData\Local\Google\Desktop\Install\{4a520414-089e-8bd4-9ede-85dc8b5a1622}\?��?��?��\?��?��?��\???ﯹ๛\{4a520414-089e-8bd4-9ede-85dc8b5a1622}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-443364689-2759691422-3487929739-1185\[...]\Run : wstbi ("C:\Windows\System32\rundll32.exe" "C:\Users\R\AppData\Roaming\wstbi.dll",InteractLoop [7][-][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-443364689-2759691422-3487929739-1185\[...]\Run : dpntc ("C:\Windows\System32\rundll32.exe" "C:\Users\R\AppData\Roaming\dpntc.dll",Long_AsLongLong [7][-][x]) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] Backup : C:\Program Files\Microsoft Security Client\Backup >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] DbgHelp.dll : C:\Program Files\Microsoft Security Client\DbgHelp.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] Drivers : C:\Program Files\Microsoft Security Client\Drivers >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] en-us : C:\Program Files\Microsoft Security Client\en-us >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] EppManifest.dll : C:\Program Files\Microsoft Security Client\EppManifest.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Microsoft Security Client\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Microsoft Security Client\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Microsoft Security Client\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Microsoft Security Client\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] mpevmsg.dll : C:\Program Files\Microsoft Security Client\mpevmsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAv.dll : C:\Program Files\Microsoft Security Client\MpOAv.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Microsoft Security Client\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Microsoft Security Client\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSESysprep.dll : C:\Program Files\Microsoft Security Client\MSESysprep.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Microsoft Security Client\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpEng.exe : C:\Program Files\Microsoft Security Client\MsMpEng.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Microsoft Security Client\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Microsoft Security Client\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] msseces.exe : C:\Program Files\Microsoft Security Client\msseces.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] msseoobe.exe : C:\Program Files\Microsoft Security Client\msseoobe.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] msseooberes.dll : C:\Program Files\Microsoft Security Client\msseooberes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsseWat.dll : C:\Program Files\Microsoft Security Client\MsseWat.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] NisIpsPlugin.dll : C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] NisLog.dll : C:\Program Files\Microsoft Security Client\NisLog.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] NisSrv.exe : C:\Program Files\Microsoft Security Client\NisSrv.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] NisWFP.dll : C:\Program Files\Microsoft Security Client\NisWFP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] Setup.exe : C:\Program Files\Microsoft Security Client\Setup.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] SetupRes.dll : C:\Program Files\Microsoft Security Client\SetupRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] shellext.dll : C:\Program Files\Microsoft Security Client\shellext.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] sqmapi.dll : C:\Program Files\Microsoft Security Client\sqmapi.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] SymSrv.dll : C:\Program Files\Microsoft Security Client\SymSrv.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] SymSrv.yes : C:\Program Files\Microsoft Security Client\SymSrv.yes >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Users\R\AppData\Local\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500AAKX-753CA1 +++++
--- User ---
[MBR] 7f019f706be9a840955a21a68ca2a3d6
[BSP] 05ff9741352e05afc52ed6255b66c85a : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 237684 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD2500AAKX-753CA1 +++++
--- User ---
[MBR] 01ec8b4e986bd5943b461ed605a884ef
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 14975 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08242013_152715.txt >>
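
Added example, not part of this thread and not a RogueKiller or Malwarebytes component: a small Python triage script that applies the three ZeroAccess persistence indicators visible in the RogueKiller report above to a batch of its log lines. The indicators are (1) a Run value launching GoogleUpdate.exe from a GUID folder under AppData\Local\Google\Desktop\Install whose intermediate directory names contain characters that cannot be typed or displayed (the forum rendered them as '?' and U+FFFD), which is what keeps the folder from being opened or deleted from Explorer; (2) Run values that use rundll32.exe to load DLLs dropped into AppData\Roaming, with made-up export names such as InteractLoop and Long_AsLongLong as the entry point; and (3) the files of Windows Defender and Microsoft Security Essentials turned into junctions whose target is \systemroot\system32\config, so that opening MsMpEng.exe or its DLLs fails and the product can no longer start (the MsMpSvc service line in the FRST log, which reports MsMpEng.exe with an implausible size and no publisher, is consistent with that). The sample lines are a constructed excerpt: a few lines copied from the report above, with the user name redacted to R as in the post, plus one ordinary IntelliPoint Run entry from the FRST log for contrast. The Finding type, the rule names and the parsing regexes are this example's own assumptions, not RogueKiller's.

```python
"""Triage of RogueKiller log lines for the ZeroAccess persistence indicators
seen in the report above.  Added example: not a RogueKiller or Malwarebytes
component; the rule names, Finding type and regexes are this script's own."""
import re
import unicodedata
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    kind: str    # HIDDEN_PATH | RUNDLL32_APPDATA | AV_JUNCTION
    name: str    # Run value name, or the redirected file/folder
    detail: str


_QUOTED = re.compile(r'"([^"]*)"')               # quoted paths inside a Run value
_ENTRYPOINT = re.compile(r'\.dll",(\w+)', re.I)  # rundll32 "x.dll",Export
_RUN_NAME = re.compile(r'\s:\s(?P<name>.+?)\s\(')


def path_looks_hidden(path: str) -> bool:
    """True when no installer could have created this path: '?' is illegal in
    NTFS names, U+FFFD means the original bytes were not valid text, and
    control/format/private-use code points are how ZeroAccess makes its folder
    unopenable from Explorer.  Plain non-ASCII is NOT flagged on its own:
    profile names in other locales are legitimate."""
    for ch in path:
        if ch in ('?', '\ufffd') or unicodedata.category(ch) in ('Cc', 'Cf', 'Co'):
            return True
    return False


def check_run_entry(line: str) -> Optional[Finding]:
    """Rules 1 and 2, applied to a RogueKiller '[RUN]...' line."""
    if not line.startswith('[RUN]'):
        return None
    m = _RUN_NAME.search(line)
    name = m.group('name') if m else '<unnamed>'
    paths = _QUOTED.findall(line)
    if not paths:
        return None
    # Rule 2: rundll32 used as a loader for a DLL dropped under the profile.
    if paths[0].lower().endswith('rundll32.exe') and len(paths) > 1:
        dll = paths[1]
        if '\\appdata\\' in dll.lower():
            ep = _ENTRYPOINT.search(line)
            entry = ep.group(1) if ep else '<none>'
            return Finding('RUNDLL32_APPDATA', name, f'{dll} entry point {entry}')
    # Rule 1: executable living in a directory that cannot be typed or opened,
    # or in the Google\Desktop\Install\{GUID} location used in this report.
    exe = paths[0]
    if path_looks_hidden(exe) or '\\google\\desktop\\install\\{' in exe.lower():
        return Finding('HIDDEN_PATH', name, exe)
    return None


def check_junction(line: str) -> Optional[Finding]:
    """Rule 3: a security product's file or folder turned into a reparse point
    whose target is the registry-hive directory.  Opening such a path fails,
    so the service cannot load its binaries and is silently disabled."""
    if '[Junction]' not in line or ' >> ' not in line or ' : ' not in line:
        return None
    left, right = line.split(' >> ', 1)
    src = left.split(' : ', 1)[1].strip()
    dst = right.split()[0]
    if dst.lower().endswith('\\system32\\config'):
        return Finding('AV_JUNCTION', src.rsplit('\\', 1)[-1], f'{src} -> {dst}')
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        found = check_run_entry(line) or check_junction(line)
        if found is not None:
            findings.append(found)
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed excerpt: lines copied from the RogueKiller report above (user name
# redacted to "R" as in the post) plus one ordinary Run entry for contrast.
# The forum rendered ZeroAccess's unprintable folder names as '?' and U+FFFD;
# they are reproduced here as escapes, so the exact original bytes are unknown.
SAMPLE_LINES = [
    '[RUN][ZeroAccess] HKCU\\[...]\\Run : Google Update ("C:\\Users\\AppData\\Local'
    '\\Google\\Desktop\\Install\\{4a520414-089e-8bd4-9ede-85dc8b5a1622}'
    '\\?\ufffd\ufffd?\ufffd\ufffd?\ufffd\ufffd\\?\ufffd\ufffd?\ufffd\ufffd?\ufffd\ufffd'
    '\\???\ufbf9\u0e5b\\{4a520414-089e-8bd4-9ede-85dc8b5a1622}\\GoogleUpdate.exe" >) -> FOUND',
    r'[RUN][SUSP PATH] HKCU\[...]\Run : wstbi ("C:\Windows\System32\rundll32.exe" '
    r'"C:\Users\R\AppData\Roaming\wstbi.dll",InteractLoop [7][-][x]) -> FOUND',
    r'[RUN][SUSP PATH] HKCU\[...]\Run : dpntc ("C:\Windows\System32\rundll32.exe" '
    r'"C:\Users\R\AppData\Roaming\dpntc.dll",Long_AsLongLong [7][-][x]) -> FOUND',
    r'[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND',
    r'[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND',
    r'[ZeroAccess][Junction] MsMpEng.exe : C:\Program Files\Microsoft Security Client\MsMpEng.exe >> \systemroot\system32\config [-] --> FOUND',
    r'[RUN] HKLM\[...]\Run : IntelliPoint ("c:\Program Files\Microsoft IntelliPoint\ipoint.exe") -> FOUND',
]

if __name__ == '__main__':
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f'{f.kind:17} {f.name:13} {f.detail}')
    print(summarize(found))
```

Run it with python3 and it prints one line per finding plus a per-rule count (one hidden path, two rundll32 loaders, two junctions for the sample). It understands only RogueKiller's line format; FRST writes the same Run values as "HKCU\...\Run: [wstbi] - ..." and would need its own parser. Plain non-ASCII is deliberately not a signal, because profile names in other locales are legitimate, while '?' and U+FFFD are, since neither can occur in a real NTFS name. The junction rule needs no allow-list: no installer turns an antivirus product's own binaries into reparse points. Matching these lines is triage only; the Run values, the DLLs in AppData\Roaming and the junctions still have to be removed with the tools the forum helper directs you to.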

Here are the logs from the Farbar scan...

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-08-2013 01
Ran by RSpencer (administrator) on 24-08-2013 15:40:09
Running from C:\Users\RSpencer\Desktop\Farbar Recovery Scan Tool
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Dassault Systèmes) C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Viewpoint Corporation) C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Dell Inc.) c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(AMD) C:\Windows\system32\atieclxx.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
(Dell Inc.) C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
(Dropbox, Inc.) C:\Users\RSpencer\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_94_ActiveX.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_94_ActiveX.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ATIModeChange] - Ati2mdxx.exe [x]
HKLM\...\Run: [IntelliPoint] - c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-06-20] ()
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [wstbi] - C:\Users\RSpencer\AppData\Roaming\wstbi.dll [593920 2013-08-22] (Corporation.) <===== ATTENTION
HKCU\...\Run: [dpntc] - C:\Users\RSpencer\AppData\Roaming\dpntc.dll [327680 2013-08-22] (Technology Inc.) <===== ATTENTION
MountPoints2: {57fdf492-2a4b-11e1-81eb-d067e5e66f00} - E:\TL-Bootstrap.exe
MountPoints2: {89ffd798-6ae0-11e2-9e1c-d067e5e66f00} - E:\TL-Bootstrap.exe
MountPoints2: {9e7543f4-7b63-11e2-9475-d067e5e66f00} - F:\TL-Bootstrap.exe
HKLM-x32\...\Run: [SoundMAXPnP] - C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-06] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] - c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-01-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [RemoteControl9] - C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell System Manager.lnk
ShortcutTarget: Dell System Manager.lnk -> C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe (Dell Inc.)
Startup: C:\Users\RSpencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\RSpencer\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {AFACBCDE-3D93-4020-A68C-A468BEC87647} URL = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - DefaultScope {AFACBCDE-3D93-4020-A68C-A468BEC87647} URL = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {AFACBCDE-3D93-4020-A68C-A468BEC87647} URL =
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {12545791-AC9A-44B2-8964-0DA216C4A4E5} http://webassistants.partcommunity.com/partserver/viewer/cnsweb3d/cnsweb3d.cab
DPF: HKLM-x32 {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} https://www.solidworks.com/sw/support/subscription/sldimdownload.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP31-13320/event/ieatgpc1.cab
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1

FireFox:
========
FF ProfilePath: C:\Users\RSpencer\AppData\Roaming\Mozilla\Firefox\Profiles\a4qbzpbs.default
FF Plugin: @3ds.com/3dxml - C:\Program Files\Dassault Systemes\3D XML Player\win_b64\code\bin\NP3DXMLPlugin.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @3ds.com/3dxml - C:\Program Files\Dassault Systemes\3D XML Player\win_b64\code\bin32\NP3DXMLPlugin.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_35 - C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @viewpoint.com/VMP - C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll (Viewpoint Corporation)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

Chrome:
=======
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION

==================== Services (Whitelisted) =================

R2 DraftSight API Service; C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [117760 2012-10-03] (Dassault Systèmes)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-06-20] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-06-20] ()
S3 Remote Solver for Flow Simulation 2012; C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [109624 2011-09-28] (Mentor Graphics Corporation)
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] ()
R2 Viewpoint Service; C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [30152 2008-04-04] (Viewpoint Corporation)

==================== Drivers (Whitelisted) ====================

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-24 15:38 - 2013-08-24 15:39 - 00000000 ____D C:\Users\RSpencer\Desktop\Farbar Recovery Scan Tool
2013-08-24 15:32 - 2013-08-24 15:32 - 00009749 _____ C:\Users\RSpencer\Desktop\RKreport[0]_S_08242013_152715mynameremoved.txt
2013-08-24 15:27 - 2013-08-24 15:27 - 00009789 _____ C:\Users\RSpencer\Desktop\RKreport[0]_S_08242013_152715.txt
2013-08-24 15:24 - 2013-08-24 15:32 - 00000000 ____D C:\Users\RSpencer\Desktop\RK_Quarantine
2013-08-24 15:24 - 2013-08-24 14:14 - 03814400 _____ C:\Users\RSpencer\Desktop\RogueKillerX64.exe
2013-08-24 12:11 - 2013-08-24 12:41 - 00000183 _____ C:\Users\RSpencer\Documents\MOST USED TEXT STRINGS.txt
2013-08-23 10:51 - 2013-08-23 10:52 - 00000000 ____D C:\Users\RSpencer\Documents\1D51D2A3-0AA4-47E8-93BF-F645757303C3.AP214IS
2013-08-22 14:06 - 2013-08-22 14:06 - 00327680 _____ (Technology Inc.) C:\Users\RSpencer\AppData\Roaming\dpntc.dll
2013-08-22 14:05 - 2013-08-22 14:05 - 00593920 _____ (Corporation.) C:\Users\RSpencer\AppData\Roaming\wstbi.dll
2013-08-22 13:29 - 2013-08-22 13:29 - 00216596 _____ C:\Users\RSpencer\Documents\1D51D2A3-0AA4-47E8-93BF-F645757303C3.AP214IS.zip
2013-08-20 15:10 - 2013-08-20 15:11 - 00000000 ____D C:\Users\RSpencer\Downloads\Brother gEARMOTORS
2013-08-20 09:42 - 2013-08-20 11:48 - 00000000 ____D C:\Users\RSpencer\Downloads\Encoder Products
2013-08-14 18:08 - 2013-07-09 01:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-14 18:08 - 2013-07-09 01:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-14 18:08 - 2013-07-09 01:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-14 18:08 - 2013-07-09 01:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-14 18:08 - 2013-07-09 00:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 18:08 - 2013-07-09 00:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 18:08 - 2013-07-09 00:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 18:08 - 2013-07-09 00:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 18:04 - 2013-07-25 05:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-08-14 18:04 - 2013-07-25 04:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 18:04 - 2013-07-09 01:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-14 18:04 - 2013-07-09 00:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 18:03 - 2013-07-09 02:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-08-14 18:03 - 2013-07-09 01:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-08-14 18:03 - 2013-07-09 01:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-08-14 18:03 - 2013-07-09 01:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 18:03 - 2013-07-09 01:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 18:03 - 2013-07-09 00:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 18:03 - 2013-07-09 00:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 18:03 - 2013-07-08 22:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 18:03 - 2013-07-08 22:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 18:03 - 2013-07-08 22:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 18:03 - 2013-07-08 22:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 18:03 - 2013-06-15 00:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-08-14 18:03 - 2012-11-30 01:45 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2013-08-14 18:03 - 2012-11-30 01:45 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2013-08-14 18:03 - 2012-11-30 01:43 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2013-08-14 18:03 - 2012-11-30 01:41 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-08-14 18:03 - 2012-11-30 01:41 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 01:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:53 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-08-14 18:03 - 2012-11-30 00:53 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-08-14 18:03 - 2012-11-30 00:45 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-08-14 18:03 - 2012-11-29 23:23 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2013-08-14 18:03 - 2012-11-29 22:38 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-08-14 18:03 - 2012-11-29 22:38 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-14 18:03 - 2012-11-29 22:38 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-14 18:03 - 2012-11-29 22:38 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-08-14 18:02 - 2013-07-24 23:54 - 17830400 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-14 18:02 - 2013-07-24 23:37 - 02312704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-14 18:02 - 2013-07-24 23:35 - 10926080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-14 18:02 - 2013-07-24 23:31 - 01346560 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-14 18:02 - 2013-07-24 23:30 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-14 18:02 - 2013-07-24 23:29 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-08-14 18:02 - 2013-07-24 23:29 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-08-14 18:02 - 2013-07-24 23:29 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-14 18:02 - 2013-07-24 23:28 - 02147840 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-14 18:02 - 2013-07-24 23:28 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-14 18:02 - 2013-07-24 23:28 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-14 18:02 - 2013-07-24 23:28 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-08-14 18:02 - 2013-07-24 23:28 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-08-14 18:02 - 2013-07-24 23:27 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-14 18:02 - 2013-07-24 23:27 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-08-14 18:02 - 2013-07-24 23:26 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-14 18:02 - 2013-07-24 22:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-14 18:02 - 2013-07-24 22:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-14 18:02 - 2013-07-24 22:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-14 18:02 - 2013-07-24 22:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-14 18:02 - 2013-07-24 22:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-14 18:02 - 2013-07-24 22:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-08-14 18:02 - 2013-07-24 22:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-08-14 18:02 - 2013-07-24 22:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-14 18:02 - 2013-07-24 22:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-14 18:02 - 2013-07-24 22:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-14 18:02 - 2013-07-24 22:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-14 18:02 - 2013-07-24 22:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-08-14 18:02 - 2013-07-24 22:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-08-14 18:02 - 2013-07-24 22:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-14 18:02 - 2013-07-24 22:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-14 18:02 - 2013-07-24 22:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-08-14 18:02 - 2013-07-06 02:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-14 10:43 - 2013-08-14 10:46 - 00000000 ____D C:\_insert
2013-08-13 17:42 - 2013-08-14 16:48 - 00000000 ____D C:\Users\RSpencer\Downloads\Bison
2013-08-13 13:38 - 2013-08-22 17:47 - 00000000 ____D C:\Users\RSpencer\Downloads\Bodine
2013-08-11 13:54 - 2013-08-11 15:03 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\Mozilla
2013-08-11 13:54 - 2013-08-11 13:54 - 00001149 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-08-11 13:54 - 2013-08-11 13:54 - 00000000 ____D C:\Users\RSpencer\AppData\Local\Mozilla
2013-08-11 13:54 - 2013-08-11 13:54 - 00000000 ____D C:\ProgramData\Mozilla
2013-08-11 13:54 - 2013-08-11 13:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-08-11 13:54 - 2013-08-11 13:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-11 13:52 - 2013-08-11 13:52 - 00281896 _____ (Mozilla) C:\Users\RSpencer\Downloads\Firefox Setup Stub 23.0.exe
2013-07-30 18:21 - 2013-07-30 18:23 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-MB001A
2013-07-30 18:04 - 2013-07-30 18:05 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-C24470618
2013-07-30 16:40 - 2013-07-30 16:41 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-MB004A
2013-07-30 14:55 - 2013-07-30 14:56 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-C24470648
2013-07-30 14:50 - 2013-07-30 14:51 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-4314-52
2013-07-30 14:39 - 2013-07-30 14:43 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-4314-51
2013-07-30 14:26 - 2013-07-31 10:11 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-B74G-4AK-AD3-RMG+4314-52+18-013-209
2013-07-30 14:10 - 2013-07-31 09:49 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-P74C-NAD-PPA+4314-51+4315-03
2013-07-29 17:18 - 2013-07-29 17:18 - 00143144 _____ C:\Users\RSpencer\Downloads\Ansi1.dwg
2013-07-29 15:51 - 2013-07-29 15:53 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-C24470418
2013-07-29 15:51 - 2013-07-29 15:51 - 00081851 _____ C:\Users\RSpencer\Downloads\Norgren-C24470418.zip
2013-07-29 14:26 - 2013-07-29 14:26 - 00093391 _____ C:\Users\RSpencer\Downloads\Norgren-C24470618.zip
2013-07-29 14:25 - 2013-07-29 14:25 - 00080655 _____ C:\Users\RSpencer\Downloads\Norgren-C24470648.zip
2013-07-29 14:18 - 2013-07-29 14:18 - 00095331 _____ C:\Users\RSpencer\Downloads\Norgren-MB001A.zip
2013-07-29 14:17 - 2013-07-29 14:17 - 00094229 _____ C:\Users\RSpencer\Downloads\Norgren-MB004A.zip
2013-07-29 13:59 - 2013-07-29 13:59 - 00859148 _____ C:\Users\RSpencer\Downloads\Norgren-P74C-NAD-PPA+4314-51+4315-03.zip
2013-07-29 13:54 - 2013-07-29 13:54 - 00058654 _____ C:\Users\RSpencer\Downloads\Norgren-18-011-024.zip
2013-07-29 13:54 - 2013-07-29 13:54 - 00053470 _____ C:\Users\RSpencer\Downloads\Norgren-MS001A.zip
2013-07-29 13:51 - 2013-07-29 13:51 - 00060078 _____ C:\Users\RSpencer\Downloads\Norgren-4314-51.zip
2013-07-29 13:50 - 2013-07-29 13:50 - 00076453 _____ C:\Users\RSpencer\Downloads\Norgren-4314-52.zip
2013-07-29 13:42 - 2013-07-29 13:42 - 00040243 _____ C:\Users\RSpencer\Downloads\Norgren-B74G-4AK-AD3-RMG+4314-52+18-013-209.dwg.zip
2013-07-29 13:38 - 2013-07-29 13:38 - 00349075 _____ C:\Users\RSpencer\Downloads\Norgren-B74G-4AK-AD3-RMG+4314-52+18-013-209.zip
2013-07-29 13:19 - 2013-07-29 13:19 - 00086501 _____ C:\Users\RSpencer\Downloads\all_air_line_equipment.zip
2013-07-27 14:28 - 2013-07-27 14:28 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\CADClick

==================== One Month Modified Files and Folders =======

2013-08-24 15:39 - 2013-08-24 15:38 - 00000000 ____D C:\Users\RSpencer\Desktop\Farbar Recovery Scan Tool
2013-08-24 15:32 - 2013-08-24 15:32 - 00009749 _____ C:\Users\RSpencer\Desktop\RKreport[0]_S_08242013_152715mynameremoved.txt
2013-08-24 15:32 - 2013-08-24 15:24 - 00000000 ____D C:\Users\RSpencer\Desktop\RK_Quarantine
2013-08-24 15:27 - 2013-08-24 15:27 - 00009789 _____ C:\Users\RSpencer\Desktop\RKreport[0]_S_08242013_152715.txt
2013-08-24 14:57 - 2009-07-14 00:45 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-24 14:57 - 2009-07-14 00:45 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-24 14:55 - 2009-07-14 01:13 - 00795548 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-24 14:54 - 2009-07-14 00:51 - 00065783 _____ C:\Windows\setupact.log
2013-08-24 14:53 - 2011-11-18 17:44 - 01971840 _____ C:\Windows\WindowsUpdate.log
2013-08-24 14:51 - 2012-02-22 09:24 - 00000000 ___RD C:\Users\RSpencer\Dropbox
2013-08-24 14:51 - 2012-02-22 09:22 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\Dropbox
2013-08-24 14:49 - 2011-12-19 09:20 - 00000112 _____ C:\Windows\system32\config\netlogon.ftl
2013-08-24 14:49 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-24 14:14 - 2013-08-24 15:24 - 03814400 _____ C:\Users\RSpencer\Desktop\RogueKillerX64.exe
2013-08-24 12:41 - 2013-08-24 12:11 - 00000183 _____ C:\Users\RSpencer\Documents\MOST USED TEXT STRINGS.txt
2013-08-24 12:41 - 2011-12-19 11:13 - 00000000 ___HD C:\Users\RSpencer\Documents\SolidWorks Working
2013-08-24 12:04 - 2011-12-19 14:40 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\SolidWorks
2013-08-23 10:52 - 2013-08-23 10:51 - 00000000 ____D C:\Users\RSpencer\Documents\1D51D2A3-0AA4-47E8-93BF-F645757303C3.AP214IS
2013-08-23 08:59 - 2011-12-22 11:30 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\Olnoa
2013-08-23 08:59 - 2010-11-20 23:47 - 00016672 _____ C:\Windows\PFRO.log
2013-08-23 08:58 - 2011-12-25 01:51 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\Miovk
2013-08-23 08:17 - 2013-02-24 10:55 - 00001111 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-08-23 08:17 - 2013-02-24 10:55 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-22 17:47 - 2013-08-13 13:38 - 00000000 ____D C:\Users\RSpencer\Downloads\Bodine
2013-08-22 14:06 - 2013-08-22 14:06 - 00327680 _____ (Technology Inc.) C:\Users\RSpencer\AppData\Roaming\dpntc.dll
2013-08-22 14:05 - 2013-08-22 14:05 - 00593920 _____ (Corporation.) C:\Users\RSpencer\AppData\Roaming\wstbi.dll
2013-08-22 14:05 - 2012-04-02 09:50 - 00000000 ___HD C:\Users\RSpencer\AppData\Local\Google
2013-08-22 13:38 - 2012-05-23 10:01 - 00000000 ____D C:\Users\RSpencer\Documents\Benchtop PW
2013-08-22 13:29 - 2013-08-22 13:29 - 00216596 _____ C:\Users\RSpencer\Documents\1D51D2A3-0AA4-47E8-93BF-F645757303C3.AP214IS.zip
2013-08-22 11:51 - 2012-05-24 11:08 - 00001821 _____ C:\Users\RSpencer\Desktop\Sage ERP MAS 90 WorkStation.lnk
2013-08-21 17:40 - 2012-11-05 18:00 - 00310591 _____ C:\Users\RSpencer\Documents\chain length calculator.xlsx
2013-08-21 10:26 - 2011-12-19 15:10 - 00000000 ___HD C:\Users\RSpencer\AppData\Local\SolidWorks
2013-08-20 15:11 - 2013-08-20 15:10 - 00000000 ____D C:\Users\RSpencer\Downloads\Brother gEARMOTORS
2013-08-20 11:48 - 2013-08-20 09:42 - 00000000 ____D C:\Users\RSpencer\Downloads\Encoder Products
2013-08-20 11:19 - 2013-06-19 10:59 - 00000000 ____D C:\Users\RSpencer\Downloads\MUSBA31130
2013-08-16 11:14 - 2012-02-29 11:51 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\Luxology
2013-08-16 09:22 - 2012-07-03 11:05 - 00000000 ____D C:\Users\RSpencer\Downloads\McMaster-Carr
2013-08-15 12:24 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2013-08-14 18:07 - 2011-12-19 09:27 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-08-14 16:48 - 2013-08-13 17:42 - 00000000 ____D C:\Users\RSpencer\Downloads\Bison
2013-08-14 10:46 - 2013-08-14 10:43 - 00000000 ____D C:\_insert
2013-08-14 10:46 - 2011-12-19 09:24 - 00000000 ___HD C:\Users\RSpencer\AppData\Local\VirtualStore
2013-08-12 19:20 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2013-08-11 15:03 - 2013-08-11 13:54 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\Mozilla
2013-08-11 13:54 - 2013-08-11 13:54 - 00001149 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-08-11 13:54 - 2013-08-11 13:54 - 00000000 ____D C:\Users\RSpencer\AppData\Local\Mozilla
2013-08-11 13:54 - 2013-08-11 13:54 - 00000000 ____D C:\ProgramData\Mozilla
2013-08-11 13:54 - 2013-08-11 13:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-08-11 13:54 - 2013-08-11 13:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-11 13:52 - 2013-08-11 13:52 - 00281896 _____ (Mozilla) C:\Users\RSpencer\Downloads\Firefox Setup Stub 23.0.exe
2013-07-31 15:22 - 2013-06-07 08:57 - 00000000 ____D C:\Users\RSpencer\Downloads\Bimba
2013-07-31 10:11 - 2013-07-30 14:26 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-B74G-4AK-AD3-RMG+4314-52+18-013-209
2013-07-31 09:49 - 2013-07-30 14:10 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-P74C-NAD-PPA+4314-51+4315-03
2013-07-30 18:23 - 2013-07-30 18:21 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-MB001A
2013-07-30 18:05 - 2013-07-30 18:04 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-C24470618
2013-07-30 16:41 - 2013-07-30 16:40 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-MB004A
2013-07-30 14:56 - 2013-07-30 14:55 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-C24470648
2013-07-30 14:51 - 2013-07-30 14:50 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-4314-52
2013-07-30 14:43 - 2013-07-30 14:39 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-4314-51
2013-07-30 14:05 - 2012-01-30 09:21 - 00000000 ____D C:\Users\RSpencer\Downloads\hoffman
2013-07-29 17:18 - 2013-07-29 17:18 - 00143144 _____ C:\Users\RSpencer\Downloads\Ansi1.dwg
2013-07-29 15:53 - 2013-07-29 15:51 - 00000000 ____D C:\Users\RSpencer\Downloads\Norgren-C24470418
2013-07-29 15:51 - 2013-07-29 15:51 - 00081851 _____ C:\Users\RSpencer\Downloads\Norgren-C24470418.zip
2013-07-29 14:26 - 2013-07-29 14:26 - 00093391 _____ C:\Users\RSpencer\Downloads\Norgren-C24470618.zip
2013-07-29 14:25 - 2013-07-29 14:25 - 00080655 _____ C:\Users\RSpencer\Downloads\Norgren-C24470648.zip
2013-07-29 14:18 - 2013-07-29 14:18 - 00095331 _____ C:\Users\RSpencer\Downloads\Norgren-MB001A.zip
2013-07-29 14:17 - 2013-07-29 14:17 - 00094229 _____ C:\Users\RSpencer\Downloads\Norgren-MB004A.zip
2013-07-29 13:59 - 2013-07-29 13:59 - 00859148 _____ C:\Users\RSpencer\Downloads\Norgren-P74C-NAD-PPA+4314-51+4315-03.zip
2013-07-29 13:54 - 2013-07-29 13:54 - 00058654 _____ C:\Users\RSpencer\Downloads\Norgren-18-011-024.zip
2013-07-29 13:54 - 2013-07-29 13:54 - 00053470 _____ C:\Users\RSpencer\Downloads\Norgren-MS001A.zip
2013-07-29 13:51 - 2013-07-29 13:51 - 00060078 _____ C:\Users\RSpencer\Downloads\Norgren-4314-51.zip
2013-07-29 13:50 - 2013-07-29 13:50 - 00076453 _____ C:\Users\RSpencer\Downloads\Norgren-4314-52.zip
2013-07-29 13:42 - 2013-07-29 13:42 - 00040243 _____ C:\Users\RSpencer\Downloads\Norgren-B74G-4AK-AD3-RMG+4314-52+18-013-209.dwg.zip
2013-07-29 13:38 - 2013-07-29 13:38 - 00349075 _____ C:\Users\RSpencer\Downloads\Norgren-B74G-4AK-AD3-RMG+4314-52+18-013-209.zip
2013-07-29 13:19 - 2013-07-29 13:19 - 00086501 _____ C:\Users\RSpencer\Downloads\all_air_line_equipment.zip
2013-07-27 14:28 - 2013-07-27 14:28 - 00000000 ____D C:\Users\RSpencer\AppData\Roaming\CADClick
2013-07-26 14:53 - 2013-07-16 14:17 - 00000000 ____D C:\Users\RSpencer\Downloads\Lovejoy
2013-07-25 05:25 - 2013-08-14 18:04 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-07-25 04:57 - 2013-08-14 18:04 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL

Files to move or delete:
====================
C:\Users\RSpencer\AppData\Roaming\wstbi.dll
C:\Users\RSpencer\AppData\Roaming\dpntc.dll
ZeroAccess:
C:\Users\RSpencer\AppData\Local\Google\Desktop\Install\{4a520414-089e-8bd4-9ede-85dc8b5a1622}
C:\Users\Richard Spencer\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\RSpencer\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\RSpencer\AppData\Local\Temp\ose00000.exe
C:\Users\RSpencer\AppData\Local\Temp\part2cad\extractor.exe
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\translators\acisremdll.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\translators\ifoffsolidworks2008.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\translators\ifoffsolidworks2009.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\translators\ifoffsolidworks2010.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\translators\ifoffsolidworks2011.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\translators\ifoffsolidworks2012.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\translators\ifoffsolidworks2013.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\acishlp.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\acisiges.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\acisstep.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SpaABlend.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SpaACIS.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SpaALops.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SpaASurf.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SpaAVis.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SpaBase.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SPAXAssemblyRep.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SPAXBase.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\SPAXInterop.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\xacis2k.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\xcore2k.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\xiges.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\xstep.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\libs\x86\32\custom\acisr13\xutil.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\cdt.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\cnslocal.exe
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\cscripthost.exe
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\fann.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\graph.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\gvc.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\gvplugin_dot_layout.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\gvplugin_neato_layout.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\meshreduction.exe
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\msvcm90.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\msvcp90.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\msvcr90.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\part2cad.exe
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\Pathplan.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\pcadass.exe
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolBSP.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolCadCon.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolCadCore.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolCGI.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolCOMAdapter.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolCore.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolDB.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolGeomCore.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolGeomCoreGui.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolGeoSearchCore.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolGui.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolJava.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolLicense.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolMath.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolMetaApi.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolOpenGL.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtCLucene4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtCore4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtGui4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtHelp4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtNetwork4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtOpenGL4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtScript4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtScriptTools4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtSql4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtWebKit4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtXml4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolQtXmlPatterns4.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolSearch.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolStart.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\PSolWizard.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\pstart.exe
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\vcomp90.dll
C:\Users\RSpencer\AppData\Local\Temp\part2cad\bin\x86\32\wscripthost.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

LastRegBack: 2013-08-22 12:39

==================== End Of Log ============================

Addition.txt

FRST.txt


My computer has been infected with the Zaccess Trojan. Can anyone offer guidance to help me remove it? I've followed the first steps outlined by MrCharlie in other posts but need his assistance to continue. Please refer to my posts from around 2-3pm today. Thank you.

  • Root Admin

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed, it will produce and open a log file. Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed, the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location, or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

fixlist.txt

  • Root Admin

That log looks good.

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click it on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

Please download AdwCleaner by Xplode to your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.

  • Root Admin

Please run MBAM and check for updates, then go to your Settings tab, then to "Scanner Settings".

Then click on the "Action" items for PUP, PUM, and P2P and make sure they're set to Show in results and check for removal.
Then do a Quick Scan and post back that new log file.


I apologize for the delay...ran another scan today to be sure...
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.05.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
RSpencer :: RSPENCER-PC [administrator]

9/6/2013 4:39:37 PM
mbam-log-2013-09-06 (16-39-37).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 419271
Time elapsed: 46 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.04.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
RSpencer :: RSPENCER-PC [administrator]

Protection: Enabled

9/4/2013 8:56:36 AM
mbam-log-2013-09-04 (08-56-36).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 417928
Time elapsed: 43 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

  • Root Admin

Okay, please run these tools.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click it on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

# AdwCleaner v3.003 - Report created 09/09/2013 at 08:35:23
# Updated 07/09/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : RSpencer - RSPENCER-PC
# Running from : C:\Users\RSpencer\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found C:\Users\RSpencer\AppData\Local\Temp\Smartbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\SmartBar
Key Found : [x64] HKCU\Software\AVG Secure Search
Key Found : [x64] HKCU\Software\SmartBar
Key Found : HKLM\Software\AVG Secure Search

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\RSpencer\AppData\Roaming\Mozilla\Firefox\Profiles\a4qbzpbs.default\prefs.js ]

Line Found : user_pref("extensions.enabledAddons", "gmailnoads%40mywebber.com:3.9.1,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0.1");
Line Found : user_pref("extensions.helperbar.DockingPositionDown", false);
Line Found : user_pref("extensions.helperbar.SmartbarDisabled", false);
Line Found : user_pref("extensions.helperbar.SmartbarStateMinimaized", false);
Line Found : user_pref("extensions.helperbar.Visibility", false);

*************************

AdwCleaner[R0].txt - [8762 octets] - [03/09/2013 10:06:01]
AdwCleaner[R1].txt - [1413 octets] - [09/09/2013 08:35:23]
AdwCleaner[s0].txt - [8888 octets] - [03/09/2013 10:11:34]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [1533 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.9 (09.07.2013:1)
OS: Windows 7 Professional x64
Ran by RSpencer on Mon 09/09/2013 at  8:41:48.78
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbar



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\RSpencer\AppData\Roaming\mozilla\firefox\profiles\a4qbzpbs.default\prefs.js

user_pref("extensions.helperbar.SmartbarDisabled", false);
user_pref("extensions.helperbar.SmartbarStateMinimaized", false);



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 09/09/2013 at  8:43:15.83
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
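The AdwCleaner and JRT reports above both flag user_pref lines in the Firefox profile's prefs.js. The following PowerShell script is an added example, not part of this thread and not code from either tool, showing how to read those entries yourself: it decodes the percent-encoded add-on IDs in extensions.enabledAddons, flags any ID that is not on an allowlist, and groups the remaining extensions.* prefs by their vendor segment (the helperbar.* lines are one such group). Assumptions: the profile path is the one shown in the report, the allowlist holds only Firefox's built-in default theme GUID, and the embedded sample lines are constructed from the report so the script runs without a real profile.

```powershell
# Added example: not part of the thread and not AdwCleaner or JRT code.
# Reads a Firefox prefs.js, pulls the extensions.enabledAddons pref, decodes the
# percent-encoded "id:version" entries and flags any add-on ID not on the
# allowlist. Then it groups every dotted extensions.<vendor>.* pref by vendor,
# because toolbar add-ons leave their own prefs behind even when disabled.

param(
    # Assumption: profile path as shown in the report above. Adjust for your profile.
    [string]$PrefsPath = "$env:APPDATA\Mozilla\Firefox\Profiles\a4qbzpbs.default\prefs.js"
)

# Add-on IDs you know and accept. The GUID below is Firefox's built-in default
# theme; append the IDs of extensions you installed on purpose.
$Allowed = @('{972ce4c6-7e08-4474-a285-3208198ce6fd}')

# Constructed sample, copied from the report lines above. Used when the real
# prefs.js is not present so the script still runs offline.
$SampleLines = @(
    'user_pref("extensions.enabledAddons", "gmailnoads%40mywebber.com:3.9.1,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0.1");',
    'user_pref("extensions.helperbar.DockingPositionDown", false);',
    'user_pref("extensions.helperbar.SmartbarDisabled", false);',
    'user_pref("extensions.helperbar.Visibility", false);',
    'user_pref("extensions.lastAppVersion", "23.0.1");'
)

function Get-EnabledAddons {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Firefox writes prefs as: user_pref("name", value);
        if ($line -match '^\s*user_pref\("extensions\.enabledAddons",\s*"([^"]*)"\);') {
            foreach ($entry in ($Matches[1] -split ',')) {
                if (-not $entry) { continue }
                # Each entry is <percent-encoded id>:<version>; the version follows the last colon.
                $cut = $entry.LastIndexOf(':')
                [pscustomobject]@{
                    Id      = [uri]::UnescapeDataString($entry.Substring(0, $cut))
                    Version = $entry.Substring($cut + 1)
                }
            }
        }
    }
}

$lines = if (Test-Path -LiteralPath $PrefsPath) { Get-Content -LiteralPath $PrefsPath } else { $SampleLines }

'--- enabled add-ons ---'
foreach ($addon in Get-EnabledAddons -Lines $lines) {
    $verdict = if ($Allowed -contains $addon.Id) { 'known ' } else { 'REVIEW' }
    '{0} {1} (version {2})' -f $verdict, $addon.Id, $addon.Version
}

'--- dotted extensions.<vendor>.* prefs, grouped by vendor ---'
$lines |
    ForEach-Object { if ($_ -match '^\s*user_pref\("extensions\.([^".]+)\.') { $Matches[1] } } |
    Group-Object |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,3} pref(s): extensions.{1}.*' -f $_.Count, $_.Name }
```

On the sample above the first section lists gmailnoads@mywebber.com as REVIEW and the default theme GUID as known; the second section shows three helperbar prefs. A pref line is only a trace: removing it from prefs.js does not uninstall the add-on, so anything flagged REVIEW should also be checked in the Firefox Add-ons manager.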

  • Root Admin

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Then start MBAM, check for updates, do a Quick Scan and post back that new log file.


# AdwCleaner v3.003 - Report created 11/09/2013 at 12:07:53
# Updated 07/09/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : RSpencer - RSPENCER-PC
# Running from : C:\Users\RSpencer\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\RSpencer\AppData\Local\Temp\Smartbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Secure Search

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\RSpencer\AppData\Roaming\Mozilla\Firefox\Profiles\a4qbzpbs.default\prefs.js ]

Line Deleted : user_pref("extensions.enabledAddons", "gmailnoads%40mywebber.com:3.9.1,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0.1");
Line Deleted : user_pref("extensions.helperbar.DockingPositionDown", false);
Line Deleted : user_pref("extensions.helperbar.Visibility", false);

*************************

AdwCleaner[R0].txt - [8762 octets] - [03/09/2013 10:06:01]
AdwCleaner[R1].txt - [1621 octets] - [09/09/2013 08:35:23]
AdwCleaner[R2].txt - [1450 octets] - [11/09/2013 12:07:10]
AdwCleaner[s0].txt - [8888 octets] - [03/09/2013 10:11:34]
AdwCleaner[s1].txt - [1334 octets] - [11/09/2013 12:07:53]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [1394 octets] ##########

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
RSpencer :: RSPENCER-PC [administrator]

9/11/2013 12:10:53 PM
mbam-log-2013-09-11 (12-10-53).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 418498
Time elapsed: 44 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\RSpencer\Downloads\freeopener_715.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.

(end)


  • Root Admin

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

Then restart the computer and run the following scanner.

  1. Please download Dr.Web CureIt! antivirus and save it to your computer. The file size is in excess of 100MB
  2. NOTE: Free usage of Dr.Web CureIt! for business purposes is illegal.
  3. Internet Explorer may show a warning when downloading - the file is safe to download from the provided link.
  4. Shutdown your antivirus to avoid any conflicts while scanning.
  5. Once the scans have completed please re-enable your antivirus.
  6. If using Malwarebytes Anti-Malware PRO you can right click over the tray icon and disable the Protection Modules
  7. If needed you can also temporarily disable it from starting with Windows
  8. Temporarily turn off any other security add-ons or applications you may also have.
  9. Once you have downloaded Dr.Web CureIt! you should right click over it and choose Properties and verify it has a Digital Signature.
  10. If it does not have a Digital Signature then do not run it.
  11. Close all open programs including all Web browsers and then double-click on drweb-cureit.exe to start the installer.
  12. You should have User Account Control (UAC) enabled for improved security, which should then produce a dialog box asking for approval to run the installer.
  13. Click on the Yes button to start the installer.
  14. Click OK to scan your computer in the Enhanced Protection Mode
  15. Click on the check box to agree to participate in their software improvement program.
  16. Then if needed choose your Language by clicking on the small globe like icon in the upper right corner by the wrench.
  17. Then click on the Continue button and then click on the Select objects for scanning link just below the "Start scanning" button.
  18. Place a check mark on all the items except for Temporary files and System restore points - those items should not have a check mark on them.
  19. Then click on the Start scanning button.
  20. If a threat is found you can click on the Action column in the program.
  21. Your options will be Cure or Ignore
  22. If you see an item that you are absolutely sure is OK, then un-check the check box for that item, otherwise keep it on Cure.
  23. Then click on the Neutralize button.
  24. Once completed click on the green Open Report link. It will open the report in NOTEPAD
  25. Save the report to your desktop. The report will be called Cureit.log
  26. Close Dr.Web Cureit!
  27. Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  28. After reboot, attach the log Cureit.log you saved previously in your next reply.
  29. Re-Enable your antivirus and other security programs when all done.

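Steps 9 and 10 above tell you to check for a digital signature through the file's Properties dialog. Below is the same check from a PowerShell prompt, as an added example that is not part of this thread and not Dr.Web's or Malwarebytes' code: it verifies that the downloaded file carries an Authenticode signature that validates against a trusted root and shows who signed it. Assumptions: the file is drweb-cureit.exe on the Desktop (the name the post uses), and the optional ExpectedSigner value is a substring you take from the Digital Signatures tab the first time you inspect a download from that vendor.

```powershell
# Added example: not part of the thread and not Dr.Web's or Malwarebytes' code.
# Does what steps 9 and 10 above ask for, without the Properties dialog: checks
# that a downloaded tool has an Authenticode signature that verifies and chains
# to a trusted root, and reports who signed it.
# Assumptions: the file is drweb-cureit.exe on the Desktop; -ExpectedSigner is a
# substring you expect in the signer's certificate subject (pin it after you
# have read it once from the Digital Signatures tab).

function Test-DownloadSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSigner = ''
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Status is Valid only when the signature verifies and the chain is trusted.
    # NotSigned, HashMismatch (file altered after signing) and NotTrusted (chain
    # does not reach a trusted root) are all reasons not to run the file.
    $statusOk = ($sig.Status -eq 'Valid')
    $signerOk = ($ExpectedSigner -eq '') -or ($subject -like "*$ExpectedSigner*")

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Message    = $sig.StatusMessage
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        SafeToRun  = ($statusOk -and $signerOk)
    }
}

# Assumption: download location and file name as used in the post above.
$download = "$env:USERPROFILE\Desktop\drweb-cureit.exe"
if (Test-Path -LiteralPath $download) {
    $report = Test-DownloadSignature -Path $download
    $report | Format-List
    if (-not $report.SafeToRun) {
        Write-Warning ("Signature check failed (status {0}); do not run this file." -f $report.Status)
    }
} else {
    Write-Host "Nothing to check: $download is not present."
}
```

A Valid status says only that the file was signed by the holder of that certificate and has not been modified since; it does not say the program is safe. Record the signer subject and thumbprint the first time, pass the subject fragment as -ExpectedSigner on later downloads, and treat NotSigned or HashMismatch as a reason to delete the file and fetch it again from the vendor's site.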

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

