Cyber Command of California Virus

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please print these instructions out so that you know what you are doing.
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

mcnavychief

New Member
Thread author
Verified
Nov 3, 2013
21
I have done those steps with USB and CD.
I put the CD in and started and ensured the BIOS was set to start with CD.
It went straight to starting windows.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Then you probably did something wrong, I cannot help you until I get the logs. Is it a branded PC, how did you set the BIOS, can I get the picture to see...
 

mcnavychief

New Member
Thread author
Verified
Nov 3, 2013
21
Thanks for hanging in there with me.

What is the picture?

It is a Dell Latitude laptop that has the virus.
BIOS Boot setup is:
CD/DVD
USB
Internal HDD
Diskette Drive
Onboard NIC

I also see that Boot List option is set to Legacy. (other option is UEFI)

So I did it all over again.
On another computer I made a new CD.

I put it in the infected laptop and went to boot from CD with the OTLPENet file.
A black screen came up with: "Select Boot Device Failed. Press any key to reboot the system."

Thoughts???
 

mcnavychief

New Member
Thread author
Verified
Nov 3, 2013
21
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-11-03 20:06:21
-----------------------------
20:06:21.199 OS Version: Windows x64 6.1.7601 Service Pack 1
20:06:21.199 Number of processors: 8 586 0x2A07
20:06:21.199 ComputerName: HKZ27R1 UserName:
20:06:21.994 Initialize success
20:06:36.767 AVAST engine download error: 0
20:06:49.185 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:06:49.185 Disk 0 Vendor: ST925031 D005 Size: 238475MB BusType: 8
20:06:49.310 Disk 0 MBR read successfully
20:06:49.310 Disk 0 MBR scan
20:06:49.310 Disk 0 Windows 7 default MBR code
20:06:49.325 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
20:06:49.325 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 10944 MB offset 81920
20:06:49.341 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 227488 MB offset 22495232
20:06:49.372 Disk 0 scanning C:\Windows\system32\drivers
20:07:01.197 Service scanning
20:07:22.164 Modules scanning
20:07:22.164 Disk 0 trace - called modules:
20:07:22.226 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys iaStorV.sys hal.dll
20:07:22.226 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800887f790]
20:07:22.242 3 CLASSPNP.SYS[fffff88001b0343f] -> nt!IofCallDriver -> [0xfffffa8007a779a0]
20:07:22.257 5 stdcfltn.sys[fffff8800168cd12] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007723050]
20:07:22.257 Scan finished successfully
20:07:47.748 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
20:07:47.748 The log file has been saved successfully to "E:\aswMBR.txt"


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-10-2013
Ran by mciccione (administrator) on HKZ27R1 on 03-11-2013 19:57:57
Running from E:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\cmd.exe
(Microsoft Corporation) c:\PROGRA~1\MICROS~1\msseces.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [LogMeIn GUI] - C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [2041192 2013-03-11] ()
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Users\mciccione\AppData\Roaming\Other.res [77824 2013-08-28] () <==== ATTENTION
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [EEventManager] - C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe [1058400 2012-01-26] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] - C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXRCV.exe [502912 2012-02-29] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] - C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXSTM.exe [863360 2012-02-29] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [LTCM Client] - C:\Program Files (x86)\LTCM Client\ltcmClient.exe [2756864 2011-04-07] (Leader Technologies Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-10-19] (Apple Inc.)
HKU\UpdatusUser\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [30720 2010-11-20] (Microsoft Corporation)
HKU\User\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [30720 2010-11-20] (Microsoft Corporation)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll [245872 2013-03-11] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll [201576 2013-03-11] (NVIDIA Corporation)
Startup: C:\Users\mciccione\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpM3Util.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKCU - DefaultScope {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredibar.com/mb128/?search={searchTerms}&loc=IB_DS&a=6OyTOmZLn2&i=26
SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredibar.com/mb128/?search={searchTerms}&loc=IB_DS&a=6OyTOmZLn2&i=26
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-x32: E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\EPSON Software\E-Web Print\ewps_tb.dll (SEIKO EPSON CORPORATION)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: No Name - {DCC39ACE-709B-44EA-B062-5F6BE2774644} - No File
Toolbar: HKLM-x32 - E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\EPSON Software\E-Web Print\ewps_tb.dll (SEIKO EPSON CORPORATION)
Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 68.190.192.35

