Virus - Cannot enter Safe Mode.

[NotHelpDesk]

I have a computer that I think has the FBI virus.  I am unable to boot the computer to Safe Mode.  The computer is useless at this point.  When it is turned on, it never gets to the windows desktop after logging on to it.  Windows 7 Home Premium ASUS  Essentio Series Desktop.  Is anyone able to help with the removal process?

 

Thank you...

[MrCharlie]

Welcome to the forum, here's how we deal with that malware:

• Please download Farbar Recovery Scan Tool and save it to a flash drive.

  Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  Plug the flash drive into the infected PC.

• If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

  If you are using Vista or Windows 7 enter System Recovery Options.

  To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
  Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

  To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

  To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
• On the System Recovery Options menu you will get the following options:

  • • Startup Repair

      System Restore

      Windows Complete PC Restore

      Windows Memory Diagnostic Tool

      Command Prompt

      Select Command Prompt

      Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

[NotHelpDesk]

Thank you for the quick response!  I am attempting to get to a command prompt.  As soon as I am able I will post the results of the scan.

[NotHelpDesk]

Here are the results of the scan:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-09-2013
Ran by SYSTEM on MININT-QG70DOT on 06-09-2013 11:55:57
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

Winlogon\Notify\PFW:
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\qttask.exe [282624 2010-09-09] (Apple Computer, Inc.)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [sendori Tray] - C:\Program Files (x86)\Sendori\SendoriTray.exe [83232 2013-07-01] (Sendori, Inc.)
HKU\Schaub\...\Run: [EPSON NX110 Series] - C:\Users\Schaub\AppData\Local\Temp\E_SF288.tmp [120 2013-02-05] ()
HKU\Schaub\...\Winlogon: [shell] explorer.exe,C:\Users\Schaub\AppData\Roaming\cache.dat [85504 2013-07-08] () <==== ATTENTION

==================== Services (Whitelisted) =================

S2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [119072 2013-07-01] (Sendori, Inc.)
S2 CouponXplorer_5zService; C:\PROGRA~2\COUPON~4\bar\1.bin\5zbarsvc.exe [42504 2012-09-14] (COMPANYVERS_NAME)
S2 FastFreeConverterUpdt; C:\Program Files (x86)\Fast Free Converter\FastFreeConverterUpdt.exe [687104 2012-11-26] ()
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [227232 2010-09-02] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S2 MyFunCards_5mService; C:\PROGRA~2\MYFUNC~2\bar\1.bin\5mbarsvc.exe [42528 2012-09-17] (COMPANYVERS_NAME)
S2 MyScrapNook_12Service; C:\PROGRA~2\MYSCRA~2\bar\1.bin\12barsvc.exe [42504 2012-09-17] (COMPANYVERS_NAME)
S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [132504 2013-03-20] (Symantec Corporation)
S2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-07-01] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-07-01] (Sendori)
S2 SupportSoft RemoteAssist; C:\Program Files (x86)\Common Files\supportsoft\bin\ssrc.exe [386424 2010-02-24] (SupportSoft, Inc.)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{50854cd7-a391-e12e-52c4-5b5f0efcb4f5}\   \...\???\{50854cd7-a391-e12e-52c4-5b5f0efcb4f5}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-03] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-03] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-05] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-05] ()
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
S3 mfeavfk01; No ImagePath
S3 tmlwf;
S3 tmwfp;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-30 02:57 - 2013-09-06 08:41 - 00000004 _____ C:\Users\Schaub\AppData\Roaming\cache.ini
2013-08-14 14:06 - 2013-07-25 21:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-14 14:06 - 2013-07-25 21:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-14 14:06 - 2013-07-25 21:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-14 14:06 - 2013-07-25 21:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-14 14:06 - 2013-07-25 21:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-14 14:06 - 2013-07-25 21:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-14 14:06 - 2013-07-25 21:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-14 14:06 - 2013-07-25 21:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-14 14:06 - 2013-07-25 21:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-14 14:06 - 2013-07-25 21:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-14 14:06 - 2013-07-25 21:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-14 14:06 - 2013-07-25 21:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-14 14:06 - 2013-07-25 19:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-14 14:06 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-14 14:06 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-14 14:06 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-14 14:06 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-14 14:06 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-14 14:06 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-14 14:06 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-14 14:06 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-14 14:06 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-14 14:06 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-14 14:06 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-14 14:06 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-14 14:06 - 2013-07-25 18:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-14 14:06 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-14 14:05 - 2013-07-25 21:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-14 14:05 - 2013-07-25 21:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-14 14:05 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-14 14:05 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-14 14:01 - 2013-08-14 14:02 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 03:32 - 2013-07-25 01:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-14 03:32 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 03:32 - 2013-07-18 17:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-14 03:32 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 03:32 - 2013-07-08 22:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-14 03:32 - 2013-07-08 21:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-14 03:32 - 2013-07-08 21:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-08-14 03:32 - 2013-07-08 21:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-14 03:32 - 2013-07-08 21:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-14 03:32 - 2013-07-08 21:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-14 03:32 - 2013-07-08 21:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-14 03:32 - 2013-07-08 21:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 03:32 - 2013-07-08 21:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 03:32 - 2013-07-08 20:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 03:32 - 2013-07-08 20:53 - 00085504 _____ C:\Users\Schaub\AppData\Roaming\cache.dat
2013-08-14 03:32 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 03:32 - 2013-07-08 20:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 03:32 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 03:32 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 03:32 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 03:32 - 2013-07-08 18:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 03:32 - 2013-07-08 18:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 03:32 - 2013-07-08 18:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 03:32 - 2013-06-14 20:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-08-14 03:31 - 2013-07-08 21:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-14 03:31 - 2013-07-08 20:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 03:31 - 2013-07-08 18:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 03:31 - 2013-07-05 22:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

