Another Win64:Siref Infection

FRST

Download Farbar Recovery Scan Tool64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Here is FRST.txt:

Scan result of Farbar Recovery Scan Tool Version: 22-08-2012 02
Ran by SYSTEM at 22-08-2012 18:20:13
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-05-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe [656920 2011-02-01] (PDF Complete Inc)
HKLM-x32\...\Run: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-23] (CANON INC.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Gaines2\...\Run: [mstnr] rundll32.exe "C:\Users\Gaines2\AppData\Roaming\mstnr.dll",HrFindInetTimeZone [x]
HKU\Gaines2\...\Run: [Cosmi] rundll32.exe C:\Users\Gaines2\AppData\Local\Cosmi\poliexrp.dll,GetImporterInterface [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ======

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)

========================== Drivers (Whitelisted) =============

3 catchme; \??\C:\ComboFix\catchme.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-21 16:57 - 2012-08-21 16:57 - 00003868 ____A C:\Users\Brad2\Desktop\08212012_195451.log
2012-08-20 16:03 - 2012-08-20 16:03 - 00051622 ____A C:\Users\Brad2\Desktop\OTL8-20-12.Txt
2012-08-20 15:49 - 2012-08-21 16:56 - 00000112 ____A C:\Windows\setupact.log
2012-08-20 15:49 - 2012-08-20 15:49 - 00000000 ____A C:\Windows\setuperr.log
2012-08-20 15:34 - 2012-08-20 15:34 - 00000000 ____D C:\Users\Brad2\AppData\Roaming\CyberLink
2012-08-20 15:33 - 2012-08-20 15:34 - 06118990 ____A (LIGHTNING UK!) C:\Users\Brad2\Desktop\SetupImgBurn_2.5.7.0.exe
2012-08-20 15:31 - 2012-08-20 15:31 - 198965248 ____A C:\Users\Brad2\Desktop\drweb-livecd-600.iso
2012-08-15 15:39 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 15:39 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 15:39 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 15:39 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 15:39 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 15:39 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-15 15:39 - 2012-06-26 23:06 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 15:39 - 2012-06-26 23:06 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 15:39 - 2012-06-26 23:06 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 15:39 - 2012-06-26 23:03 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 15:39 - 2012-06-26 23:03 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-15 15:39 - 2012-06-26 23:03 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 15:39 - 2012-06-26 23:02 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 15:39 - 2012-06-26 23:02 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 15:39 - 2012-06-26 23:02 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 15:39 - 2012-06-26 23:02 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 15:39 - 2012-06-26 21:53 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-15 15:39 - 2012-06-26 21:53 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-15 15:39 - 2012-06-26 21:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-15 15:39 - 2012-06-26 21:51 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-15 15:39 - 2012-06-26 21:51 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-15 15:39 - 2012-06-26 21:51 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-15 15:39 - 2012-06-26 21:50 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-15 15:39 - 2012-06-26 21:50 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-15 15:39 - 2012-06-26 21:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 15:39 - 2012-06-26 21:50 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-15 15:39 - 2012-06-26 20:53 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 15:39 - 2012-06-26 20:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-15 15:39 - 2012-06-15 21:16 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-15 15:39 - 2012-06-15 21:15 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 15:39 - 2012-06-15 20:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 15:39 - 2012-06-15 20:26 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-15 15:39 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-15 15:39 - 2012-05-05 00:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-15 15:39 - 2012-05-04 23:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-15 15:39 - 2012-02-10 22:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-15 15:39 - 2012-02-10 22:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-15 15:39 - 2012-02-10 22:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-15 15:39 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-08-14 15:46 - 2012-08-14 15:46 - 00048078 ____A C:\Users\Brad2\Desktop\OTL8-14-12.Txt
2012-08-14 15:36 - 2012-08-14 15:36 - 00013516 ____A C:\Users\Brad2\Desktop\OTL 08142012_183053.txt
2012-08-14 15:30 - 2012-08-14 15:30 - 00000000 ____D C:\_OTL
2012-08-14 11:32 - 2012-08-14 11:32 - 09232584 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-13 14:30 - 2012-08-13 14:30 - 00083738 ____A C:\Users\Brad2\Desktop\Extras.Txt
2012-08-13 14:28 - 2012-08-21 17:03 - 00049074 ____A C:\Users\Brad2\Desktop\OTL.Txt
2012-08-13 14:22 - 2012-08-13 14:22 - 00596992 ____A (OldTimer Tools) C:\Users\Brad2\Desktop\OTL.exe
2012-08-12 17:44 - 2012-08-12 17:44 - 00000706 ____A C:\Users\Brad2\Desktop\SystemLook.txt
2012-08-12 17:43 - 2012-08-12 17:43 - 00165376 ____A C:\Users\Brad2\Desktop\SystemLook_x64.exe
2012-08-12 14:32 - 2012-08-12 14:32 - 00001016 ____A C:\Users\Brad2\Desktop\checkup.txt
2012-08-12 14:28 - 2012-08-12 14:28 - 00881494 ____A C:\Users\Brad2\Desktop\SecurityCheck.exe
2012-08-11 09:16 - 2012-08-11 09:16 - 00000094 ____A C:\Users\Brad2\Desktop\ESET8-11-12.txt
2012-08-10 19:06 - 2012-08-10 19:06 - 00000000 ____D C:\FRST
2012-08-09 16:56 - 2012-08-09 16:56 - 00000200 ____A C:\Users\Brad2\Desktop\Eset.txt
2012-08-09 14:37 - 2012-08-09 14:37 - 00000000 ____D C:\Program Files (x86)\ESET
2012-08-08 16:40 - 2012-08-08 16:40 - 00014807 ____A C:\ComboFix.txt
2012-08-08 16:28 - 2012-08-08 16:40 - 00000000 ____D C:\Qoobox
2012-08-08 16:28 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-08 16:28 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-08 16:28 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-08 16:28 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-08 16:28 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-08 16:28 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-08 16:28 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-08 16:28 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-08 16:27 - 2012-08-08 16:27 - 04727110 ____R (Swearware) C:\Users\Brad2\Desktop\ComboFix.exe
2012-08-07 14:26 - 2012-08-07 14:26 - 00001726 ____A C:\Users\Brad2\Desktop\aswMBR.txt
2012-08-07 14:22 - 2012-08-07 14:26 - 00000512 ____A C:\Users\Brad2\Desktop\MBR.dat
2012-08-07 14:21 - 2012-08-07 14:21 - 04731392 ____A (AVAST Software) C:\Users\Brad2\Desktop\aswMBR.exe
2012-08-02 07:45 - 2012-08-02 07:45 - 00000000 ____D C:\Program Files (x86)\Oracle
2012-08-02 07:44 - 2012-08-02 07:44 - 00227824 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-08-02 07:44 - 2012-08-02 07:44 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-08-02 07:44 - 2012-08-02 07:44 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-08-02 07:44 - 2012-07-05 19:06 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-08-02 07:43 - 2012-08-02 07:43 - 00000000 ____D C:\Users\All Users\McAfee
2012-08-02 07:37 - 2012-05-04 03:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-08-02 07:37 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-08-02 06:00 - 2012-08-02 06:00 - 00003533 ____A C:\Users\Brad2\Desktop\Attach.zip
2012-08-02 05:59 - 2012-08-02 05:59 - 00010548 ____A C:\Users\Brad2\Desktop\Attach.txt
2012-08-02 05:55 - 2012-08-02 05:55 - 00607260 ____R (Swearware) C:\Users\Brad2\Desktop\dds.scr
2012-08-01 15:06 - 2012-08-11 08:50 - 00000000 ____D C:\Users\Gaines2\AppData\Local\Cosmi
2012-07-31 18:42 - 2012-07-31 18:42 - 00185344 ____A C:\Users\Gaines2\Desktop\Week 8 - ARM 55 2010 final class.ppt


============ 3 Months Modified Files ========================

2012-08-22 15:16 - 2011-08-06 23:05 - 01227144 ____A C:\Windows\WindowsUpdate.log
2012-08-22 15:15 - 2009-07-13 21:13 - 00783160 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-22 15:12 - 2012-06-19 04:59 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-21 17:03 - 2012-08-21 17:03 - 00049074 ____A C:\Users\Brad2\Desktop\08-21-12OTL.Txt
2012-08-21 17:03 - 2012-08-13 14:28 - 00049074 ____A C:\Users\Brad2\Desktop\OTL.Txt
2012-08-21 17:03 - 2009-07-13 20:45 - 00024608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-21 17:03 - 2009-07-13 20:45 - 00024608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-21 16:57 - 2012-08-21 16:57 - 00003868 ____A C:\Users\Brad2\Desktop\08212012_195451.log
2012-08-21 16:56 - 2012-08-20 15:49 - 00000112 ____A C:\Windows\setupact.log
2012-08-21 16:56 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-20 16:03 - 2012-08-20 16:03 - 00051622 ____A C:\Users\Brad2\Desktop\OTL8-20-12.Txt
2012-08-20 15:49 - 2012-08-20 15:49 - 00000000 ____A C:\Windows\setuperr.log
2012-08-20 15:34 - 2012-08-20 15:33 - 06118990 ____A (LIGHTNING UK!) C:\Users\Brad2\Desktop\SetupImgBurn_2.5.7.0.exe
2012-08-20 15:31 - 2012-08-20 15:31 - 198965248 ____A C:\Users\Brad2\Desktop\drweb-livecd-600.iso
2012-08-16 00:23 - 2009-07-13 20:45 - 00416472 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 00:00 - 2011-08-07 11:34 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-14 15:46 - 2012-08-14 15:46 - 00048078 ____A C:\Users\Brad2\Desktop\OTL8-14-12.Txt
2012-08-14 15:36 - 2012-08-14 15:36 - 00013516 ____A C:\Users\Brad2\Desktop\OTL 08142012_183053.txt
2012-08-14 11:32 - 2012-08-14 11:32 - 09232584 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-14 11:32 - 2012-03-31 17:25 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-14 11:32 - 2011-08-15 05:40 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-13 14:30 - 2012-08-13 14:30 - 00083738 ____A C:\Users\Brad2\Desktop\Extras.Txt
2012-08-13 14:22 - 2012-08-13 14:22 - 00596992 ____A (OldTimer Tools) C:\Users\Brad2\Desktop\OTL.exe
2012-08-12 17:44 - 2012-08-12 17:44 - 00000706 ____A C:\Users\Brad2\Desktop\SystemLook.txt
2012-08-12 17:43 - 2012-08-12 17:43 - 00165376 ____A C:\Users\Brad2\Desktop\SystemLook_x64.exe
2012-08-12 14:32 - 2012-08-12 14:32 - 00001016 ____A C:\Users\Brad2\Desktop\checkup.txt
2012-08-12 14:28 - 2012-08-12 14:28 - 00881494 ____A C:\Users\Brad2\Desktop\SecurityCheck.exe
2012-08-11 09:16 - 2012-08-11 09:16 - 00000094 ____A C:\Users\Brad2\Desktop\ESET8-11-12.txt
2012-08-09 16:56 - 2012-08-09 16:56 - 00000200 ____A C:\Users\Brad2\Desktop\Eset.txt
2012-08-09 15:15 - 2012-04-16 15:15 - 00000332 ____A C:\Windows\Tasks\HPCeeScheduleForBrad2.job
2012-08-08 16:40 - 2012-08-08 16:40 - 00014807 ____A C:\ComboFix.txt
2012-08-08 16:36 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-08-08 16:27 - 2012-08-08 16:27 - 04727110 ____R (Swearware) C:\Users\Brad2\Desktop\ComboFix.exe
2012-08-07 14:26 - 2012-08-07 14:26 - 00001726 ____A C:\Users\Brad2\Desktop\aswMBR.txt
2012-08-07 14:26 - 2012-08-07 14:22 - 00000512 ____A C:\Users\Brad2\Desktop\MBR.dat
2012-08-07 14:21 - 2012-08-07 14:21 - 04731392 ____A (AVAST Software) C:\Users\Brad2\Desktop\aswMBR.exe
2012-08-02 07:44 - 2012-08-02 07:44 - 00227824 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-08-02 07:44 - 2012-08-02 07:44 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-08-02 07:44 - 2012-08-02 07:44 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-08-02 06:00 - 2012-08-02 06:00 - 00003533 ____A C:\Users\Brad2\Desktop\Attach.zip
2012-08-02 05:59 - 2012-08-02 05:59 - 00010548 ____A C:\Users\Brad2\Desktop\Attach.txt
2012-08-02 05:55 - 2012-08-02 05:55 - 00607260 ____R (Swearware) C:\Users\Brad2\Desktop\dds.scr
2012-07-31 18:42 - 2012-07-31 18:42 - 00185344 ____A C:\Users\Gaines2\Desktop\Week 8 - ARM 55 2010 final class.ppt
2012-07-21 10:57 - 2011-12-31 10:05 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-18 10:15 - 2012-08-15 15:39 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-05 19:06 - 2012-08-02 07:44 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-05 19:06 - 2011-08-28 12:29 - 00687544 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-07-04 14:16 - 2012-08-15 15:39 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-15 15:39 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-15 15:39 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-15 15:39 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-15 15:39 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-03 10:46 - 2011-08-28 06:21 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-26 23:06 - 2012-08-15 15:39 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-26 23:06 - 2012-08-15 15:39 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-26 23:06 - 2012-08-15 15:39 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-26 23:03 - 2012-08-15 15:39 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-26 23:03 - 2012-08-15 15:39 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-26 23:03 - 2012-08-15 15:39 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-26 23:02 - 2012-08-15 15:39 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-26 23:02 - 2012-08-15 15:39 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-26 23:02 - 2012-08-15 15:39 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-26 23:02 - 2012-08-15 15:39 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-26 21:53 - 2012-08-15 15:39 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-26 21:53 - 2012-08-15 15:39 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-26 21:53 - 2012-08-15 15:39 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-26 21:51 - 2012-08-15 15:39 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-26 21:51 - 2012-08-15 15:39 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-06-26 21:51 - 2012-08-15 15:39 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-26 21:50 - 2012-08-15 15:39 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-26 21:50 - 2012-08-15 15:39 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-26 21:50 - 2012-08-15 15:39 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-26 21:50 - 2012-08-15 15:39 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-26 20:53 - 2012-08-15 15:39 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-26 20:10 - 2012-08-15 15:39 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-15 21:16 - 2012-08-15 15:39 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-06-15 21:15 - 2012-08-15 15:39 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-15 20:26 - 2012-08-15 15:39 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-15 20:26 - 2012-08-15 15:39 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-06-08 21:43 - 2012-07-11 13:48 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 13:48 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-06 05:49 - 2012-06-06 05:49 - 01070152 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2012-06-05 22:06 - 2012-07-11 13:48 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 13:48 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 13:48 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 13:48 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 13:48 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 13:48 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-08 16:42 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 16:42 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 16:42 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 16:42 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 16:42 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-08 16:42 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-08 16:42 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-08 16:41 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-08 16:41 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:50 - 2012-07-11 13:48 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 13:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 13:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 13:48 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 13:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 13:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 13:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 13:48 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 13:48 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 3839.29 MB
Available physical RAM: 3030.23 MB
Total Pagefile: 3837.48 MB
Available Pagefile: 3002.45 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:920.18 GB) (Free:869.52 GB) NTFS
2 Drive e: (HP_RECOVERY) (Fixed) (Total:11.23 GB) (Free:1.37 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:14.9 GB) (Free:14.85 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
10 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 14 GB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 920 GB 101 MB
Partition 3 Primary 11 GB 920 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 920 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 11 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 14 GB Healthy

==================================================================================

Last Boot: 2012-08-17 17:15

======================= End Of Log ==========================
 
Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

HKU\Gaines2\...\Run: [mstnr] rundll32.exe "C:\Users\Gaines2\AppData\Roaming\mstnr.dll",HrFindInetTimeZone [x]
HKU\Gaines2\...\Run: [Cosmi] rundll32.exe C:\Users\Gaines2\AppData\Local\Cosmi\poliexrp.dll,GetImporterInterface [x]

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
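The two entries the helper put in fixlist.txt share a pattern worth recognising: a per-user Run value that uses rundll32.exe to load a DLL from the user's own AppData folder, and that FRST tags with [x] because the file is no longer on disk. The script below is an added example written for this page; it is not part of FRST and not the helper's own procedure. It parses the Run/RunOnce lines in the format shown in the FRST.txt above and flags entries by three assumed heuristics (file missing, rundll32/regsvr32 loading from a user profile, unsigned binary under a user profile), then emits the flagged lines verbatim, which is exactly what FRST expects in fixlist.txt. The sample input reuses lines from the posted log plus one constructed unsigned entry ([upd]) to exercise the third rule.

```python
"""Triage the Run/RunOnce lines of an FRST.txt log and build a fixlist.

Added example for this thread; not part of FRST and not the helper's script.
The heuristics below are the editor's assumptions about what makes an autorun
suspicious, modelled on the two entries removed in this thread.
"""
import re
from typing import List, NamedTuple

# Constructed sample: lines copied from the FRST.txt posted above, plus one
# constructed entry ([upd]) that exists on disk but carries no signer.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Gaines2\...\Run: [mstnr] rundll32.exe "C:\Users\Gaines2\AppData\Roaming\mstnr.dll",HrFindInetTimeZone [x]
HKU\Gaines2\...\Run: [Cosmi] rundll32.exe C:\Users\Gaines2\AppData\Local\Cosmi\poliexrp.dll,GetImporterInterface [x]
HKU\Gaines2\...\Run: [upd] C:\Users\Gaines2\AppData\Local\Temp\upd.exe [40960 2012-08-01] ()
"""

# FRST autorun line shape, as inferred from the posted log:
#   <hive>\...\Run: [<name>] <command> [<size> <date>] (<signer>)
#   <hive>\...\Run: [<name>] <command> [x]            <- [x] = file not found
LINE_RE = re.compile(
    r"^(?P<hive>HK\w+(?:-x32)?(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)"
    r" \[(?P<meta>x|\d+ \d{4}-\d{2}-\d{2})\]"
    r"(?: \((?P<signer>[^)]*)\))?$"
)

# Living-off-the-land loaders whose interesting payload is their DLL argument.
LOADERS = ("rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32")

# Anything under a user profile is writable without admin rights.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\(users|documents and settings)\\", re.I)


class Finding(NamedTuple):
    hive: str
    name: str
    path: str
    reasons: List[str]
    raw: str  # the original log line, reusable as a fixlist line


def target_path(command: str) -> str:
    """Return the file an autorun really loads.

    For rundll32/regsvr32 that is the DLL argument (quoted or ',export'
    suffixed), not the loader. Otherwise it is the first token; an unquoted
    path with spaces is cut at the first space, which still keeps the
    drive\\Users\\ prefix the profile check relies on.
    """
    tokens = command.strip().split(None, 1)
    if not tokens:
        return ""
    if tokens[0].lower() in LOADERS and len(tokens) > 1:
        rest = tokens[1]
        if rest.startswith('"'):
            return rest[1:rest.index('"', 1)]
        return rest.split(",", 1)[0]
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return tokens[0]


def triage_run_entries(frst_text: str) -> List[Finding]:
    """Parse every Run/RunOnce line and keep those matching a heuristic."""
    findings = []
    for raw in frst_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        command = m["command"]
        path = target_path(command)
        loader = command.strip().split(None, 1)[0].lower() if command.strip() else ""
        reasons = []
        if m["meta"] == "x":
            reasons.append("file missing ([x]): orphaned or self-deleting autorun")
        if loader in LOADERS and USER_PROFILE_RE.match(path):
            reasons.append(f"{loader} loads a DLL from a user profile path")
        elif USER_PROFILE_RE.match(path) and not m["signer"]:
            reasons.append("unsigned binary under a user profile")
        if reasons:
            findings.append(Finding(m["hive"], m["name"], path, reasons, raw.strip()))
    return findings


def build_fixlist(frst_text: str) -> List[str]:
    """FRST deletes a registry value when its log line is pasted into fixlist.txt,
    so the fixlist is simply the flagged lines, verbatim (as in this thread)."""
    return [f.raw for f in triage_run_entries(frst_text)]


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_FRST_LINES):
        print(f"{f.hive} [{f.name}] -> {f.path}")
        for reason in f.reasons:
            print("   -", reason)
    print("\nfixlist.txt:")
    print("\n".join(build_fixlist(SAMPLE_FRST_LINES)))
```

Run it against a real FRST.txt by reading the file in place of SAMPLE_FRST_LINES; review every flagged line before pasting it into fixlist.txt, since a missing-file [x] entry can also be a leftover from a legitimate uninstall.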
 
System seems to be running fine, and no more error messages when logging into that user account. Thank you so much for your help!

Here is Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
Ran by SYSTEM at 2012-08-23 19:09:34 Run:2
Running from G:\

==============================================

HKEY_USERS\Gaines2\Software\Microsoft\Windows\CurrentVersion\Run\\mstnr Value deleted successfully.
HKEY_USERS\Gaines2\Software\Microsoft\Windows\CurrentVersion\Run\\Cosmi Value deleted successfully.

==== End of Fixlog ====
 
Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)


----------

Clean up with OTL:
  • Right-click and Run as Administrator OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.
If you didn't already have it I would keep Malwarebytes AntiMalware though.


Here are some tips to reduce the potential for spyware infection in the future:

1. Internet Explorer. Even if you don't use it as your main browser it should be kept up-to-date because that is the browser Windows uses for updates.
Make your Internet Explorer more secure
- This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
  • Open Internet Explorer
  • Click on Tools > Internet Options
  • Press Security tab
  • Select Internet zone then place check next to Enable Protected Mode if not already done
  • Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
  • Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
 