FireFox:
========
FF ProfilePath: C:\Users\mciccione\AppData\Roaming\Mozilla\Firefox\Profiles\rckbcfep.default
FF user.js: detected! => C:\Users\mciccione\AppData\Roaming\Mozilla\Firefox\Profiles\rckbcfep.default\user.js
FF NewTab: hxxp://mystart.incredibar.com/mb128?a=6OyTOmZLn2&i=26
FF DefaultSearchEngine: MyStart Search
FF SelectedSearchEngine: MyStart Search
FF Homepage: www.msn.com
FF Keyword.URL: hxxp://mystart.incredibar.com/mb128/?loc=IB_DS&a=6OyTOmZLn2&&i=26&search=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_117.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\mciccione\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\mciccione\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\mciccione\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\mciccione\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\mciccione\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\mciccione\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Users\mciccione\AppData\Roaming\Mozilla\Firefox\Profiles\rckbcfep.default\searchplugins\MyStart Search.xml
FF SearchPlugin: C:\Users\mciccione\AppData\Roaming\Mozilla\Firefox\Profiles\rckbcfep.default\searchplugins\SweetIM Search.xml
FF Extension: incredibar.com - C:\Users\mciccione\AppData\Roaming\Mozilla\Firefox\Profiles\rckbcfep.default\Extensions\ffxtlbr@incredibar.com
FF Extension: freehdsport - C:\Users\mciccione\AppData\Roaming\Mozilla\Firefox\Profiles\rckbcfep.default\Extensions\freehdsport@freehdsport.tv.xpi
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [{336D0C35-8A85-403a-B9D2-65C292C39087}] - C:\Program Files\IB Updater\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{336D0C35-8A85-403a-B9D2-65C292C39087}] - C:\Program Files\IB Updater\Firefox
FF HKLM-x32\...\Firefox\Extensions: [e-webprint@epson.com] - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on
FF Extension: E-Web Print - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.79\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\gcswf32.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Talk Plugin) - C:\Users\mciccione\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
CHR Plugin: (Google Talk Plugin Video Accelerator) - C:\Users\mciccione\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Java(TM) Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Extension: (American) - C:\Users\MCICCI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\afgmhojfhpbafccgjblpdddfghgdcbph\1_0
CHR Extension: (https://www.facebook.com/) - C:\Users\MCICCI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\celnaknmndcdcjcagffhbhciignkeokb\2013.10.29.43861_0
CHR Extension: (http://aafes.sndsurvey.com/LogIn.aspx) - C:\Users\MCICCI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coeeojhakblmldfkbcjpklablgbgaebf\2013.9.4.42832_0
CHR Extension: (Skype Click to Call) - C:\Users\MCICCI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.13.0.13771_0
CHR Extension: (https://www.salesnow.com/login.aspx) - C:\Users\MCICCI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfmlddkcihelpfoibdgolcijhicchmbl\2013.8.23.50865_0
CHR Extension: (Google Wallet) - C:\Users\MCICCI~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\IB Updater\source.crx
CHR HKLM-x32\...\Chrome\Extension: [bgnnidmnbdkmhfkjgdnngciimpdgohok] - C:\Program Files (x86)\FirstRowSportApp.com\stv11.crx
CHR HKLM-x32\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\IB Updater\source.crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
S2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2013-10-28] (LogMeIn, Inc.)
S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2013-10-28] (LogMeIn, Inc.)
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-08-12] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-08-12] (Microsoft Corporation)
S2 O2SDIOAssist; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] ()
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE [48128 2011-01-18] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-28] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
S1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [284448 2013-03-11] (NVIDIA Corporation)
S3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [47104 2010-05-25] ()
S3 SWNC5E00; C:\Windows\System32\DRIVERS\SWNC5E00.sys [285696 2010-05-25] (Sierra Wireless Inc.)
S1 dxdzefth; \??\C:\Windows\system32\drivers\dxdzefth.sys [x]
S1 elsyxpol; \??\C:\Windows\system32\drivers\elsyxpol.sys [x]
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