==================== One Month Modified Files and Folders =======

2013-09-06 11:38 - 2013-06-01 14:01 - 00000000 ____D C:\Windows\System32\SPReview
2013-09-06 11:38 - 2013-03-03 13:01 - 00000000 ____D C:\Program Files (x86)\Sendori
2013-09-06 11:38 - 2013-03-03 13:00 - 00000000 ____D C:\Program Files (x86)\Files Access
2013-09-06 11:38 - 2013-03-03 12:59 - 00000000 ____D C:\Program Files (x86)\Fast Free Converter
2013-09-06 11:38 - 2013-03-03 12:58 - 00000000 ____D C:\Program Files (x86)\Extreme Media Player
2013-09-06 11:38 - 2012-09-18 11:44 - 00000000 ____D C:\Program Files (x86)\Norton PC Checkup 3.0
2013-09-06 11:38 - 2012-09-14 13:32 - 00000000 ____D C:\Program Files (x86)\SelectRebates
2013-09-06 11:38 - 2012-06-13 04:53 - 00000000 ____D C:\Program Files (x86)\Coupons
2013-09-06 11:38 - 2012-05-13 14:00 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-09-06 11:38 - 2012-05-13 14:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-09-06 11:38 - 2011-11-22 11:03 - 00000000 ____D C:\Program Files (x86)\Ask.com
2013-09-06 11:38 - 2011-03-01 07:03 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2013-09-06 11:38 - 2011-03-01 07:01 - 00000000 ____D C:\ProgramData\McAfee
2013-09-06 11:38 - 2010-09-09 14:30 - 00000000 ____D C:\Program Files (x86)\PictureProject In Touch Downloader
2013-09-06 11:38 - 2010-09-09 14:27 - 00000000 ____D C:\Program Files (x86)\QuickTime
2013-09-06 11:38 - 2010-03-18 11:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Works
2013-09-06 11:38 - 2009-11-05 14:30 - 00000000 ____D C:\Program Files (x86)\Microsoft Office Suite Activation Assistant
2013-09-06 11:38 - 2009-11-05 14:17 - 00000000 ____D C:\Windows\System32\Tasks\ASUS
2013-09-06 11:38 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-09-06 11:38 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-09-06 11:38 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\restore
2013-09-06 11:38 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-09-06 11:38 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2013-09-06 11:38 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2013-09-06 11:38 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-09-06 11:38 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2013-09-06 11:38 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
2013-09-06 11:38 - 2009-07-13 19:20 - 00000000 __RHD C:\Users\Public\Libraries
2013-09-06 11:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2013-09-06 11:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\IME
2013-09-06 11:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Cursors
2013-09-06 11:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-09-06 11:38 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-09-06 11:38 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Services
2013-09-06 11:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-09-06 08:41 - 2013-08-30 02:57 - 00000004 _____ C:\Users\Schaub\AppData\Roaming\cache.ini
2013-09-06 08:41 - 2012-09-01 09:00 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-06 08:41 - 2010-03-18 11:00 - 00000000 ____D C:\users\Schaub
2013-09-06 08:40 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-06 08:40 - 2009-07-13 20:51 - 00116413 _____ C:\Windows\setupact.log
2013-09-06 04:28 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-06 04:28 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-06 04:27 - 2012-05-16 15:06 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-06 04:25 - 2010-03-18 14:59 - 01908664 _____ C:\Windows\WindowsUpdate.log
2013-08-30 03:01 - 2012-04-15 06:28 - 00001751 _____ C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2013-08-30 03:01 - 2010-04-02 04:32 - 00003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{5FB2C839-A95B-4E35-8350-B967F4A4020C}
2013-08-29 20:10 - 2012-09-01 09:00 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-29 12:09 - 2013-03-03 13:01 - 00000000 ____D C:\ProgramData\Sendori
2013-08-29 12:09 - 2012-09-01 08:59 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-24 12:08 - 2012-09-18 11:44 - 00004436 _____ C:\Windows\System32\Tasks\PC Checkup 3 Weekly Scan
2013-08-22 22:43 - 2012-09-01 09:03 - 00002106 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-08-20 13:27 - 2013-06-11 14:28 - 17737608 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-08-20 13:27 - 2012-05-16 15:06 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-20 13:27 - 2012-05-16 15:06 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-20 13:27 - 2011-11-14 12:58 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-14 15:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-08-14 14:03 - 2009-07-13 21:13 - 00740322 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-14 14:02 - 2013-08-14 14:01 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 14:00 - 2010-03-21 09:24 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1494064449-4088994902-3394997980-1000\$50854cd7a391e12e52c45b5f0efcb4f5

