More Users infected by trojan/malware (cryptolocker)

Got the first user done, now on to the next.

I ran FBAR since the DDS won't run on it.

I then ran Rogue Killer.

I then ran MBAR Recovery --- cleared out 17 malware.

Rogue Killer showed the same viruses that the other user had: ZeroAccess.

It cleaned those but they are still showing. Here are my logs, let's get dirty!!!!


 Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-09-2013 02

Ran by Steve (administrator) on EWPC34 on 01-10-2013 17:37:49
Running from F:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(CrypKey (Canada) Ltd.) C:\Windows\system32\crypserv.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dropbox, Inc.) C:\Users\steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
() C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_168_ActiveX.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [qiaapa] - C:\Users\steve\qiaapa.exe /x
HKCU\...\Run: [pebqoxxetxuz] - C:\Users\steve\pebqoxxetxuz.exe
HKCU\...\Run: [Regedit32] - C:\Windows\system32\regedit.exe
HKCU\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_168_ActiveX.exe -update activex [815496 2013-09-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [McAfeeUpdaterUI] - C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [333376 2011-11-15] (McAfee, Inc.)
HKLM-x32\...\Run: [shStatEXE] - C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE [215656 2012-08-14] (McAfee, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
Startup: C:\Users\steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\steve\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {70906543-5DF0-4755-BD44-1AEEB3D11800} URL = http://www.bing.com/search?q={searchTerms}&form=DLSDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - DefaultScope {70906543-5DF0-4755-BD44-1AEEB3D11800} URL = http://www.bing.com/search?q={searchTerms}&form=DLSDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - DefaultScope {70906543-5DF0-4755-BD44-1AEEB3D11800} URL = 
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130815165912.dll (McAfee, Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130815165912.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.11
Tcpip\..\Interfaces\{7CA5C1B3-33F2-4338-91F8-0A5E53932B1F}: [NameServer]192.168.1.11
 