Error(0) reading file: "C:\Windows\system32\ "
2013-11-03 19:57 - 2013-11-03 19:57 - 00000000 ____D C:\FRST
2013-11-03 19:51 - 2013-11-03 19:51 - 00000648 _____ C:\Users\mciccione\Desktop\OTLPENet(1) - Shortcut.lnk
2013-11-03 19:47 - 2013-11-03 19:47 - 00069458 _____ C:\Users\mciccione\Desktop\OTL.Txt
2013-11-03 14:06 - 2013-11-03 14:06 - 74186752 _____ C:\Windows\system32\config\software.bhv
2013-11-03 14:06 - 2013-11-03 14:06 - 22282240 _____ C:\Windows\system32\config\system.bhv
2013-11-03 14:06 - 2013-11-03 14:06 - 00262144 _____ C:\Windows\system32\config\security.bhv
2013-11-03 14:06 - 2013-11-03 14:06 - 00262144 _____ C:\Windows\system32\config\sam.bhv
2013-11-03 14:06 - 2013-11-03 14:06 - 00262144 _____ C:\Windows\system32\config\default.bhv
2013-11-03 13:47 - 2013-11-03 13:47 - 00000000 ____D C:\$Anvi Rescue Disk$
2013-11-01 06:41 - 2013-11-01 06:41 - 00010619 _____ C:\Users\mciccione\Desktop\SDS Mess Halls.xlsx
2013-10-30 06:26 - 2013-10-31 08:10 - 00012033 _____ C:\Users\mciccione\Desktop\EGG Copeative Sheet USF SD NOV 2013.xlsx
2013-10-30 05:11 - 2013-10-31 05:12 - 00000000 ____D C:\Users\mciccione\Desktop\CARGILL SOCAL
2013-10-28 08:01 - 2013-10-31 04:40 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Qucao
2013-10-28 08:01 - 2013-10-30 04:14 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Ecna
2013-10-28 08:01 - 2013-10-28 08:01 - 00122880 _____ C:\Users\mciccione\AppData\Roaming\verison.dll
2013-10-28 08:01 - 2013-10-28 08:01 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Rociif
2013-10-28 08:01 - 2013-10-28 08:01 - 00000000 _____ C:\Users\mciccione\8189166.exe
2013-10-26 08:11 - 2013-10-26 17:35 - 00001465 _____ C:\Users\mciccione\Sti_Trace.log
2013-10-26 08:11 - 2013-10-26 08:12 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Canon
2013-10-26 08:06 - 2013-10-26 08:06 - 00000988 _____ C:\Users\Public\Desktop\CanoScan Toolbox 4.9.lnk
2013-10-26 08:06 - 2013-10-26 08:06 - 00000000 ____D C:\Program Files (x86)\Canon
2013-10-26 08:04 - 2013-10-26 08:04 - 00000000 ___HD C:\CanoScan
2013-10-26 08:04 - 2006-03-24 09:46 - 00331776 _____ (CANON INC.) C:\Windows\system32\CNQL1212.dll
2013-10-26 08:04 - 2006-03-02 09:07 - 00064512 _____ (CANON INC.) C:\Windows\system32\CNQU111.DLL
2013-10-26 07:57 - 2013-10-26 07:57 - 00000000 ____D C:\Users\mciccione\AppData\Local\DriverTuner
2013-10-23 06:08 - 2013-10-23 06:09 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-10-23 06:08 - 2013-10-23 06:09 - 00000000 ____D C:\Program Files\iTunes
2013-10-23 06:08 - 2013-10-23 06:09 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-10-23 06:08 - 2013-10-23 06:08 - 00000000 ____D C:\Program Files\iPod
2013-10-22 16:35 - 2013-10-23 05:17 - 00021045 _____ C:\Users\mciccione\Desktop\DODAAC Ships List OCT 2013.xlsx
2013-10-22 06:09 - 2013-10-22 07:24 - 00000000 ____D C:\Users\mciccione\AppData\Local\CrashDumps
2013-10-22 05:49 - 2013-10-22 10:37 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Xenaebdi
2013-10-22 05:49 - 2013-10-22 10:37 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Okkeynit
2013-10-21 18:59 - 2013-10-22 10:37 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Ulanewa
2013-10-21 18:58 - 2013-10-22 08:57 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Ifyxeku
2013-10-21 18:54 - 2013-10-22 10:37 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Qareecg
2013-10-21 18:53 - 2013-10-22 10:37 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Dyaxwyux
2013-10-21 18:51 - 2013-10-22 10:37 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Ehcymiu
2013-10-21 18:50 - 2013-10-22 08:52 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Iqdyydm
2013-10-21 18:11 - 2013-10-22 14:13 - 00000000 ____D C:\Users\mciccione\AppData\Local\Acro Software Inc
2013-10-16 17:40 - 2013-10-16 18:09 - 00038912 _____ C:\Users\mciccione\Desktop\Beale AFB Opening training order.xls
2013-10-11 08:29 - 2013-10-14 10:14 - 00043520 _____ C:\Users\mciccione\Desktop\WMC at USF San Fran Catalog 07 OCT 2013.xls
2013-10-09 05:00 - 2013-09-22 15:28 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-10-09 05:00 - 2013-09-22 15:28 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-10-09 05:00 - 2013-09-22 15:27 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-10-09 05:00 - 2013-09-22 14:55 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-10-09 05:00 - 2013-09-22 14:55 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-10-09 05:00 - 2013-09-22 14:55 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-10-09 05:00 - 2013-09-22 14:54 - 19252224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 02647552 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-10-09 05:00 - 2013-09-22 14:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-10-09 05:00 - 2013-09-20 19:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-10-09 05:00 - 2013-09-20 19:30 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-10-09 05:00 - 2013-09-20 18:48 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-10-09 05:00 - 2013-09-20 18:39 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-10-09 02:01 - 2013-10-09 02:01 - 00000000 ____D C:\24c7baefad118b12ed54b8ef09