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$50854cd7a391e12e52c45b5f0efcb4f5

Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{50854cd7-a391-e12e-52c4-5b5f0efcb4f5}
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
C:\Users\Schaub\6270217.exe
C:\Users\Schaub\azrqoynbzhizmejxpfdcrxth.exe
C:\Users\Schaub\AppData\Roaming\cache.dat
C:\Users\Schaub\AppData\Roaming\cache.ini
C:\Users\Schaub\AppData\Local\Temp\AD Fix 1.8.exe
C:\Users\Schaub\AppData\Local\Temp\ApnStub.exe
C:\Users\Schaub\AppData\Local\Temp\atl80.dll
C:\Users\Schaub\AppData\Local\Temp\contentDATs.exe
C:\Users\Schaub\AppData\Local\Temp\DefaultAssets.exe
C:\Users\Schaub\AppData\Local\Temp\DefaultOfflineContent.exe
C:\Users\Schaub\AppData\Local\Temp\FastFreeConverterUpdt_v4.0.exe
C:\Users\Schaub\AppData\Local\Temp\FastFreeConverterUpdt_v4.1.exe
C:\Users\Schaub\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Schaub\AppData\Local\Temp\FlashPlayerUpdate01.exe
C:\Users\Schaub\AppData\Local\Temp\FlashPlayerUpdate02.exe
C:\Users\Schaub\AppData\Local\Temp\FlashPlayerUpdate03.exe
C:\Users\Schaub\AppData\Local\Temp\FlashPlayerUpdate04.exe
C:\Users\Schaub\AppData\Local\Temp\FlashPlayerUpdate05.exe
C:\Users\Schaub\AppData\Local\Temp\issdm_rr_en.exe
C:\Users\Schaub\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Schaub\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Schaub\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Schaub\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Schaub\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Schaub\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Schaub\AppData\Local\Temp\libexpat.dll
C:\Users\Schaub\AppData\Local\Temp\mfc80.dll
C:\Users\Schaub\AppData\Local\Temp\mfc80u.dll
C:\Users\Schaub\AppData\Local\Temp\mfcm80.dll
C:\Users\Schaub\AppData\Local\Temp\mfcm80u.dll
C:\Users\Schaub\AppData\Local\Temp\MindsparkAssets.exe
C:\Users\Schaub\AppData\Local\Temp\mssinstaller.exe
C:\Users\Schaub\AppData\Local\Temp\msvcm80.dll
C:\Users\Schaub\AppData\Local\Temp\msvcp80.dll
C:\Users\Schaub\AppData\Local\Temp\msvcr80.dll
C:\Users\Schaub\AppData\Local\Temp\nlsdl.dll
C:\Users\Schaub\AppData\Local\Temp\PCCU_Installer.exe
C:\Users\Schaub\AppData\Local\Temp\PreferencesJson.exe
C:\Users\Schaub\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Schaub\AppData\Local\Temp\setup.exe
C:\Users\Schaub\AppData\Local\Temp\TmDbg32.dll
C:\Users\Schaub\AppData\Local\Temp\TmDbg64.dll
C:\Users\Schaub\AppData\Local\Temp\_is1F71.exe
C:\Users\Schaub\AppData\Local\Temp\_is5A7E.exe
C:\Users\Schaub\AppData\Local\Temp\{C00E3A1E-86EE-4F27-9D91-76D3396D9E7B}\ISSetup.dll
C:\Users\Schaub\AppData\Local\Temp\{C00E3A1E-86EE-4F27-9D91-76D3396D9E7B}\_Setup.dll
C:\Users\Schaub\AppData\Local\Temp\{316ADA84-9BC7-4218-9310-1E98AF17643F}\ISSetup.dll
C:\Users\Schaub\AppData\Local\Temp\{316ADA84-9BC7-4218-9310-1E98AF17643F}\_Setup.dll
C:\Users\Schaub\AppData\Local\Temp\_ir_sf_temp_1\npCouponPrinter.dll
C:\Users\Schaub\AppData\Local\Temp\_ir_sf_temp_1\npMozCouponPrinter.dll
C:\Users\Schaub\AppData\Local\Temp\_ir_sf_temp_0\npCouponPrinter.dll
C:\Users\Schaub\AppData\Local\Temp\_ir_sf_temp_0\npMozCouponPrinter.dll
C:\Users\Schaub\AppData\Local\Temp\ztmp\tmp4467.exe
C:\Users\Schaub\AppData\Local\Temp\YToolbar\ytbwrap.exe
C:\Users\Schaub\AppData\Local\Temp\Nikon\MessageCenter\mca_setup_10.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\caEntitlementDLL.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\calic.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ccEvtMgr.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ccidprod.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ccissimg.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ccKASubmit.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ccmsgfrm.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ccpriv.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ccprovep.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ccprovsp.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\compdet.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\eiss.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ezavlic.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\license.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\setup.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\SQLite3.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\unicows.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\ytb\ytbsetup.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\brand.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\calic.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ccemail.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ccguifrm.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ccguifrmres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ccissimg.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ccissprd.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ccissres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ccpriv.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ccupdif.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\eiss.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ISSImages.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\Issresource.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\libeay32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\license.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\log4cplusU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\scx86\ssleay32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caccproductcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caccresourcecau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caccupdatecau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caccusdkcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caenroll.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caisshelpcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caissproductcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caissresourcecau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caisstutorial.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caOSCheck.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\capcfix.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\casc.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caschelp.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\cashellSubmitFilePlugin.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\cauconfig.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\cauconnect.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caumessage.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caupackage.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\caupdate.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\cawsc.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\CAX86CommonCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccdynamiccontent.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccemail.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccidhelp.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccipc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccisd.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\cclogconfig.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccproxysrvc.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccscheduler.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccschedulersvc.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccshellext.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccsubmit.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccsystemreport.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccsystemreport.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccupdate.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ccupdif.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\commonbo.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\libeay32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\libetpki_openssl_crypto.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\log4cplusU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\msvcp80.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\msvcr80.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\QUICKTOUR.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\SQLite3.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\ssleay32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\vcredist_x64.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\vcredist_x86.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\xalan-c_1_10.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\xalan_messages_1_10.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\xerces-c_2_7.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\xsec_1_2_0.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\Plugins\CaIssCompetitorCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\lang\en\caissproduct.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\lang\en\caissresource.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\lang\en\ccshellresource.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\hnv\ipthread.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\hnv\libetpki2.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\hnv\libetpki2_thread.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\hnv\libetpki_openssl_crypto.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\hnv\libetpki_openssl_ssl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\sc\hips\hips_cc.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\rrtb\smartinstallAllinOne.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\ccguifrm.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\ccmsgfrmImages.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\ISSImages.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\lang\en\brand.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\lang\en\ccguifrmres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\lang\en\ccissprd.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\lang\en\ccissres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\lang\en\ccmsgfrmres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\lang\en\ccUpgradeRes.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\res\lang\en\Issresource.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwinst.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\CaFWKnownAppsCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwproductcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwsdkcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\ccidprod.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\ccinstaller.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\ccsrfw.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\HIPS_SDK\CAPF.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\CacheClean.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\cafwHelper.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\capfUpgrade.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\capolicyupdater.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\caPrivacyBO.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\ePFBPLAAE.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\ePFBPLAR.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\ePFBPLFW.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\ePFBPLMA.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\ePFBPLNAM.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafwgui-bin\ePFBPLSbx.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pfw\cafw.Other\KnownApps.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\caPCBo.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\CaPCProductCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\ccidprod.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\ccsrpc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\cfgca32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\cfgmig32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\cfgmig32.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\GeneratePCReport.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\pc\parentalcontrols.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\BackupProduct.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\BonesResource.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\CA01041WebUpdate.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\CA01041WebUpdateResources.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\CABMInst.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\CADNAUpdater.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\CAISSLicMod.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ccidprod.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ccinstaller.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Compression.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\cryptocme2.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Differencing.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\DNABones.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\DNABonesProxy.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ipthread.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\jetpki.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\KEYLIB32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\libetpki2.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\libetpki2_thread.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\libetpki_openssl_crypto.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\libetpki_openssl_ssl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\liblog_api.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\MFC71.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\MFC71LU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\mfc80.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\MSLUP71.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\MSLUR71.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\msvcp71.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\msvcp80.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\msvcr71.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\msvcr80.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\regsvr32.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\RxTrace.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\SciLexer.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ScriptToJSConverter.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\SKCA32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\unicows.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Setup\BackupProductRes.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Setup\CABMInst.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Setup\ccinstaller.