==================== Services (Whitelisted) =================
 
R2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [132672 2011-11-15] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [202376 2012-09-25] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [210056 2012-08-14] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [170440 2012-09-25] (McAfee, Inc.)
R2 Crypkey License; crypserv.exe [x]
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\   \...\???\{a1ce90b9-ce6e-68cc-984c-2ff0f48cb27a}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [169192 2012-09-25] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [282736 2012-09-25] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [673624 2012-09-25] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [101200 2012-09-25] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [305280 2012-09-25] (McAfee, Inc.)
R1 NetworkX; C:\Windows\system32\ckldrv.sys [28664 2008-03-17] ()
S3 efavdrv; \??\C:\Windows\system32\drivers\efavdrv.sys [x]
U3 mfeavfk01; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-01 17:37 - 2013-10-01 17:37 - 00000000 ____D C:\FRST
2013-09-24 10:34 - 2013-09-24 10:34 - 00007727 _____ C:\Users\steve\Desktop\RKreport[0]_S_09242013_103422steve.txt
2013-09-24 10:33 - 2013-09-24 10:35 - 00000000 ____D C:\Users\steve\Desktop\RK_Quarantine
2013-09-24 10:17 - 2013-09-24 10:28 - 00001668 _____ C:\Users\steve\Desktop\Antivirus Security Pro.lnk
2013-09-24 10:17 - 2013-09-24 10:28 - 00000118 _____ C:\Users\steve\Desktop\Antivirus Security Pro support.url
2013-09-24 10:17 - 2013-09-24 10:17 - 00000000 ____D C:\Users\steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-09-24 07:23 - 2013-09-29 05:03 - 00000000 ____D C:\ProgramData\ph373g33
2013-09-13 12:23 - 2013-09-13 12:23 - 00003029 _____ C:\Users\steve\Desktop\Microsoft Outlook 2010.lnk
2013-09-13 12:17 - 2013-09-13 12:17 - 00000128 _____ C:\CKINFO.TXT
2013-09-13 12:17 - 2013-09-13 12:17 - 00000004 _____ C:\Windows\vx86036.dat
2013-09-13 12:17 - 2013-09-13 12:17 - 00000000 ____D C:\ProgramData\CrypKey
2013-09-13 12:16 - 2013-09-24 10:27 - 00001401 _____ C:\Windows\errord.log
2013-09-13 12:16 - 2013-09-24 10:27 - 00000248 _____ C:\Windows\error.log
2013-09-13 12:16 - 2013-09-13 12:17 - 00001680 _____ C:\Windows\system32\esnecil.ind
2013-09-13 12:16 - 2013-09-13 12:17 - 00000000 ____D C:\Program Files\Stellar Phoenix Outlook PST Repair
2013-09-13 12:16 - 2013-09-13 12:16 - 00000068 _____ C:\Windows\Crypkey.ini
2013-09-13 12:16 - 2008-05-07 16:29 - 00122880 _____ (CrypKey (Canada) Ltd.) C:\Windows\system32\Crypserv.exe
2013-09-13 12:16 - 2008-03-17 10:12 - 00028664 _____ C:\Windows\system32\Ckldrv.sys
2013-09-13 12:16 - 1999-06-18 13:49 - 00165888 _____ (Kenonic Controls) C:\Windows\Ckconfig.exe
2013-09-13 12:16 - 1996-05-03 09:21 - 00027648 ____R C:\Windows\Setup_ck.exe
2013-09-13 12:16 - 1996-05-03 07:36 - 00018432 _____ C:\Windows\Setup_ck.dll
2013-09-13 12:16 - 1995-07-04 10:33 - 00011776 _____ C:\Windows\Ckrfresh.exe
2013-09-13 12:08 - 2013-09-13 12:08 - 00000000 ____D C:\Windows\PCHEALTH
2013-09-13 12:05 - 2013-09-13 12:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2013-09-13 12:05 - 2013-09-13 12:05 - 00000000 __RHD C:\MSOCache
2013-09-13 12:05 - 2013-09-13 12:05 - 00000000 ____D C:\Program Files\Microsoft Office
2013-09-13 12:05 - 2013-09-13 12:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2013-09-13 11:39 - 2013-09-13 11:39 - 00001415 _____ C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-09-13 11:39 - 2013-09-13 11:39 - 00000000 ____D C:\Users\chris\AppData\Roaming\Roxio
2013-09-13 11:39 - 2013-09-13 11:39 - 00000000 ____D C:\Users\chris\AppData\Roaming\McAfee
2013-09-13 11:38 - 2013-09-13 11:39 - 00001449 _____ C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-09-13 11:38 - 2013-09-13 11:39 - 00000000 ___RD C:\Users\chris\Virtual Machines
2013-09-13 11:38 - 2013-09-13 11:39 - 00000000 ___RD C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-13 11:38 - 2013-09-13 11:39 - 00000000 ___RD C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-13 11:38 - 2013-09-13 11:38 - 00000020 ___SH C:\Users\chris\ntuser.ini
2013-09-13 11:38 - 2013-09-13 11:38 - 00000000 ____D C:\Users\chris\AppData\Local\VirtualStore
2013-09-13 11:38 - 2013-09-13 11:38 - 00000000 ____D C:\Users\chris
2013-09-13 11:38 - 2013-08-15 14:59 - 00000000 ____D C:\Users\chris\AppData\Local\Microsoft Help
2013-09-13 11:38 - 2013-08-15 11:01 - 00000000 ____D C:\Users\chris\AppData\Local\SoftThinks