2013-10-08 22:33 - 2013-09-13 17:10 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2013-10-08 22:33 - 2013-09-07 18:30 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-10-08 22:33 - 2013-09-07 18:27 - 00327168 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll
2013-10-08 22:33 - 2013-09-07 18:03 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2013-10-08 22:33 - 2013-08-28 18:17 - 05549504 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-10-08 22:33 - 2013-08-28 18:16 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-10-08 22:33 - 2013-08-28 18:16 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2013-10-08 22:33 - 2013-08-28 18:16 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-10-08 22:33 - 2013-08-28 18:13 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2013-10-08 22:33 - 2013-08-28 17:51 - 03969472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-10-08 22:33 - 2013-08-28 17:51 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-10-08 22:33 - 2013-08-28 17:50 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-10-08 22:33 - 2013-08-28 17:50 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2013-10-08 22:33 - 2013-08-28 17:50 - 00077824 _____ C:\Users\mciccione\AppData\Roaming\Other.res
2013-10-08 22:33 - 2013-08-28 17:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-10-08 22:33 - 2013-08-28 17:48 - 00640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2013-10-08 22:33 - 2013-08-28 16:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-10-08 22:33 - 2013-08-28 16:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-10-08 22:33 - 2013-08-28 16:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-10-08 22:33 - 2013-08-28 16:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-10-08 22:33 - 2013-08-27 17:21 - 03155968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-10-08 22:33 - 2013-08-01 04:09 - 00983488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2013-10-08 22:33 - 2013-07-20 02:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-10-08 22:33 - 2013-07-20 02:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2013-10-08 22:33 - 2013-07-12 02:41 - 00185344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbvideo.sys
2013-10-08 22:33 - 2013-07-12 02:41 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbcir.sys
2013-10-08 22:33 - 2013-07-04 04:57 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll
2013-10-08 22:33 - 2013-07-04 04:50 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2013-10-08 22:33 - 2013-07-04 04:50 - 00102400 _____ (Microsoft Corporation) C:\Windows\system32\davclnt.dll
2013-10-08 22:33 - 2013-07-04 03:57 - 00205824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll
2013-10-08 22:33 - 2013-07-04 03:51 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll
2013-10-08 22:33 - 2013-07-04 03:50 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2013-10-08 22:33 - 2013-07-04 02:11 - 00140800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2013-10-08 22:33 - 2013-07-02 20:40 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbscan.sys
2013-10-08 22:33 - 2013-07-02 20:05 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys
2013-10-08 22:33 - 2013-07-02 20:05 - 00032896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidparse.sys
2013-10-08 22:33 - 2013-06-25 14:55 - 00785624 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2013-10-08 22:33 - 2013-06-05 21:50 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2013-10-08 22:33 - 2013-06-05 21:49 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2013-10-08 22:33 - 2013-06-05 21:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2013-10-08 22:33 - 2013-06-05 21:47 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2013-10-08 22:33 - 2013-06-05 20:57 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2013-10-08 22:33 - 2013-06-05 20:51 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2013-10-08 22:33 - 2013-06-05 20:50 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2013-10-08 22:33 - 2013-06-05 19:30 - 00368128 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2013-10-08 22:33 - 2013-06-05 19:01 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-10-08 22:33 - 2013-06-05 19:01 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2013-10-08 22:29 - 2013-09-04 04:12 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2013-10-08 22:29 - 2013-09-04 04:11 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2013-10-08 22:29 - 2013-09-04 04:11 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2013-10-08 22:29 - 2013-09-04 04:11 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2013-10-08 22:29 - 2013-09-04 04:11 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2013-10-08 22:29 - 2013-09-04 04:11 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2013-10-08 22:29 - 2013-09-04 04:11 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2013-10-08 22:29 - 2013-08-27 17:12 - 00461312 _____ (Microsoft Corporation) C:\Windows\system32\scavengeui.dll
2013-10-07 07:48 - 2013-10-16 20:41 - 00213504 _____ C:\Users\mciccione\Desktop\USF San Fran Catalog 07 OCT 2013.xls
2013-10-04 05:53 - 2013-10-04 05:53 - 00018370 _____ C:\Users\mciccione\Documents\REGIONAL CONTACT LISTING JUN2013.xlsx