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Self Extractor Files\SelfExtractingShell.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Self Extractor Files\SelfExtractingShellResources.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ScriptExtensions\DNACertStore.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ScriptExtensions\DNAPrinter.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ScriptExtensions\DNAScriptExtension.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ScriptExtensions\DNASystemExt.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ScriptExtensions\FTBAB.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ScriptExtensions\OutlookExtension.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ScriptExtensions\TaskExtension.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\LibraryUpdate\LibraryUpdate.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\lang\en\BackupProductRes.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\lang\en\BonesResource.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\lang\en\DNAEngineResource.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\CA01041Controls9x.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\CA01041ControlsNT.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\CA01041Enumerators.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\CA01041LDAPAccess.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\CA01041SecurityAccess.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\CA01041Status.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\CA01041XMLBuffer.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DeadSystemMaster.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAAccountProfile9x.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAAccountProfileNT.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNACatalogImpl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAEngineImpl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAFileImpl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAMachineLocator.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAMassMigration.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAScript.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAScriptJS.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNASecurity.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\DNAShortcutMap.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\HttpFileImpl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\js32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\libcurl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\MAEngineImpl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\MAEngineResource.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\OptionsAccessor.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\SpanningFile.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\Components\SuluEF.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ccupdate\plugins\CABnMSDKCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\dm\ccupdate\plugins\CaDNABMProductCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\AntiSpamCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\AntiSpamPBO.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\AntiSpamResCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\ccidprod.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\ccsras.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\CLucene.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\msvcr71.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q-Update.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.de.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.de.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.es.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.es.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.fr.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.fr.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.it.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.it.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.ja.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.ja.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.sc.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.sc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.tc.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.tc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.tr.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\Q.tr.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QDB.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QOE.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QOEApp.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QOEHook.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.de.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.de.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.es.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.es.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.fr.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.fr.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.it.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.it.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.ja.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.ja.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.sc.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.sc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.tc.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.tc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.tr.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\QUpdate.tr.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\unzip.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\winspamcatcher64.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\AntiSpamPBO.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\CLucene.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\msvcr71.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.de.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.de.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.es.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.es.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.fr.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.fr.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.it.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.it.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.ja.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.ja.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.sc.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.sc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.tc.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.tc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.tr.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\Q.tr.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QAddin.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QDB.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QOL.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.de.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.es.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.fr.brandca.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.fr.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.it.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.ja.