2013-09-13 11:38 - 2009-07-13 21:54 - 00000000 ___RD C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-13 11:38 - 2009-07-13 21:49 - 00000000 ___RD C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-09-13 11:14 - 2013-09-13 11:14 - 00000000 ____D C:\Users\steve\AppData\Local\Microsoft Help
2013-09-13 10:21 - 2013-09-13 10:21 - 00000000 ____D C:\Program Files (x86)\Google
2013-09-13 07:56 - 2013-09-29 05:21 - 00000000 ____D C:\QUARANTINE
2013-09-13 07:56 - 2013-09-13 07:56 - 00000000 ____D C:\Users\steve\AppData\Local\Google
2013-09-12 16:49 - 2013-09-12 16:49 - 00000000 ____D C:\ProgramData\ESET
2013-09-12 14:58 - 2013-09-12 14:58 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Roaming\Macromedia
2013-09-12 14:58 - 2013-09-12 14:58 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Roaming\Adobe
2013-09-12 14:49 - 2013-09-13 11:30 - 00101360 _____ C:\Users\Administrator.EWPC32.000\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-12 14:48 - 2013-09-12 14:48 - 00001445 _____ C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-09-12 14:48 - 2013-09-12 14:48 - 00001411 _____ C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-09-12 14:48 - 2013-09-12 14:48 - 00000020 ___SH C:\Users\Administrator.EWPC32.000\ntuser.ini
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ___RD C:\Users\Administrator.EWPC32.000\Virtual Machines
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ___RD C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ___RD C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Roaming\Roxio
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Roaming\McAfee
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ____D C:\Users\Administrator.EWPC32.000
2013-09-12 14:48 - 2013-08-15 14:59 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Local\Microsoft Help
2013-09-12 14:48 - 2013-08-15 11:01 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Local\SoftThinks
2013-09-12 14:48 - 2009-07-13 21:54 - 00000000 ___RD C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-12 14:48 - 2009-07-13 21:49 - 00000000 ___RD C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-09-12 13:15 - 2013-07-31 07:17 - 17833472 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-12 13:15 - 2013-07-31 06:42 - 10926080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-12 13:15 - 2013-07-31 06:29 - 02312704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-12 13:15 - 2013-07-31 06:20 - 01346560 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-12 13:15 - 2013-07-31 06:19 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-12 13:15 - 2013-07-31 06:18 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-09-12 13:15 - 2013-07-31 06:17 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-09-12 13:15 - 2013-07-31 06:16 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-12 13:15 - 2013-07-31 06:14 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-09-12 13:15 - 2013-07-31 06:13 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-12 13:15 - 2013-07-31 06:13 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-09-12 13:15 - 2013-07-31 06:11 - 02147840 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-12 13:15 - 2013-07-31 06:11 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-12 13:15 - 2013-07-31 06:09 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-09-12 13:15 - 2013-07-31 06:08 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-12 13:15 - 2013-07-31 06:05 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-12 13:15 - 2013-07-31 03:30 - 12335104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-12 13:15 - 2013-07-31 03:05 - 09738752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-12 13:15 - 2013-07-31 03:00 - 01800704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-12 13:15 - 2013-07-31 02:53 - 01104896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-12 13:15 - 2013-07-31 02:52 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-09-12 13:15 - 2013-07-31 02:52 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-12 13:15 - 2013-07-31 02:51 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-09-12 13:15 - 2013-07-31 02:49 - 00065024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-12 13:15 - 2013-07-31 02:48 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-12 13:15 - 2013-07-31 02:48 - 00420864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-09-12 13:15 - 2013-07-31 02:48 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-09-12 13:15 - 2013-07-31 02:47 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-12 13:15 - 2013-07-31 02:46 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-12 13:15 - 2013-07-31 02:45 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-12 13:15 - 2013-07-31 02:45 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-09-12 13:15 - 2013-07-31 02:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-12 12:12 - 2013-08-07 18:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-09-12 12:12 - 2013-08-04 19:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ataport.sys