==================== One Month Modified Files and Folders =======

2013-11-03 19:57 - 2013-11-03 19:57 - 00000000 ____D C:\FRST
2013-11-03 19:51 - 2013-11-03 19:51 - 00000648 _____ C:\Users\mciccione\Desktop\OTLPENet(1) - Shortcut.lnk
2013-11-03 19:47 - 2013-11-03 19:47 - 00069458 _____ C:\Users\mciccione\Desktop\OTL.Txt
2013-11-03 19:31 - 2009-07-13 21:13 - 00747928 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-03 19:24 - 2012-02-24 07:59 - 01146117 _____ C:\Windows\WindowsUpdate.log
2013-11-03 19:12 - 2009-07-13 20:45 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-03 19:12 - 2009-07-13 20:45 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-03 19:11 - 2012-06-20 17:51 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-11-03 19:08 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-03 19:08 - 2009-07-13 20:51 - 00051888 _____ C:\Windows\setupact.log
2013-11-03 19:07 - 2012-02-24 12:02 - 00000000 ____D C:\ProgramData\NVIDIA
2013-11-03 19:03 - 2012-06-20 17:51 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-11-03 18:19 - 2012-02-27 06:47 - 00000000 ____D C:\Users\administrator
2013-11-03 18:19 - 2012-02-27 06:19 - 00000000 ____D C:\Users\mciccione
2013-11-03 18:19 - 2012-02-24 12:11 - 00000000 ____D C:\Windows\SysWOW64\NV
2013-11-03 18:19 - 2012-02-24 12:11 - 00000000 ____D C:\Windows\system32\NV
2013-11-03 18:19 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-11-03 16:20 - 2012-04-06 15:31 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-03 14:06 - 2013-11-03 14:06 - 74186752 _____ C:\Windows\system32\config\software.bhv
2013-11-03 14:06 - 2013-11-03 14:06 - 22282240 _____ C:\Windows\system32\config\system.bhv
2013-11-03 14:06 - 2013-11-03 14:06 - 00262144 _____ C:\Windows\system32\config\security.bhv
2013-11-03 14:06 - 2013-11-03 14:06 - 00262144 _____ C:\Windows\system32\config\sam.bhv
2013-11-03 14:06 - 2013-11-03 14:06 - 00262144 _____ C:\Windows\system32\config\default.bhv
2013-11-03 13:47 - 2013-11-03 13:47 - 00000000 ____D C:\$Anvi Rescue Disk$
2013-11-03 09:05 - 2012-03-17 14:45 - 00003966 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{767CA9B1-94A7-4D40-A7E3-B9AFB22BACC4}
2013-11-03 07:58 - 2012-03-21 17:42 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1058691569-1557305187-1555467426-1152UA.job
2013-11-03 07:22 - 2012-02-27 08:48 - 00000000 ____D C:\ProgramData\LogMeIn
2013-11-02 06:30 - 2012-02-27 08:43 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Skype
2013-11-02 06:26 - 2012-03-01 13:00 - 00000000 ____D C:\Users\mciccione\Documents\Outlook Files
2013-11-02 06:25 - 2013-02-19 07:31 - 101903715 _____ C:\Users\mciccione\AppData\Local\SN_Outlook2007.log
2013-11-02 05:56 - 2012-03-21 17:42 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1058691569-1557305187-1555467426-1152Core.job
2013-11-01 11:59 - 2012-02-29 14:44 - 00000000 ____D C:\Users\mciccione\Documents\My Discovery Files
2013-11-01 06:41 - 2013-11-01 06:41 - 00010619 _____ C:\Users\mciccione\Desktop\SDS Mess Halls.xlsx
2013-10-31 08:10 - 2013-10-30 06:26 - 00012033 _____ C:\Users\mciccione\Desktop\EGG Copeative Sheet USF SD NOV 2013.xlsx
2013-10-31 05:12 - 2013-10-30 05:11 - 00000000 ____D C:\Users\mciccione\Desktop\CARGILL SOCAL