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.sc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.tc.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\QUpdate.tr.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\as\x86\winspamcatcher.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\caaphimages.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\caaphishbo.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\caaphproductCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\caaphresourceCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\caaphsdkCAU.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\caaphupd.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\CAIEToolBar.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\ccidprod.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\ccsraph.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\sitefilter.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\x86\caaphimages.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\x86\caaphishbo.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\x86\caaphupd.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\x86\CAIEToolBar.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\x86\sitefilter.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\x86\lang\en\caaphres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\x86\FireFox\components\CAFxToolBar.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\aph\lang\en\caaphres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\aminst.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\atl80.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caambl.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caamclscan.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caamdatcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caamengcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caaminstallcci.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caamisafecau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caamproductcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caamrtdrvcau.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caamscanner.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\caamshlext.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\ccidprod.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\ccinstaller.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\ccsram.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\isafe.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\ISafeIf.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\ISafeIf64.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\ISafInst.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\ISafInst64.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\ISafServ.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\msvcp80.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\msvcr80.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\VetRedir.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\VetRedir64.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\lang\en\ISafProd.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\lang\en\ISafProd64.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\amrt.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\AMS_Update.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\arclib.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\CAAMSvc.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\cruxcrypto_1_0.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\crux_1_0.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\Flipster.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\icudt34.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\icuin34.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\icuio34.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\icule34.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\iculx34.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\icutest.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\icutu34.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\icuuc34.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\libeay32.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\libetpki_openssl_crypto.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\MalwareAPI.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\vete.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\xalan-c_1_10.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\xalan_messages_1_10.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\xerces-c_2_7.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\xsec_1_2_0.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\Plugins\AMS_Plugin.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\x64\am\engine\Plugins\Signatures_Plugin.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\launcher\ccguifrm.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\launcher\ccissimg.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\launcher\setup.exe
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\launcher\scx86\lang\en\brand.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\launcher\scx86\lang\en\ccguifrmres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\launcher\scx86\lang\en\ccissprd.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\launcher\scx86\lang\en\ccissres.dll
C:\Users\Schaub\AppData\Local\Temp\ISSTempFiles\launcher\scx86\lang\en\ccUpgradeRes.dll
C:\Users\Schaub\AppData\Local\Temp\ExtremeMediaPlayer\YahooToolbar\YahooToolbar.exe
C:\Users\Schaub\AppData\Local\Temp\ExtremeMediaPlayer\YahooToolbar\ydetect.exe
C:\Users\Schaub\AppData\Local\Temp\ExtremeMediaPlayer\Sendori\SendoriSetupx12202.exe
C:\Users\Schaub\AppData\Local\Temp\ExtremeMediaPlayer\PCSpeedBoost\PCSpeedBoost3.exe
C:\Users\Schaub\AppData\Local\Temp\ExtremeMediaPlayer\FilesAccess\Install_FilesAccess.exe
C:\Users\Schaub\AppData\Local\Temp\ExtremeMediaPlayer\FFC\FastFreeConverter.exe
C:\Users\Schaub\AppData\Local\Temp\ExtremeMediaPlayer\ExtremeMediaPlayer\Setup_ExtremeMediaPlayer.exe
C:\Users\Schaub\AppData\Local\Temp\BD56.dir\InstallFlashPlayer.exe
C:\Users\Schaub\AppData\Local\Temp\BD37.dir\InstallFlashPlayer.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\autoruns.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\Eset.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\HCL32.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\HCL64.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\HijackThis.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\mbam.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\MGADiag.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\oscdimg.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\psexec.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\regini.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\SetACL.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\subinacl.exe
C:\Users\Schaub\AppData\Local\Temp\afolder\TDSSKiller.exe
C:\Users\Schaub\AppData\Local\Temp\955C.dir\InstallFlashPlayer.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-29 14:30:55
Restore point made on: 2013-08-04 16:00:28
Restore point made on: 2013-08-11 16:00:23
Restore point made on: 2013-08-14 14:00:31
Restore point made on: 2013-08-18 16:00:25
Restore point made on: 2013-08-26 12:30:54
Restore point made on: 2013-09-06 04:30:51