2013-09-12 12:12 - 2013-08-01 19:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-09-12 12:12 - 2013-08-01 19:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-09-12 12:12 - 2013-08-01 19:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2013-09-12 12:12 - 2013-08-01 19:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-09-12 12:12 - 2013-08-01 19:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2013-09-12 12:12 - 2013-08-01 19:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2013-09-12 12:12 - 2013-08-01 19:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2013-09-12 12:12 - 2013-08-01 19:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-09-12 12:12 - 2013-08-01 19:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-09-12 12:12 - 2013-08-01 18:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-09-12 12:12 - 2013-08-01 18:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-09-12 12:12 - 2013-08-01 18:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-09-12 12:12 - 2013-08-01 18:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-09-12 12:12 - 2013-08-01 18:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 18:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2013-09-12 12:12 - 2013-08-01 17:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2013-09-12 12:12 - 2013-08-01 17:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-09-12 12:12 - 2013-08-01 17:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-09-12 12:12 - 2013-08-01 17:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-09-12 12:12 - 2013-08-01 17:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-09-12 12:12 - 2013-08-01 17:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 17:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 17:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-09-12 12:12 - 2013-08-01 17:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-09-12 12:11 - 2013-07-25 19:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2013-09-12 12:11 - 2013-07-25 19:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll
2013-09-12 12:11 - 2013-07-25 18:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-09-12 12:11 - 2013-07-25 18:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-09-12 11:00 - 2013-09-12 12:45 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-12 11:00 - 2013-09-12 11:00 - 00000000 ____D C:\Users\steve\AppData\Roaming\Malwarebytes
2013-09-12 11:00 - 2013-09-12 11:00 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-12 10:56 - 2013-09-12 10:56 - 00353044 _____ C:\Users\steve\Desktop\ListCrilock.txt
2013-09-11 15:26 - 2013-09-11 15:26 - 00103392 _____ C:\Users\Administrator.EWPC32\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-11 15:22 - 2013-09-12 12:45 - 00000000 ___RD C:\Users\Administrator.EWPC32\Virtual Machines
2013-09-11 15:22 - 2013-09-12 12:45 - 00000000 ___RD C:\Users\Administrator.EWPC32\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-11 15:22 - 2013-09-12 12:45 - 00000000 ___RD C:\Users\Administrator.EWPC32\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-09-11 15:22 - 2013-09-12 12:45 - 00000000 ___RD C:\Users\Administrator.EWPC32\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-11 15:22 - 2013-09-12 12:45 - 00000000 ___RD C:\Users\Administrator.EWPC32\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-11 15:22 - 2013-09-12 12:45 - 00000000 ____D C:\Users\Administrator.EWPC32
2013-09-11 15:22 - 2013-09-11 15:22 - 00000000 ____D C:\Users\Administrator.EWPC32\AppData\Roaming\Roxio
2013-09-11 15:22 - 2013-09-11 15:22 - 00000000 ____D C:\Users\Administrator.EWPC32\AppData\Roaming\McAfee
2013-09-11 15:22 - 2013-08-15 14:59 - 00000000 ____D C:\Users\Administrator.EWPC32\AppData\Local\Microsoft Help
2013-09-11 15:22 - 2013-08-15 11:01 - 00000000 ____D C:\Users\Administrator.EWPC32\AppData\Local\SoftThinks
 