2013-10-31 04:40 - 2013-10-28 08:01 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Qucao
2013-10-30 08:16 - 2012-07-25 10:47 - 00000000 ____D C:\Users\mciccione\Desktop\NAPA NSN LSN
2013-10-30 05:36 - 2012-03-12 14:41 - 00000000 ____D C:\Users\mciccione\AppData\Local\CutePDF Writer
2013-10-30 04:14 - 2013-10-28 08:01 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Ecna
2013-10-29 14:05 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2013-10-28 15:38 - 2012-07-08 11:48 - 00000000 ____D C:\Windows\System32\Tasks\Games
2013-10-28 15:38 - 2012-02-27 06:19 - 00000000 ___RD C:\Users\mciccione\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-10-28 13:19 - 2012-03-01 17:02 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Apple Computer
2013-10-28 13:19 - 2012-03-01 17:00 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-10-28 13:05 - 2013-09-27 16:45 - 00000000 ____D C:\Users\mciccione\AppData\Local\9BF90948-A34F-40B9-88B0-29D87E2DA71D.aplzod
2013-10-28 10:42 - 2012-02-24 12:10 - 00042354 _____ C:\Windows\PFRO.log
2013-10-28 08:43 - 2012-02-27 08:47 - 00000000 ____D C:\Program Files (x86)\LogMeIn
2013-10-28 08:42 - 2012-02-27 08:48 - 00107368 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIRfsClientNP.dll
2013-10-28 08:42 - 2012-02-27 08:48 - 00092488 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIinit.dll
2013-10-28 08:42 - 2012-02-27 08:48 - 00035656 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIport.dll
2013-10-28 08:01 - 2013-10-28 08:01 - 00122880 _____ C:\Users\mciccione\AppData\Roaming\verison.dll
2013-10-28 08:01 - 2013-10-28 08:01 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Rociif
2013-10-28 08:01 - 2013-10-28 08:01 - 00000000 _____ C:\Users\mciccione\8189166.exe
2013-10-28 08:01 - 2012-03-21 17:42 - 00000000 ____D C:\Users\mciccione\AppData\Local\Google
2013-10-26 20:53 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system32\NDF
2013-10-26 17:35 - 2013-10-26 08:11 - 00001465 _____ C:\Users\mciccione\Sti_Trace.log
2013-10-26 08:12 - 2013-10-26 08:11 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Canon
2013-10-26 08:06 - 2013-10-26 08:06 - 00000988 _____ C:\Users\Public\Desktop\CanoScan Toolbox 4.9.lnk
2013-10-26 08:06 - 2013-10-26 08:06 - 00000000 ____D C:\Program Files (x86)\Canon
2013-10-26 08:06 - 2012-02-24 11:55 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-10-26 08:04 - 2013-10-26 08:04 - 00000000 ___HD C:\CanoScan
2013-10-26 07:57 - 2013-10-26 07:57 - 00000000 ____D C:\Users\mciccione\AppData\Local\DriverTuner
2013-10-24 04:58 - 2012-08-24 11:57 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Mozilla
2013-10-23 06:09 - 2013-10-23 06:08 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-10-23 06:09 - 2013-10-23 06:08 - 00000000 ____D C:\Program Files\iTunes
2013-10-23 06:09 - 2013-10-23 06:08 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-10-23 06:08 - 2013-10-23 06:08 - 00000000 ____D C:\Program Files\iPod
2013-10-23 05:17 - 2013-10-22 16:35 - 00021045 _____ C:\Users\mciccione\Desktop\DODAAC Ships List OCT 2013.xlsx
2013-10-22 14:18 - 2013-02-27 08:06 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-10-22 14:14 - 2013-02-20 09:36 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Epson