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 5885.12 MB
Available physical RAM: 5167.61 MB
Total Pagefile: 5883.27 MB
Available Pagefile: 5160.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (WIN7) (Fixed) (Total:372.61 GB) (Free:311.36 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:550.9 GB) (Free:292.84 GB) NTFS
Drive e: (ASUS DeskTop PC RDVD) (CDROM) (Total:3.42 GB) (Free:0 GB) CDFS
Drive f: (DRIVEKEY II) (Fixed) (Total:0.48 GB) (Free:0.29 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 932 GB) (Disk ID: 79E1CD5E)
Partition 1: (Not Active) - (Size=8 GB) - (Type=1B)
Partition 2: (Active) - (Size=373 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=551 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 489 MB) (Disk ID: CB90D973)
Partition 1: (Not Active) - (Size=489 MB) - (Type=01)

LastRegBack: 2013-09-06 05:20

==================== End Of Log ============================

[MrCharlie]

Please use the default font when posting logs...Thank You

--------------------

 

You are badly infected!!

Please read the following information first.
 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........run MBAR
If not...rescan with FRST and post the new log

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note: YOU MUST RUN THIS!!!!!!<---------------------------------
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall
If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.


MrC

[NotHelpDesk]

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-09-2013
Ran by SYSTEM at 2013-09-06 12:32:12 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKU\Schaub\...\Winlogon: [shell] explorer.exe,C:\Users\Schaub\AppData\Roaming\cache.dat [85504 2013-07-08] ()
C:\$Recycle.Bin\S-1-5-21-1494064449-4088994902-3394997980-1000\$50854cd7a391e12e52c45b5f0efcb4f5
C:\$Recycle.Bin\S-1-5-18\$50854cd7a391e12e52c45b5f0efcb4f5
C:\Program Files (x86)\Google\Desktop\Install\{50854cd7-a391-e12e-52c4-5b5f0efcb4f5}
C:\Windows\svchost.exe
C:\Users\Schaub\6270217.exe
C:\Users\Schaub\azrqoynbzhizmejxpfdcrxth.exe
C:\Users\Schaub\AppData\Roaming\cache.dat
C:\Users\Schaub\AppData\Roaming\cache.ini

*****************

HKU\Schaub\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\$Recycle.Bin\S-1-5-21-1494064449-4088994902-3394997980-1000\$50854cd7a391e12e52c45b5f0efcb4f5 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$50854cd7a391e12e52c45b5f0efcb4f5 => Moved successfully.
C:\Program Files (x86)\Google\Desktop\Install\{50854cd7-a391-e12e-52c4-5b5f0efcb4f5} => Moved successfully.
C:\Windows\svchost.exe => Moved successfully.
C:\Users\Schaub\6270217.exe => Moved successfully.
C:\Users\Schaub\azrqoynbzhizmejxpfdcrxth.exe => Moved successfully.
C:\Users\Schaub\AppData\Roaming\cache.dat => Moved successfully.
C:\Users\Schaub\AppData\Roaming\cache.ini => Moved successfully.

==== End of Fixlog ====

[MrCharlie]

Did it boot normally??  MrC

[NotHelpDesk]

It did!  And I am now running the MBAR utility.  So far it has found one piece of Malware.  C:\windows\temp\483010.exe [Trojan.Agent.ED]

[MrCharlie]

OK, make sure you run the fixdamage tool .....MrC

[NotHelpDesk]

I am in the process of cleaning up the Internet Cache on this computer and the temporary files folder too.   I will then re-run the MBAR utility again and then the fixdamage tool.  So far it seems to be working as expected.  I will need to stop in 2 more hours and will have to get back on this first thing Monday morning.

 

Thank you VERY MUCH for your assistance with this problem!!! 

[MrCharlie]

Not a problem for me...MrC

[NotHelpDesk]

Good Morning MrC!  I am happy to report that the MBAR utility did not find any additional malware.  I then ran the fixdamage.exe program and rebooted.  Things appear to be back to normal.  Thank you very much for your assistance with this issue.

[MrCharlie]

So you're OK now??

 

MrC

[NotHelpDesk]

Yes.  The computer is back in working order.  Thank you.

[MrCharlie]

OK......

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[LDTate]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.