==================== One Month Modified Files and Folders =======
 
2013-10-01 17:37 - 2013-10-01 17:37 - 00000000 ____D C:\FRST
2013-10-01 17:33 - 2013-08-15 15:24 - 00000000 ____D C:\Users\steve\Documents\Outlook Files
2013-10-01 17:16 - 2013-08-15 13:30 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
2013-09-29 13:32 - 2012-07-24 23:20 - 01470553 _____ C:\Windows\WindowsUpdate.log
2013-09-29 05:21 - 2013-09-13 07:56 - 00000000 ____D C:\QUARANTINE
2013-09-29 05:03 - 2013-09-24 07:23 - 00000000 ____D C:\ProgramData\ph373g33
2013-09-26 20:41 - 2009-07-13 21:45 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-26 20:41 - 2009-07-13 21:45 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-26 17:35 - 2013-08-15 14:08 - 00000000 ___RD C:\Users\steve\Dropbox
2013-09-26 17:35 - 2013-08-15 14:06 - 00000000 ____D C:\Users\steve\AppData\Roaming\Dropbox
2013-09-26 10:17 - 2013-08-15 14:01 - 00000000 ____D C:\Users\steve
2013-09-24 10:35 - 2013-09-24 10:33 - 00000000 ____D C:\Users\steve\Desktop\RK_Quarantine
2013-09-24 10:34 - 2013-09-24 10:34 - 00007727 _____ C:\Users\steve\Desktop\RKreport[0]_S_09242013_103422steve.txt
2013-09-24 10:33 - 2009-07-13 22:13 - 00793528 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-24 10:28 - 2013-09-24 10:17 - 00001668 _____ C:\Users\steve\Desktop\Antivirus Security Pro.lnk
2013-09-24 10:28 - 2013-09-24 10:17 - 00000118 _____ C:\Users\steve\Desktop\Antivirus Security Pro support.url
2013-09-24 10:28 - 2013-08-20 04:23 - 00000000 ____D C:\Users\steve\AppData\Roaming\Eshey
2013-09-24 10:27 - 2013-09-13 12:16 - 00001401 _____ C:\Windows\errord.log
2013-09-24 10:27 - 2013-09-13 12:16 - 00000248 _____ C:\Windows\error.log
2013-09-24 10:27 - 2010-11-20 20:47 - 00095358 _____ C:\Windows\PFRO.log
2013-09-24 10:27 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-24 10:27 - 2009-07-13 21:51 - 00032015 _____ C:\Windows\setupact.log
2013-09-24 10:27 - 2009-07-13 21:45 - 00461544 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-24 10:17 - 2013-09-24 10:17 - 00000000 ____D C:\Users\steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-09-19 03:04 - 2013-08-15 11:34 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-19 03:01 - 2009-07-13 19:34 - 00000478 _____ C:\Windows\win.ini
2013-09-13 13:36 - 2013-08-15 14:07 - 00126136 _____ C:\Users\steve\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-13 12:23 - 2013-09-13 12:23 - 00003029 _____ C:\Users\steve\Desktop\Microsoft Outlook 2010.lnk
2013-09-13 12:17 - 2013-09-13 12:17 - 00000128 _____ C:\CKINFO.TXT
2013-09-13 12:17 - 2013-09-13 12:17 - 00000004 _____ C:\Windows\vx86036.dat
2013-09-13 12:17 - 2013-09-13 12:17 - 00000000 ____D C:\ProgramData\CrypKey
2013-09-13 12:17 - 2013-09-13 12:16 - 00001680 _____ C:\Windows\system32\esnecil.ind
2013-09-13 12:17 - 2013-09-13 12:16 - 00000000 ____D C:\Program Files\Stellar Phoenix Outlook PST Repair
2013-09-13 12:16 - 2013-09-13 12:16 - 00000068 _____ C:\Windows\Crypkey.ini
2013-09-13 12:08 - 2013-09-13 12:08 - 00000000 ____D C:\Windows\PCHEALTH
2013-09-13 12:08 - 2013-09-13 12:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2013-09-13 12:08 - 2010-11-21 00:17 - 00000000 ____D C:\Windows\ShellNew
2013-09-13 12:07 - 2009-07-13 20:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-09-13 12:05 - 2013-09-13 12:05 - 00000000 __RHD C:\MSOCache
2013-09-13 12:05 - 2013-09-13 12:05 - 00000000 ____D C:\Program Files\Microsoft Office
2013-09-13 12:05 - 2013-09-13 12:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2013-09-13 11:39 - 2013-09-13 11:39 - 00001415 _____ C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-09-13 11:39 - 2013-09-13 11:39 - 00000000 ____D C:\Users\chris\AppData\Roaming\Roxio
2013-09-13 11:39 - 2013-09-13 11:39 - 00000000 ____D C:\Users\chris\AppData\Roaming\McAfee
2013-09-13 11:39 - 2013-09-13 11:38 - 00001449 _____ C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-09-13 11:39 - 2013-09-13 11:38 - 00000000 ___RD C:\Users\chris\Virtual Machines
2013-09-13 11:39 - 2013-09-13 11:38 - 00000000 ___RD C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-13 11:39 - 2013-09-13 11:38 - 00000000 ___RD C:\Users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-13 11:38 - 2013-09-13 11:38 - 00000020 ___SH C:\Users\chris\ntuser.ini
2013-09-13 11:38 - 2013-09-13 11:38 - 00000000 ____D C:\Users\chris\AppData\Local\VirtualStore
2013-09-13 11:38 - 2013-09-13 11:38 - 00000000 ____D C:\Users\chris
2013-09-13 11:38 - 2013-08-15 13:32 - 00002842 __RSH C:\ProgramData\ntuser.pol
2013-09-13 11:30 - 2013-09-12 14:49 - 00101360 _____ C:\Users\Administrator.EWPC32.000\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-13 11:14 - 2013-09-13 11:14 - 00000000 ____D C:\Users\steve\AppData\Local\Microsoft Help