2013-10-22 14:14 - 2012-11-10 13:45 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FirstRowSportApp.com
2013-10-22 14:14 - 2012-03-06 09:14 - 00000000 ____D C:\Users\User\Desktop\EDI
2013-10-22 14:14 - 2012-02-27 06:19 - 00000000 ___RD C:\Users\mciccione\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-10-22 14:14 - 2012-02-27 06:19 - 00000000 ___RD C:\Users\mciccione\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-10-22 14:14 - 2012-02-27 06:19 - 00000000 ___RD C:\Users\mciccione\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-10-22 14:14 - 2012-02-24 05:04 - 00000000 ___RD C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-10-22 14:14 - 2012-02-24 05:04 - 00000000 ___RD C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-10-22 14:14 - 2012-02-24 05:04 - 00000000 ___RD C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-10-22 14:14 - 2012-02-24 05:04 - 00000000 ___RD C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-10-22 14:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-10-22 14:13 - 2013-10-21 18:11 - 00000000 ____D C:\Users\mciccione\AppData\Local\Acro Software Inc
2013-10-22 14:13 - 2013-10-02 21:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-22 14:13 - 2013-09-16 15:45 - 00000000 ____D C:\Users\mciccione\AppData\Local\Citrix
2013-10-22 14:13 - 2013-03-13 11:29 - 00000000 ____D C:\Users\mciccione\ADMX
2013-10-22 14:13 - 2013-03-13 11:29 - 00000000 ____D C:\Users\mciccione\Admin
2013-10-22 14:13 - 2012-05-21 12:40 - 00000000 ____D C:\Users\mciccione\AppData\Local\join.me
2013-10-22 14:13 - 2012-02-27 08:43 - 00000000 ____D C:\ProgramData\Skype
2013-10-22 14:13 - 2012-02-27 07:46 - 00000000 ____D C:\Users\mciccione\AppData\Local\Microsoft Help
2013-10-22 14:13 - 2012-02-27 07:46 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-22 14:12 - 2012-02-24 11:59 - 00000000 ____D C:\Users\User\AppData\Local\Dell
2013-10-22 14:12 - 2009-07-13 23:45 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-10-22 14:11 - 2012-04-23 11:23 - 00000000 ____D C:\Users\mciccione\Documents\Fax
2013-10-22 14:11 - 2012-03-26 19:06 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Avery
2013-10-22 14:11 - 2012-02-29 14:34 - 00000000 ____D C:\Users\mciccione\Desktop\WORKING FOLDER MASTER
2013-10-22 14:11 - 2012-02-27 08:54 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Adobe
2013-10-22 14:11 - 2012-02-27 06:19 - 00000000 ____D C:\Users\mciccione\AppData\Local\VirtualStore
2013-10-22 14:10 - 2012-08-29 06:17 - 00000000 ____D C:\Users\mciccione\AppData\Local\Mozilla
2013-10-22 14:08 - 2012-02-27 08:46 - 00000000 ____D C:\Users\mciccione\AppData\Local\Apps\2.0
2013-10-22 10:37 - 2013-10-22 05:49 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Xenaebdi
2013-10-22 10:37 - 2013-10-22 05:49 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Okkeynit
2013-10-22 10:37 - 2013-10-21 18:59 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Ulanewa
2013-10-22 10:37 - 2013-10-21 18:54 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Qareecg
2013-10-22 10:37 - 2013-10-21 18:53 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Dyaxwyux
