Win32/Sirefef infection

Hi NutherStamper,

I will eventually go with a different firewall as soon as I check out the ones you recommended.

Well then, if you like, why not make the switch now? Doing a complete uninstall will make removing all parts of Zone Alarm easier.

Please download one of these first, then uninstall Zone Alarm via the uninstall feature (if it has one) or via the Control Panel. Reboot, then proceed to install the new Firewall.

Free Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here.

After you have installed the new Firewall run a fresh scan with OTL. (Lop & Purity options can be skipped)
 
After checking out the three recommended, I find Armor is only a 30-day trial and I don't want to upgrade it online, and Comodo sounds too complicated, so I think I would like to go and buy a firewall program or suite at a local store and install that. But it will take me a while to do so, as I want to do some investigation. I just want to make sure I will understand it and be able to work with it.
So in the meantime could we continue?
 
Hi NutherStamper,

Sure we can give it a go!

What we will do is remove the toolbar and the BHO. Then, when you get settled on a new Firewall, just uninstall Zone Alarm and you should be fine.

Also, if you can remove the toolbar from your add-ons, do that as well. You might not be able to until you do the full uninstall. If not, just wait until then and confirm the add-on has been removed as well.

Run OTL.exe

  • Windows XP: Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8: Right click and select "Run as Administrator"
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    O2 - BHO: (Zonealarm Helper Object) - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\bh\zonealarm.dll (Check Point Software Technologies LTD)
    O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmTlbr.dll (Check Point Software Technologies LTD)
    
    :Files
    C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmApp.dll 
    C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmEng.dll
    C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmsrv.exe
    C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmTlbr.dll
    C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\bh\zonealarm.dll
    C:\Program Files (x86)\CheckPoint\Install\zatb.exe
     
    :Commands
    [purity]
    [createrestorepoint]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then re-run OTL and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
=========================

In your next post please provide the following:
  • OTL fix log
  • Fresh OTL.txt
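To make the fix procedure above concrete, here is an added Python example (not OTL's own code and not part of the helper's script): it parses O2 (BHO) and O3 (Toolbar) lines from an OTL log, builds the same :OTL/:Files/:Commands fix block for one vendor, and reconciles the fix log the user posts afterwards against what was requested. It treats a "not found" for a DLL that the :OTL section already moved earlier in the same run as success, not failure, which is exactly what the posted fix log shows. The sample lines are reproduced from this thread; the function and constant names are the example's own.

```python
"""Parse OTL O2/O3 entries, build an OTL fix for one vendor, verify the fix log."""
import re
from dataclasses import dataclass

# Matches one OTL O2 (BHO) or O3 (IE toolbar) line, e.g.
#   O2 - BHO: (name) - {CLSID} - C:\path\x.dll (company)
#   O3 - HKLM\..\Toolbar: (name) - {CLSID} - C:\path\y.dll (company)
# Lazy groups cope with "(x86)" inside names and paths; lines without a
# CLSID ("Locked - No CLSID value found.") do not match and are skipped.
ENTRY_RE = re.compile(
    r"^(?P<kind>O2|O3)(?::64bit:)? - (?:BHO|HKLM\\\.\.\\Toolbar): "
    r"\((?P<name>.*?)\) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?) \((?P<company>[^()]*)\)\s*$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Sample input, constructed from the OTL lines quoted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: (Zonealarm Helper Object) - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\bh\zonealarm.dll (Check Point Software Technologies LTD)",
    r"O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)",
    r"O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.",
    r"O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmTlbr.dll (Check Point Software Technologies LTD)",
]
# Sample fix log, constructed from the result the thread reports after the fix ran.
SAMPLE_FIX_LOG = [
    r"Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}\ deleted successfully.",
    r"Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}\ deleted successfully.",
    r"C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\bh\zonealarm.dll moved successfully.",
    r"Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}\ deleted successfully.",
    r"C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmTlbr.dll moved successfully.",
    r"File\Folder C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmTlbr.dll not found.",
]


@dataclass(frozen=True)
class Entry:
    kind: str      # "O2" (Browser Helper Object) or "O3" (IE toolbar)
    name: str
    clsid: str
    path: str
    company: str
    line: str      # the raw OTL line, reused verbatim in the :OTL section


def parse_entries(log_lines):
    """Return every O2/O3 entry that carries a CLSID and a file path."""
    out = []
    for raw in log_lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append(Entry(m["kind"], m["name"], m["clsid"], m["path"],
                             m["company"], raw.strip()))
    return out


def select_vendor(entries, needle):
    """Keep entries whose name, company or path mentions the vendor (case-insensitive)."""
    n = needle.lower()
    return [e for e in entries
            if n in e.name.lower() or n in e.company.lower() or n in e.path.lower()]


def build_fix(entries, extra_files=()):
    """Emit an OTL Custom Scans/Fixes script: registry entries, their DLLs, then commands."""
    paths = []
    for p in [e.path for e in entries] + list(extra_files):
        if p not in paths:          # de-duplicate while keeping order
            paths.append(p)
    lines = [":OTL", *[e.line for e in entries], "", ":Files", *paths, "",
             ":Commands", "[purity]", "[createrestorepoint]", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines)


def parse_fix_log(fix_log_lines):
    """Collect what the fix log says happened: CLSIDs deleted, paths moved or not found."""
    deleted, moved, missing = set(), set(), set()
    for raw in fix_log_lines:
        s = raw.strip()
        if s.startswith("Registry ") and s.endswith("deleted successfully."):
            deleted.update(CLSID_RE.findall(s))
        elif s.endswith(" moved successfully."):
            moved.add(s[: -len(" moved successfully.")])
        elif s.startswith("File\\Folder ") and s.endswith(" not found."):
            missing.add(s[len("File\\Folder "): -len(" not found.")])
    return deleted, moved, missing


def reconcile(entries, fix_log_lines):
    """Per entry: was its CLSID key deleted, and is its DLL gone (moved now, or
    already moved earlier in the same run, which OTL then reports as 'not found')?"""
    deleted, moved, missing = parse_fix_log(fix_log_lines)
    return {e.clsid: {"key_deleted": e.clsid in deleted,
                      "file_gone": e.path in moved or e.path in missing}
            for e in entries}


if __name__ == "__main__":
    za = select_vendor(parse_entries(SAMPLE_LOG), "zonealarm")
    print(build_fix(za, extra_files=[r"C:\Program Files (x86)\CheckPoint\Install\zatb.exe"]))
    for clsid, status in reconcile(za, SAMPLE_FIX_LOG).items():
        print(clsid, status)
```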
 
OK, ran the OTL fix (and the ZA toolbar and BHO are no longer in my add-ons).

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}\ deleted successfully.
C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\bh\zonealarm.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}\ deleted successfully.
C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmTlbr.dll moved successfully.
========== FILES ==========
C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmApp.dll moved successfully.
C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmEng.dll moved successfully.
C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmsrv.exe moved successfully.
File\Folder C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\zonealarmTlbr.dll not found.
File\Folder C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.21.15\bh\zonealarm.dll not found.
C:\Program Files (x86)\CheckPoint\Install\zatb.exe moved successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Gateway
->Temp folder emptied: 72851 bytes
->Temporary Internet Files folder emptied: 1458872 bytes
->Flash cache emptied: 553 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 137958 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 11292013_205611

Files\Folders moved on Reboot...
C:\Users\Gateway\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Gateway\AppData\Local\Temp\~DF2627FE0B13DB445C.TMP moved successfully.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.
File\Folder C:\Windows\temp\ZLT06b7a.TMP not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Fresh OTL log:

OTL logfile created on: 11/29/2013 9:02:34 PM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Gateway\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.68 Gb Total Physical Memory | 2.32 Gb Available Physical Memory | 63.21% Memory free
7.35 Gb Paging File | 5.91 Gb Available in Paging File | 80.38% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 577.70 Gb Total Space | 534.98 Gb Free Space | 92.60% Space Free | Partition Type: NTFS

Computer Name: GATEWAY-PC | User Name: Gateway | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Gateway\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe (Check Point Software Technologies, Ltd.)
PRC - C:\Program Files (x86)\AOL Desktop 9.6\waol.exe (AOL Inc.)
PRC - C:\Program Files (x86)\AOL Desktop 9.6\shellmon.exe (AOL Inc.)
PRC - C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Launch Manager\LMworker.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe (NewTech Infosystems, Inc.)
PRC - C:\Program Files (x86)\Common Files\AOL\1319763878\ee\aolsoftware.exe (AOL Inc.)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe (Acer Incorporated)
PRC - C:\Program Files (x86)\Common Files\AOL\acs\AOLacsd.exe (AOL LLC)


========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\AOL Desktop 9.6\zlib.dll ()
MOD - C:\Program Files (x86)\Launch Manager\CdDirIo.dll ()


========== Services (SafeList) ==========

SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (WRSVC) -- C:\Program Files\Webroot\WRSA.exe (Webroot)
SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV:64bit: - (ePowerSvc) -- C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe (Acer Incorporated)
SRV:64bit: - (Updater Service) -- C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe (Acer Group)
SRV:64bit: - (TurboBoost) -- C:\Program Files\Intel\TurboBoost\TurboBoost.exe (Intel(R) Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (vsmon) -- C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe (Check Point Software Technologies LTD)
SRV - (ZAPrivacyService) -- C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe (Check Point Software Technologies, Ltd.)
SRV - (DsiWMIService) -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Dritek System Inc.)
SRV - (NTI IScheduleSvc) -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe (NewTech Infosystems, Inc.)
SRV - (NOBU) -- C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe (Symantec Corporation)
SRV - (GameConsoleService) -- C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe (WildTangent, Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (Nero BackItUp Scheduler 4.0) -- c:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (GREGService) -- C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe (Acer Incorporated)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (AOL ACS) -- C:\Program Files (x86)\Common Files\AOL\acs\AOLacsd.exe (AOL LLC)


========== Driver Services (SafeList) ==========

DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (Vsdatant) -- C:\Windows\SysNative\drivers\vsdatant.sys (Check Point Software Technologies LTD)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (WRkrn) -- C:\Windows\SysNative\drivers\WRkrn.sys (Webroot)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (k57nd60a) -- C:\Windows\SysNative\drivers\k57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV:64bit: - (TurboB) -- C:\Windows\SysNative\drivers\TurboB.sys ()
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (HECIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (L1E) -- C:\Windows\SysNative\drivers\L1E62x64.sys (Atheros Communications, Inc.)
DRV:64bit: - (BCM43XX) -- C:\Windows\SysNative\drivers\BCMWL664.SYS (Broadcom Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (NTIDrvr) -- C:\Windows\SysNative\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV:64bit: - (UBHelper) -- C:\Windows\SysNative\drivers\UBHelper.sys (NewTech Infosystems Corporation)
DRV:64bit: - (wanatw) -- C:\Windows\SysNative\drivers\wanatw64.sys (America Online, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com/?pc=MAGW
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=MAGW
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=AGWTDF&pc=MAGW&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com/?pc=MAGW
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=MAGW
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com/?pc=MAGW
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com
IE - HKCU\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {71B47759-455C-49A5-8470-DAECAECD8139}
IE - HKCU\..\SearchScopes\{71B47759-455C-49A5-8470-DAECAECD8139}: "URL" = http://search.zonealarm.com/search?src=sp&tbid=goughDev3&Lan=en&q={searchTerms}&gu=1ca8d8d1f53640149a92790f0d006f62&tu=10G9y008k2B0CO0&sku=&tstsId=&ver=&&r=41
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpWinExt,version=5.0: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\Firefox [2011/07/06 16:08:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/07/06 16:08:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2011/07/06 16:08:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker

[2013/06/26 09:40:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

O1 HOSTS File: ([2013/11/09 09:16:26 | 000,450,660 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 15467 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (@C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [Acer ePower Management] C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Alcor Micro Corp.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [AOL Fast Start] C:\Program Files (x86)\AOL Desktop 9.6\AOL.EXE (AOL Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{54344F18-F937-4512-ABA3-F3D5F88B58B2}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/11/29 20:58:15 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\gOCcTtxN.sys
[2013/11/29 14:33:52 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\xstsnfMB.sys
[2013/11/29 12:59:05 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\DRruYoBQ.sys
[2013/11/29 10:46:59 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\RhqyaXHk.sys
[2013/11/28 11:09:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2013/11/28 11:09:32 | 000,000,000 | -H-D | C] -- C:\Windows\AxInstSV
[2013/11/28 08:50:36 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\FQSltsEg.sys
[2013/11/28 08:40:46 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\sXZMJJlJ.sys
[2013/11/28 08:33:15 | 000,000,000 | ---D | C] -- C:\Users\Gateway\AppData\Roaming\Malwarebytes
[2013/11/28 08:33:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/11/28 08:33:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/11/28 08:33:02 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/11/28 08:33:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013/11/28 08:32:28 | 000,000,000 | ---D | C] -- C:\Users\Gateway\AppData\Local\Programs
[2013/11/28 08:29:15 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\gvUCvPTR.sys
[2013/11/28 08:25:42 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Gateway\Desktop\TFC.exe
[2013/11/28 08:21:14 | 010,285,040 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Gateway\Desktop\mbam-setup-1.75.0.1300.exe
[2013/11/27 19:36:28 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\ZPthFARi.sys
[2013/11/27 19:31:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Viewpoint
[2013/11/27 19:31:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Viewpoint
[2013/11/27 19:21:41 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/11/27 19:14:28 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\zHXiWUlq.sys
[2013/11/27 19:08:11 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\qlLcfemZ.sys
[2013/11/27 16:48:36 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\nFxkDuxA.sys
[2013/11/27 16:44:05 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\rRoRclXb.sys
[2013/11/27 16:37:19 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\GYSqTvDM.sys
[2013/11/27 16:32:34 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/11/27 16:30:26 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\ZAGugwrS.sys
[2013/11/27 16:27:48 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/11/27 16:25:39 | 001,034,531 | ---- | C] (Thisisu) -- C:\Users\Gateway\Desktop\JRT.exe
[2013/11/27 16:15:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013/11/27 16:14:43 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013/11/27 16:14:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2013/11/27 16:05:09 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\YkcgezEK.sys
[2013/11/27 15:50:32 | 000,054,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\WdfLdr.sys
[2013/11/27 15:50:32 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Wdfres.dll
[2013/11/27 15:36:13 | 000,194,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFPlatform.dll
[2013/11/27 15:36:12 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFx.dll
[2013/11/27 15:36:12 | 000,229,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFHost.exe
[2013/11/27 15:36:12 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFCoinstaller.dll
[2013/11/27 15:32:00 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2013/11/27 15:17:55 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\flNdTVxr.sys
[2013/11/27 15:12:16 | 001,462,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2013/11/27 15:12:16 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
[2013/11/27 08:48:08 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Gateway\Desktop\OTL.exe
[2013/11/27 08:37:04 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\Gateway\Desktop\aswMBR.exe
[2013/11/26 13:48:28 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\NNcfgjdK.sys
[2013/11/20 15:47:05 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Users\Gateway\Documents\spybotsd162 new.exe
[2013/11/20 15:36:10 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\GVRnYNiz.sys
[2013/11/20 03:06:35 | 002,462,696 | ---- | C] (Check Point Software Technologies LTD) -- C:\Users\Gateway\Documents\zafwSetupWeb_120_104_000.exe
[2013/11/20 02:30:12 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\ptHkzOmn.sys
[2013/11/19 09:49:25 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\PhCqpvSu.sys
[2013/11/19 09:41:22 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\EfIVngcY.sys
[2013/11/19 09:37:24 | 005,497,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013/11/19 09:37:23 | 003,958,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013/11/19 09:37:23 | 003,902,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013/11/19 09:37:22 | 000,112,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\smss.exe
[2013/11/19 09:37:22 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2013/11/19 09:37:22 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\apisetschema.dll
[2013/11/19 09:28:06 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\yzfzZiiz.sys
[2013/11/19 09:19:14 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\RHMmvERY.sys
[2013/11/19 09:11:52 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\nDKFYDSZ.sys
[2013/11/19 09:03:30 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\EWkhVxVk.sys
[2013/11/19 08:55:48 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\bLMkglRo.sys
[2013/11/19 08:47:12 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\Bhbkwwrt.sys
[2013/11/19 08:39:57 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\PfrIQbGi.sys
[2013/11/19 08:32:45 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\tcJsGJfQ.sys
[2013/11/19 08:30:33 | 000,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\imagehlp.dll
[2013/11/19 08:30:33 | 000,022,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\fs_rec.sys
[2013/11/19 08:24:38 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\ZFlZrLAC.sys
[2013/11/19 08:15:48 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\rrcSAHsi.sys
[2013/11/19 08:13:43 | 003,138,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2013/11/19 08:13:42 | 002,691,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2013/11/19 08:13:42 | 000,131,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\aaclient.dll
[2013/11/19 08:13:41 | 000,158,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aaclient.dll
[2013/11/19 08:13:41 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tsgqec.dll
[2013/11/19 08:13:41 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\tsgqec.dll
[2013/11/19 08:13:29 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usb8023.sys
[2013/11/19 08:13:26 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2013/11/19 08:13:26 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2013/11/19 08:13:26 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2013/11/19 08:13:26 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2013/11/19 08:13:25 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2013/11/19 08:13:25 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2013/11/19 08:13:25 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2013/11/19 08:13:25 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2013/11/19 08:13:25 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2013/11/19 08:13:24 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2013/11/19 08:13:24 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2013/11/19 08:13:24 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2013/11/19 08:13:24 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2013/11/19 08:13:24 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2013/11/19 08:13:23 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2013/11/19 08:13:23 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2013/11/19 08:13:22 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2013/11/19 08:13:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2013/11/19 08:13:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2013/11/19 08:13:21 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2013/11/19 08:13:21 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2013/11/19 08:13:21 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2013/11/19 08:13:21 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2013/11/19 08:13:21 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2013/11/19 08:13:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2013/11/19 08:13:20 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2013/11/19 08:11:56 | 000,287,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[2013/11/19 08:11:48 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc-nz.rs
[2013/11/19 08:11:48 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc-nz.rs
[2013/11/19 08:11:48 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\csrr.rs
[2013/11/19 08:11:47 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\fpb.rs
[2013/11/19 08:11:47 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysNative\fpb.rs
[2013/11/19 08:11:47 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegibbfc.rs
[2013/11/19 08:11:47 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegibbfc.rs
[2013/11/19 08:11:47 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysNative\csrr.rs
[2013/11/19 08:11:47 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cob-au.rs
[2013/11/19 08:11:47 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cob-au.rs
[2013/11/19 08:11:47 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\usk.rs
[2013/11/19 08:11:47 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysNative\usk.rs
[2013/11/19 08:11:47 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\grb.rs
[2013/11/19 08:11:47 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\djctq.rs
[2013/11/19 08:11:47 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysNative\djctq.rs
[2013/11/19 08:11:46 | 002,745,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gameux.dll
[2013/11/19 08:11:46 | 000,441,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Wpc.dll
[2013/11/19 08:11:46 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysNative\grb.rs
[2013/11/19 08:11:46 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-pt.rs
[2013/11/19 08:11:46 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-pt.rs
[2013/11/19 08:11:46 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi.rs
[2013/11/19 08:11:46 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi.rs
[2013/11/19 08:11:45 | 000,308,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Wpc.dll
[2013/11/19 08:11:44 | 002,576,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gameux.dll
[2013/11/19 08:11:42 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\esrb.rs
[2013/11/19 08:11:42 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysNative\esrb.rs
[2013/11/19 08:11:42 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc.rs
[2013/11/19 08:11:42 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc.rs
[2013/11/19 08:11:42 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-fi.rs
[2013/11/19 08:11:42 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-fi.rs
[2013/11/19 08:11:41 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cero.rs
[2013/11/19 08:11:41 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cero.rs
[2013/11/19 08:07:39 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\ANkYJdBb.sys
[2013/11/19 08:06:27 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2013/11/19 08:04:59 | 000,095,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\synceng.dll
[2013/11/19 08:04:59 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\synceng.dll
[2013/11/19 08:04:58 | 000,850,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/11/19 08:04:58 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/11/19 08:04:58 | 000,609,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/11/19 08:04:49 | 001,739,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll
[2013/11/19 07:51:51 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\drKitRof.sys
[2013/11/19 07:49:36 | 001,446,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lsasrv.dll
[2013/11/19 07:49:35 | 000,395,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\webio.dll
[2013/11/19 07:49:35 | 000,314,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\webio.dll
[2013/11/19 07:49:35 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspicli.dll
[2013/11/19 07:49:35 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspisrv.dll
[2013/11/19 07:49:35 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secur32.dll
[2013/11/19 07:49:25 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\packager.dll
[2013/11/19 07:49:25 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\packager.dll
[2013/11/19 07:42:47 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\IbaqcxwF.sys
[2013/11/18 02:57:01 | 022,791,896 | ---- | C] (Microsoft Corporation) -- C:\Users\Gateway\Desktop\Windows-KB890830-x64-V5.6.exe
[2013/11/18 02:38:45 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\KxzRAfDT.sys
[2013/11/14 17:08:52 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\AObrlJiW.sys
[2013/11/12 19:32:08 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\lqPzNizH.sys
[2013/11/10 08:06:38 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\vbmVTJdr.sys
[2013/11/08 09:35:25 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\xyPGyqUk.sys
[2013/11/03 17:49:29 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\XrdphSqK.sys
[2013/11/01 14:08:35 | 000,000,000 | ---D | C] -- C:\Users\Gateway\Documents\CraftClassesNovember
[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/11/29 21:05:32 | 000,017,600 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/11/29 21:05:32 | 000,017,600 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/11/29 21:02:52 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/11/29 21:02:52 | 000,624,178 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/11/29 21:02:52 | 000,106,522 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/11/29 20:58:15 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\gOCcTtxN.sys
[2013/11/29 20:58:10 | 000,000,754 | ---- | M] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2013/11/29 20:58:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/11/29 20:58:02 | 2960,519,168 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/29 14:33:52 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\xstsnfMB.sys
[2013/11/29 12:59:05 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\DRruYoBQ.sys
[2013/11/29 10:46:59 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\RhqyaXHk.sys
[2013/11/28 08:50:36 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\FQSltsEg.sys
[2013/11/28 08:40:47 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\sXZMJJlJ.sys
[2013/11/28 08:33:06 | 000,001,116 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/28 08:29:15 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\gvUCvPTR.sys
[2013/11/28 08:25:47 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Gateway\Desktop\TFC.exe
[2013/11/28 08:21:27 | 010,285,040 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Gateway\Desktop\mbam-setup-1.75.0.1300.exe
[2013/11/27 19:36:28 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\ZPthFARi.sys
[2013/11/27 19:14:28 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\zHXiWUlq.sys
[2013/11/27 19:08:11 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\qlLcfemZ.sys
[2013/11/27 16:48:36 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\nFxkDuxA.sys
[2013/11/27 16:44:06 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\rRoRclXb.sys
[2013/11/27 16:37:19 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\GYSqTvDM.sys
[2013/11/27 16:30:26 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\ZAGugwrS.sys
[2013/11/27 16:25:53 | 001,034,531 | ---- | M] (Thisisu) -- C:\Users\Gateway\Desktop\JRT.exe
[2013/11/27 16:21:36 | 001,091,882 | ---- | M] () -- C:\Users\Gateway\Desktop\AdwCleaner.exe
[2013/11/27 16:13:11 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/11/27 16:05:10 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\YkcgezEK.sys
[2013/11/27 15:17:55 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\flNdTVxr.sys
[2013/11/27 15:17:46 | 000,275,712 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/11/27 09:13:44 | 000,000,566 | ---- | M] () -- C:\Users\Gateway\Desktop\MBR.zip
[2013/11/27 09:08:47 | 000,000,512 | ---- | M] () -- C:\Users\Gateway\Desktop\MBR.dat
[2013/11/27 08:48:11 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Gateway\Desktop\OTL.exe
[2013/11/27 08:37:07 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\Gateway\Desktop\aswMBR.exe
[2013/11/27 08:34:06 | 000,891,200 | ---- | M] () -- C:\Users\Gateway\Desktop\SecurityCheck.exe
[2013/11/26 13:48:28 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\NNcfgjdK.sys
[2013/11/20 15:47:08 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Users\Gateway\Documents\spybotsd162 new.exe
[2013/11/20 15:36:10 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\GVRnYNiz.sys
[2013/11/20 03:06:39 | 002,462,696 | ---- | M] (Check Point Software Technologies LTD) -- C:\Users\Gateway\Documents\zafwSetupWeb_120_104_000.exe
[2013/11/20 02:30:12 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\ptHkzOmn.sys
[2013/11/19 09:49:25 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\PhCqpvSu.sys
[2013/11/19 09:41:22 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\EfIVngcY.sys
[2013/11/19 09:28:06 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\yzfzZiiz.sys
[2013/11/19 09:19:14 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\RHMmvERY.sys
[2013/11/19 09:11:52 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\nDKFYDSZ.sys
[2013/11/19 09:03:30 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\EWkhVxVk.sys
[2013/11/19 08:55:48 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\bLMkglRo.sys
[2013/11/19 08:47:12 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\Bhbkwwrt.sys
[2013/11/19 08:39:57 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\PfrIQbGi.sys
[2013/11/19 08:32:45 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\tcJsGJfQ.sys
[2013/11/19 08:24:38 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\ZFlZrLAC.sys
[2013/11/19 08:15:48 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\rrcSAHsi.sys
[2013/11/19 08:07:39 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\ANkYJdBb.sys
[2013/11/19 07:51:51 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\drKitRof.sys
[2013/11/19 07:42:47 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\IbaqcxwF.sys
[2013/11/18 02:57:01 | 022,791,896 | ---- | M] (Microsoft Corporation) -- C:\Users\Gateway\Desktop\Windows-KB890830-x64-V5.6.exe
[2013/11/18 02:38:45 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\KxzRAfDT.sys
[2013/11/16 14:54:42 | 002,264,591 | ---- | M] () -- C:\Users\Gateway\Documents\Identity_Theft_Resource_Guide.pdf
[2013/11/14 17:08:52 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\AObrlJiW.sys
[2013/11/12 19:32:08 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\lqPzNizH.sys
[2013/11/10 08:06:38 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\vbmVTJdr.sys
[2013/11/10 07:32:49 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/11/10 07:32:48 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/11/09 09:16:26 | 000,450,660 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2013/11/08 09:35:25 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\xyPGyqUk.sys
[2013/11/03 17:49:29 | 000,111,080 | ---- | M] (Webroot) -- C:\Windows\SysNative\drivers\XrdphSqK.sys
[2013/11/01 14:08:35 | 001,300,208 | ---- | M] () -- C:\Users\Gateway\Documents\CraftClassesNovember.zip
[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/11/28 08:33:06 | 000,001,116 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/27 16:21:27 | 001,091,882 | ---- | C] () -- C:\Users\Gateway\Desktop\AdwCleaner.exe
[2013/11/27 15:50:35 | 000,000,003 | ---- | C] () -- C:\Windows\SysNative\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
[2013/11/27 15:36:12 | 000,000,003 | ---- | C] () -- C:\Windows\SysNative\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
[2013/11/27 09:13:44 | 000,000,566 | ---- | C] () -- C:\Users\Gateway\Desktop\MBR.zip
[2013/11/27 09:08:47 | 000,000,512 | ---- | C] () -- C:\Users\Gateway\Desktop\MBR.dat
[2013/11/27 08:33:54 | 000,891,200 | ---- | C] () -- C:\Users\Gateway\Desktop\SecurityCheck.exe
[2013/11/16 14:54:37 | 002,264,591 | ---- | C] () -- C:\Users\Gateway\Documents\Identity_Theft_Resource_Guide.pdf
[2013/11/01 14:08:28 | 001,300,208 | ---- | C] () -- C:\Users\Gateway\Documents\CraftClassesNovember.zip

========== ZeroAccess Check ==========

[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 00:30:56 | 014,165,504 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 23:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 20:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
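An added triage helper, not part of the thread or of OTL itself: a small Python parser for the "Files Created / Modified" line format the log above uses, plus three checks a reviewer usually does by eye on a log this size. It groups entries by (company, size) to surface runs like the identical-size Webroot drivers, applies a heuristic for eight-letter mixed-case driver names, and lists files under C:\Windows that carry no company name at all. The sample lines are constructed for the example (they copy the log's shapes, not its full content), the line format is inferred from the log rather than taken from OTL documentation, and the thresholds and heuristics are my choices. As far as I know OTL takes the company name from the file's version information, not from a signature check, so a cluster is a lead to verify against the vendor, not a verdict.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample in OTL's "Files Created / Modified" line format. The
# shapes mirror the log above: a vendor in parentheses, a directory (---D)
# with no vendor field, an empty vendor "()", a size whose first group has
# four digits, and the "*.tmp files" summary line OTL appends to a section.
SAMPLE_OTL = r"""
[2013/11/19 09:03:30 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\EWkhVxVk.sys
[2013/11/19 08:55:48 | 000,111,080 | ---- | C] (Webroot) -- C:\Windows\SysNative\drivers\bLMkglRo.sys
[2013/11/19 08:30:33 | 000,022,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\fs_rec.sys
[2013/11/19 08:30:33 | 000,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\imagehlp.dll
[2013/11/01 14:08:35 | 000,000,000 | ---D | C] -- C:\Users\Gateway\Documents\CraftClassesNovember
[2013/11/29 20:58:02 | 2960,519,168 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/09 09:16:26 | 000,450,660 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]
"""

# [timestamp | size | attributes | C or M] (Company) -- path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str          # R/H/S/D flags, "-" where unset
    kind: str           # "C" created, "M" modified
    company: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_otl(text: str):
    """Parse every file line in an OTL section; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append(Entry(d["ts"], int(d["size"].replace(",", "")),
                             d["attrs"], d["kind"], d["company"] or None, d["path"]))
    return entries


def vendor_size_clusters(entries, min_count=2):
    """(company, size) pairs that recur; identical size plus vendor usually
    means one product dropping copies of one binary under different names."""
    counts = Counter((e.company, e.size) for e in entries if not e.is_dir)
    return {key: n for key, n in counts.items() if n >= min_count}


EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")


def random_named_drivers(entries):
    """Heuristic: .sys files in a drivers directory whose name is eight
    mixed-case letters. A prompt to verify the vendor, not a verdict."""
    hits = []
    for e in entries:
        p = PureWindowsPath(e.path)
        if e.is_dir or p.suffix.lower() != ".sys":
            continue
        if not any(part.lower() == "drivers" for part in p.parts[:-1]):
            continue
        if EIGHT_LETTERS.match(p.stem) and p.stem not in (p.stem.lower(), p.stem.upper()):
            hits.append(e.path)
    return hits


def unattributed_system_files(entries, root=r"C:\Windows"):
    """Files under the Windows directory with no company name in their
    version information, which is where hand-made or renamed files show up."""
    root = PureWindowsPath(root)
    return [e.path for e in entries
            if e.company is None and not e.is_dir
            and root in PureWindowsPath(e.path).parents]


if __name__ == "__main__":
    entries = parse_otl(SAMPLE_OTL)
    print(f"{len(entries)} file entries")
    print("clusters:", vendor_size_clusters(entries))
    print("random-named drivers:", random_named_drivers(entries))
    print("unattributed under C:\\Windows:", unattributed_system_files(entries))
```

To run it over a real log, read the pasted text (OTL writes ANSI on these systems, so open it with errors="replace") and pass the whole section to parse_otl; registry lines and the "*.tmp files" summaries fall through the regex and are ignored.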
 
Hi NutherStamper,

Got a few that slipped by.

Run OTL.exe

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    IE - HKCU\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - No CLSID value found
    IE - HKCU\..\SearchScopes,DefaultScope = {71B47759-455C-49A5-8470-DAECAECD8139}
    IE - HKCU\..\SearchScopes\{71B47759-455C-49A5-8470-DAECAECD8139}: "URL" = http://search.zonealarm.com/search?src=sp&tbid=goughDev3&Lan=en&q={searchTerms}&gu=1ca8d8d1f53640149a92790f0d006f62&tu=10G9y008k2B0CO0&sku=&tstsId=&ver=&&r=41
     
    :Commands
    [purity]
    [createrestorepoint]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
=========================

In your next post please provide the following:
  • OTL fix log
  • How's the computer running?
 
OTL fix log:
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{91da5e8a-3318-4f8c-b67e-5964de3ab546} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\ not found.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{71B47759-455C-49A5-8470-DAECAECD8139}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71B47759-455C-49A5-8470-DAECAECD8139}\ not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Gateway
->Temp folder emptied: 34485 bytes
->Temporary Internet Files folder emptied: 508600 bytes
->Flash cache emptied: 553 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 43978 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 11302013_081819

Files\Folders moved on Reboot...
C:\Users\Gateway\AppData\Local\Temp\CMLS--2013-11-30--08-18-21.log moved successfully.
C:\Users\Gateway\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Gateway\AppData\Local\Temp\~DF497D5471759509FF.TMP moved successfully.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.
File\Folder C:\Windows\temp\ZLT011ac.TMP not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Computer seems to run a little faster. I was looking at the fresh OTL log I posted last night. There are some Hosts file entries (O1) that look like somewhere I don't want to go. Are these blocked hosts that I'm looking at?
 
Hi NutherStamper,

I was looking at the Fresh OTL log I posted last night. There are some Hosts files (O1) that look like somewhere I don't want to go. Are these blocked host files that I'm looking at

Yes, those sites are blocked. As in the example below:

O1 - Hosts: 127.0.0.1 100sexlinks.com

The loop-back address to your computer is 127.0.0.1, if you tried to visit the 100sexlinks.com website your Hosts file would loop the search back to your own machine to try and resolve the search.

But if the IP was for the real 100sexlinks.com website, and I don't know what that is but let's just say 66.102.0.0 (not real, but Google's IP) then your computer would resolve the search and direct you to that website.

O1 - Hosts: 66.102.0.0 100sexlinks.com - this entry would direct you to the sexlinks website if the IP was legitimate (really Google)

O1 - Hosts: 127.0.0.1 google.com - this entry would block Google

I hope that explains it a little better.

Do you have any issues we haven't addressed yet?
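The three cases in the reply above, as an added example that is not part of the original post: a short Python audit of hosts-file entries. It separates "blocks" (names mapped to loopback, or to 0.0.0.0, which blocklists also use as a blackhole) from "redirects" (names mapped to a routable address), reports names that appear with more than one address, and flags any name from a caller-supplied protected list that has been touched at all, since a legitimate site pointed at loopback or at a foreign address is the hijack case. The sample hosts content is constructed for the example; 66.102.0.0 is reused from the post as a stand-in address, and the protected list is an assumption the caller provides.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file (not taken from the thread's OTL log). The
# entries mirror the cases discussed in the post: a loopback "block", a
# redirect to a foreign address, and a legitimate site pointed at loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       100sexlinks.com
0.0.0.0         ads.example.net      # 0.0.0.0 is also used as a blackhole
66.102.0.0      100sexlinks.com
127.0.0.1       google.com
203.0.113.5     www.bank.example
"""


def is_blackhole(ip) -> bool:
    """True for addresses that never reach the network: loopback or 0.0.0.0/::."""
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file.

    Comments (# to end of line) and blank lines are skipped; one line may map
    an address to several hostnames. Lines whose first field is not an IP
    address are ignored rather than raising, as the resolver does.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def audit_hosts(text: str, protected=()):
    """Classify hosts entries the way the post explains them.

    Returns a dict with:
      blocked    - hostnames mapped to loopback/0.0.0.0 (traffic never leaves)
      redirected - hostname -> address for entries pointing at a real address
      conflicts  - hostnames listed with more than one address of one family
      hijacked   - names from `protected` that appear in the file at all
    """
    protected = {p.lower() for p in protected}
    addresses = defaultdict(set)          # (name, ip version) -> addresses seen
    blocked, redirected, hijacked = [], {}, {}

    for lineno, ip, name in parse_hosts(text):
        addresses[(name, ip.version)].add(str(ip))
        if is_blackhole(ip):
            if name != "localhost":       # localhost -> loopback is the stock entry
                blocked.append(name)
        else:
            redirected[name] = str(ip)
        if name in protected:
            hijacked[name] = (lineno, str(ip))

    conflicts = sorted({name for (name, _), ips in addresses.items() if len(ips) > 1})
    return {"blocked": blocked, "redirected": redirected,
            "conflicts": conflicts, "hijacked": hijacked}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS, protected={"google.com", "www.bank.example"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; pass its contents to audit_hosts together with the sites you care about (your bank, your mail provider, update servers) and treat anything in "hijacked" or "conflicts" as something to explain before calling the machine clean.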
 
Hi NutherStamper,

How are we looking?

Logs are looking good. :bigthumb: If she seems to running OK for you we can clean up and send you on your way.

Let me know if we have addressed all your issues.
 
On the laptop I think we've addressed all the issues. But I'm wondering if something is going on with the desktop computer that started the original problem. I've been doing Windows updates on the desktop computer and it's taking a very long time to reboot the computer. During the reboot I notice that mscorsvw.exe (there's 3 of them) runs a lot and takes up almost 100% of resources. I don't know if that's normal or not. In light of the recent infection I'm wondering if something else is still in there? Or am I just being paranoid? I'm still doing Windows updates on that machine so I'm hoping once it's done it will take care of anything, but it just seems odd it's running so much. Sorry to take up so much of your time, but that constant running worries me.
I did run Malwarebytes and it came up clean.
 
Hi NutherStamper,

During the reboot I notice that mscorsvw.exe (there's 3 of them) runs alot and takes up almost 100% of resources. I don't know if that's normal or not.

Here is a post that might explain what is happening better than I can. After reading, finish getting all the Windows updates and see if the problem subsides. If so let me know and we'll have a look at the other computer.

=========================

Here is the clean-up procedure for the laptop. Complete the steps outlined in the top portion to remove the tools and logs we produced. The bottom section are recommendations, not mandatory steps.

We have a few items to take care of before we get to the All Clean Speech.

=========================

Uninstall Combofix

The following will implement important cleanup procedures as well as reset System Restore points:

Click on the Start button and then in the Search field enter combofix /uninstall, as shown in the image below with the blue arrow.
Please note that there is a space between combofix and /uninstall.

Once you have typed this in, press Enter on your keyboard. A Open File security warning will appear asking if you are sure you want to run ComboFix. Please click on the Run button to start the program.

ComboFix will now uninstall itself from your computer and remove any backups and quarantined files. When it has finished you will be greeted by a dialog box stating that ComboFix has been uninstalled.

=========================

Clean up with OTL:
  • Right-click OTL.exe select "Run as Administrator" to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
=========================

Removing/Uninstalling AdwCleaner:
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • AdwCleaner.exe, its folder and all logs will be removed.
=========================

You can now delete any tools and/or logs remaining on your desktop.

=========================

Disable Java in Web Browsers

There is a vulnerability with regard to Java and web browsers. Therefore, we recommend disabling Java in web browsers.
More information can be found here: http://www.techsupportforum.com/forums/f50/disable-java-in-browsers-683721.html

  • Click on the Start button and then click on the Control Panel option.
  • In the Control Panel Search enter Java Control Panel.
  • Click on the Java icon to open the Java Control Panel.


Disable Java through the Java Control Panel

  • In the Java Control Panel, click on the Security tab.
  • Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
  • Click Apply. When the Windows User Account Control (UAC) dialog appears, allow permissions to make the changes.
  • Click OK in the Java Plug-in confirmation window.
  • Restart the browser for changes to take effect.


=========================

With the above items taken care of let's move on to the All Clean part of the process.

The following procedures are recommendations for helping to keep your system running smoothly. If you are currently satisfied with how your system is running, some or all of these may not pertain to you. Implement what you need.

This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords, as this is especially important after an infection.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Make your Mozilla Firefox more secure - This can be done by adding these add-ons:
Use and update an anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever-increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

Free Anti-Virus
Free Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here.
Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
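The Internet Explorer zone settings and the Java checkbox described above can also be applied from an elevated PowerShell prompt, which is handy when more than one machine needs the same treatment. The script below is an added example and not part of the original post: the numeric value names are Internet Explorer's documented URL action IDs for the Internet zone (Microsoft KB182569), and the Java property name and file path are Oracle's per-user defaults for Java 7 Update 10 and later. Both are assumptions to confirm by reopening the two dialogs afterwards.

```powershell
# Added example, not from the original post. Windows 7 / PowerShell 2.0 syntax;
# run in an elevated PowerShell, then close and reopen the browser.

# --- 1. Internet Explorer: Internet zone (zone 3) --------------------------
# Per-zone settings live under ...\Internet Settings\Zones\<zone id>. The value
# names are the URL action IDs from Microsoft KB182569 (assumed to match this
# IE version); data 0 = Enable, 1 = Prompt, 3 = Disable.
# If the "Security Zones: Use only machine settings" policy is on, IE reads the
# same key under HKLM instead of HKCU.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ieSettings = @{
    '1001' = 1   # Download signed ActiveX controls                          -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                        -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
    '1800' = 1   # Installation of desktop items                             -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME                 -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains              -> Prompt
}
foreach ($name in $ieSettings.Keys) {
    Set-ItemProperty -Path $zone -Name $name -Value $ieSettings[$name] -Type DWord
}
# Read the values back so the result is visible (compare with the Custom Level dialog).
Get-ItemProperty -Path $zone | Select-Object '1001','1004','1201','1800','1804','1607'

# --- 2. Java: "Enable Java content in the browser" -------------------------
# The Java Control Panel checkbox is backed by deployment.webjava.enabled in the
# per-user deployment.properties (Java 7u10 and later). Path and property name
# are assumptions taken from Oracle's documentation; adjust if deployment.config
# on this machine points somewhere else.
$depDir  = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment'
$depFile = Join-Path $depDir 'deployment.properties'
if (-not (Test-Path $depDir)) { New-Item -ItemType Directory -Path $depDir | Out-Null }
$lines = @()
if (Test-Path $depFile) {
    # Keep everything except an existing webjava line, which is replaced below.
    $lines = @(Get-Content $depFile | Where-Object { $_ -notmatch '^deployment\.webjava\.enabled' })
}
$lines += 'deployment.webjava.enabled=false'
Set-Content -Path $depFile -Value $lines -Encoding ASCII
# Show the line that was written.
Get-Content $depFile | Where-Object { $_ -match 'webjava' }
```

Both settings are per user, so run the script once in each Windows account that browses the web, then open Internet Options > Security > Custom level and the Java Control Panel > Security tab to confirm the dialogs show the same state.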
 
Thanks for the info on that process. I did update a whole lot of .net framework stuff so I should probably let it sit for a while I guess. I'm down to one of those process files now. I will let the desktop computer sit for a few hours and see if the constant running stops. I just have some optional stuff to update so I can hold off on that for now.

As for the laptop, we never downloaded combofix, so should I just go on removing the rest of the stuff? Thanks for the help and sorry for all the questions, a lot of this stuff is new to me.
 
Hi NutherStamper,

As for the laptop, we never downloaded combofix, so should I just go on removing the rest of the stuff? Thanks for the help and sorry for all the questions, a lot of this stuff is new to me.

:oops: I apologize. I went back and looked at the beginning of the thread (the other computer). I had forgotten this was a different machine.

If any of the steps in my last post don't apply, then please just skip those.

Must be getting a little senile. :scratch:
 
Well join the club. Don't know how you keep all this stuff straight to begin with. Anyway, the desktop computer seems to be fine now, guess it just needed to finish running all the updates.

As for the laptop, things look good except I went to try to update IE to IE10 and it says it can't because I'm missing Service Pack 1. I've done all the updates so not sure why this is happening. Related to infection? Or just missing something? I've cleaned up everything already so not sure where I should go with this. I remember the security check said I was missing Service Pack 1 when we started checking the laptop. But shouldn't all the updates have taken care of that?
Let me know.
 
I was able to manually install service pack 1. Took a while. I don't know why it wasn't coming up when I scanned for Windows updates. After I got that all done I noticed new updates coming up (one of which I'm sure I loaded before) so I downloaded those as well. Haven't tried to upgrade to IE10 yet because I noticed that there is a process called consent.exe in the list of processes (it has no description attached to it). Size is 3,520k It has no user name either. Something going on? or is this a normal file? I was hoping this laptop was good to go but now I'm wondering. Thanks for your help.
 
After getting Sp1 downloaded I decided to again check for more updates. There's 68 more. I'm going to go do all the updates necessary but in the meantime I had run adwcleaner again (just the scan). Log is below: Viewpoint software is necessary for my aol software but there's other stuff there I'm not sure what that is.

# AdwCleaner v3.013 - Report created 01/12/2013 at 10:25:23
# Updated 24/11/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Gateway - GATEWAY-PC
# Running from : C:\Users\Gateway\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found C:\Program Files (x86)\Viewpoint
Folder Found C:\ProgramData\Viewpoint

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\Viewpoint

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7601.17514


*************************

AdwCleaner[R0].txt - [4039 octets] - [27/11/2013 16:32:38]
AdwCleaner[R1].txt - [1526 octets] - [01/12/2013 10:25:23]
AdwCleaner[S0].txt - [4210 octets] - [27/11/2013 16:33:48]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [1646 octets] ##########
 
Hi NutherStamper,

Get all the updates for the laptop, reboot, then go back and see if any more become available. Once you think you have them all, upgrade to IE10, reboot then check performance.

You can also go into the Control Panel > Programs and Features > locate View Installed Updates in the left hand border and check and see if SP1 [Windows 7 Service Pack 1 (KB976932)] shows in the list. It may take a few minutes to fully list all updates.

=========================

I noticed that there is a process called consent.exe in the list of processes (it has no description attached to it). Size is 3,520k It has no user name either. Something going on? or is this a normal file?

The process known as Consent UI for administrative applications belongs to the Microsoft Windows Operating System (German: Betriebssystem Microsoft Windows) by Microsoft (www.microsoft.com).

Consent.exe is enabled when you have UAC turned on. It launches when a non-Windows program attempts to start up with administrator-level access to files and system settings, and shows a message asking if you want to allow the program to load. This is an important file; do not delete it unless you're sure it's a virus. If you want to disable it, turn off UAC and consent.exe will not load.

I'm assuming you're viewing this process from the Task Manager, correct?

We can also get the file scanned online to give you peace of mind, let me know.

=========================

Viewpoint software is necessary for my aol software but there's other stuff there I'm not sure what that is.

All the items listed from the AdwCleaner log are related to Viewpoint, so since you need Viewpoint for AOL to work I would leave those entries alone. The Internet Explorer entry under Browsers should be fine to leave, until you upgrade then if you want we can remove it.
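Both questions in the post above, whether SP1 is really installed and whether the consent.exe in Task Manager is the genuine Windows file, can be checked locally before anything is sent to an online scanner. The script below is an added example and not from the original post; it assumes the Windows 7 conventions that SP1 reports as build 7601, that the real consent.exe lives in System32, and that it carries a Microsoft signature.

```powershell
# Added example, not from the original post. Run from an elevated 64-bit
# PowerShell on Windows 7 (PowerShell 2.0 syntax); sfc needs the 64-bit host.

# --- 1. Service Pack 1 -------------------------------------------------------
# KB976932 is the Windows 7 SP1 package named in the post; the OS build number
# is an independent check (7600 = RTM, 7601 = SP1).
$os = Get-WmiObject Win32_OperatingSystem
"OS: $($os.Caption) $($os.CSDVersion) (build $($os.BuildNumber))"
$sp1 = Get-HotFix -Id KB976932 -ErrorAction SilentlyContinue
if ($sp1 -or $os.BuildNumber -eq '7601') { "SP1: present" }
else { "SP1: NOT found; install it manually as described in the thread" }

# --- 2. consent.exe ----------------------------------------------------------
# The genuine file is %SystemRoot%\System32\consent.exe. It runs as SYSTEM, which
# is why Task Manager shows no user name; that alone is not suspicious.
$expected = Join-Path $env:SystemRoot 'System32\consent.exe'

# (a) Embedded Authenticode signature. Many Windows system files are signed via
# a catalog rather than an embedded signature, and PowerShell 2 reports those as
# NotSigned, so 'Valid' confirms the file but 'NotSigned' alone is inconclusive.
$sig = Get-AuthenticodeSignature -FilePath $expected
"Signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"

# (b) System File Checker compares the file against the protected component
# store, which covers catalog-signed files too.
sfc "/VERIFYFILE=$expected"

# (c) SHA-256, for looking the file up in an online scanner if you still want to.
# Get-FileHash needs PowerShell 4, so use .NET directly.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fs  = [System.IO.File]::OpenRead($expected)
try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $fs.Close() }
"SHA-256: $hash"

# (d) Every running consent.exe should be loaded from that exact path. A copy
# running from a user-writable folder would be the real warning sign.
foreach ($p in Get-Process -Name consent -ErrorAction SilentlyContinue) {
    try { $path = $p.Path } catch { $path = $null }   # empty when not elevated
    if ($path -and ($path -ieq $expected)) { "PID $($p.Id): OK, $path" }
    elseif ($path) { "PID $($p.Id): running from '$path', NOT System32, investigate" }
    else { "PID $($p.Id): path not readable, rerun as Administrator" }
}
```

consent.exe only exists as a process while a UAC prompt is on screen, so step (d) will usually list nothing; the file checks in (a) through (c) are the ones that answer the question.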
 