2013-09-13 10:21 - 2013-09-13 10:21 - 00000000 ____D C:\Program Files (x86)\Google
2013-09-13 07:56 - 2013-09-13 07:56 - 00000000 ____D C:\Users\steve\AppData\Local\Google
2013-09-12 16:54 - 2012-07-24 21:26 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-12 16:54 - 2012-07-24 21:26 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-12 16:53 - 2013-08-15 14:01 - 00000000 ___RD C:\Users\steve\Virtual Machines
2013-09-12 16:53 - 2013-08-15 14:01 - 00000000 ___RD C:\Users\steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-12 16:53 - 2013-08-15 14:01 - 00000000 ___RD C:\Users\steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-12 16:49 - 2013-09-12 16:49 - 00000000 ____D C:\ProgramData\ESET
2013-09-12 14:58 - 2013-09-12 14:58 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Roaming\Macromedia
2013-09-12 14:58 - 2013-09-12 14:58 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Roaming\Adobe
2013-09-12 14:48 - 2013-09-12 14:48 - 00001445 _____ C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-09-12 14:48 - 2013-09-12 14:48 - 00001411 _____ C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-09-12 14:48 - 2013-09-12 14:48 - 00000020 ___SH C:\Users\Administrator.EWPC32.000\ntuser.ini
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ___RD C:\Users\Administrator.EWPC32.000\Virtual Machines
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ___RD C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ___RD C:\Users\Administrator.EWPC32.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Roaming\Roxio
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ____D C:\Users\Administrator.EWPC32.000\AppData\Roaming\McAfee
2013-09-12 14:48 - 2013-09-12 14:48 - 00000000 ____D C:\Users\Administrator.EWPC32.000
2013-09-12 13:59 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2013-09-12 13:18 - 2013-08-15 12:27 - 00000000 ____D C:\Windows\system32\MRT
2013-09-12 13:00 - 2013-08-19 09:36 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2013-09-12 13:00 - 2013-08-15 13:57 - 00000000 ____D C:\Users\Administrator
2013-09-12 13:00 - 2013-08-15 11:01 - 00000000 ____D C:\Users\usr
2013-09-12 13:00 - 2012-07-24 21:26 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2013-09-12 13:00 - 2012-07-24 21:26 - 00000000 ____D C:\Windows\system32\Macromed
2013-09-12 13:00 - 2009-07-13 20:20 - 00000000 __RSD C:\Windows\Media
2013-09-12 13:00 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\security
2013-09-12 13:00 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\registration
2013-09-12 13:00 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\AppCompat
2013-09-12 12:45 - 2013-09-12 11:00 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-12 12:45 - 2013-09-11 15:22 - 00000000 ___RD C:\Users\Administrator.EWPC32\Virtual Machines
2013-09-12 12:45 - 2013-09-11 15:22 - 00000000 ___RD C:\Users\Administrator.EWPC32\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-12 12:45 - 2013-09-11 15:22 - 00000000 ___RD C:\Users\Administrator.EWPC32\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-09-12 12:45 - 2013-09-11 15:22 - 00000000 ___RD C:\Users\Administrator.EWPC32\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-12 12:45 - 2013-09-11 15:22 - 00000000 ___RD C:\Users\Administrator.EWPC32\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-12 12:45 - 2013-09-11 15:22 - 00000000 ____D C:\Users\Administrator.EWPC32
2013-09-12 11:00 - 2013-09-12 11:00 - 00000000 ____D C:\Users\steve\AppData\Roaming\Malwarebytes
2013-09-12 11:00 - 2013-09-12 11:00 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-12 10:56 - 2013-09-12 10:56 - 00353044 _____ C:\Users\steve\Desktop\ListCrilock.txt
2013-09-11 15:26 - 2013-09-11 15:26 - 00103392 _____ C:\Users\Administrator.EWPC32\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-11 15:22 - 2013-09-11 15:22 - 00000000 ____D C:\Users\Administrator.EWPC32\AppData\Roaming\Roxio
2013-09-11 15:22 - 2013-09-11 15:22 - 00000000 ____D C:\Users\Administrator.EWPC32\AppData\Roaming\McAfee
2013-09-10 11:42 - 2013-08-15 14:03 - 00000000 ____D C:\Users\steve\AppData\Roaming\Macromedia
2013-09-01 17:08 - 2013-08-15 12:27 - 79143768 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
Files to move or delete:
====================
ZeroAccess:
C:\Users\steve\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
 
 
Some content of TEMP:
====================
C:\Users\steve\AppData\Local\Temp\InstallFlashPlayer.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
 
LastRegBack: 2013-10-01 00:54
 
==================== End Of Log ============================