2013-10-22 10:37 - 2013-10-21 18:51 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Ehcymiu
2013-10-22 08:57 - 2013-10-21 18:58 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Ifyxeku
2013-10-22 08:52 - 2013-10-21 18:50 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Iqdyydm
2013-10-22 07:24 - 2013-10-22 06:09 - 00000000 ____D C:\Users\mciccione\AppData\Local\CrashDumps
2013-10-21 18:45 - 2013-02-26 05:55 - 00000000 ____D C:\Users\mciccione\AppData\Roaming\Leader Technologies
2013-10-16 20:41 - 2013-10-07 07:48 - 00213504 _____ C:\Users\mciccione\Desktop\USF San Fran Catalog 07 OCT 2013.xls
2013-10-16 18:09 - 2013-10-16 17:40 - 00038912 _____ C:\Users\mciccione\Desktop\Beale AFB Opening training order.xls
2013-10-15 04:53 - 2012-03-21 17:42 - 00003902 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1058691569-1557305187-1555467426-1152UA
2013-10-15 04:53 - 2012-03-21 17:42 - 00003506 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1058691569-1557305187-1555467426-1152Core
2013-10-14 10:14 - 2013-10-11 08:29 - 00043520 _____ C:\Users\mciccione\Desktop\WMC at USF San Fran Catalog 07 OCT 2013.xls
2013-10-11 06:37 - 2013-09-01 16:50 - 00000000 ____D C:\Users\mciccione\Desktop\NEW GOALS
2013-10-11 06:15 - 2013-08-08 20:25 - 00000000 ____D C:\Users\mciccione\Desktop\Hawaii SEPT 2013
2013-10-11 05:58 - 2013-07-02 04:58 - 00000000 ____D C:\Users\mciccione\Desktop\RICHARD Working
2013-10-11 02:01 - 2012-02-27 07:06 - 00001945 _____ C:\Windows\epplauncher.mif
2013-10-11 02:00 - 2013-07-29 07:06 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-10-11 02:00 - 2013-07-29 07:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-10-09 14:56 - 2012-06-20 17:51 - 00003900 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-09 14:56 - 2012-06-20 17:51 - 00003648 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-09 12:28 - 2009-07-13 20:45 - 00300040 _____ C:\Windows\system32\FNTCACHE.DAT
2013-10-09 12:27 - 2012-09-22 12:40 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-09 12:27 - 2012-09-22 12:40 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-09 11:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-10-09 10:08 - 2013-02-20 09:34 - 00000000 ____D C:\Program Files (x86)\EPSON Software
2013-10-09 09:29 - 2012-02-29 17:07 - 00000000 ____D C:\Users\mciccione\Documents\My Scans
2013-10-09 04:53 - 2013-07-15 17:15 - 00000000 ____D C:\Windows\system32\MRT
2013-10-09 04:51 - 2012-02-27 07:44 - 80541720 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-10-09 02:01 - 2013-10-09 02:01 - 00000000 ____D C:\24c7baefad118b12ed54b8ef09
2013-10-08 15:20 - 2012-04-06 15:31 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-08 15:20 - 2012-04-06 15:30 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-08 15:20 - 2012-02-27 08:53 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-04 05:53 - 2013-10-04 05:53 - 00018370 _____ C:\Users\mciccione\Documents\REGIONAL CONTACT LISTING JUN2013.xlsx

ZeroAccess:
C:\Windows\Installer\{509ff5ec-1cf1-d1f1-3803-794194987c49}

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1058691569-1557305187-1555467426-1152\$509ff5ec1cf1d1f13803794194987c49

Files to move or delete:
====================
ZeroAccess:
C:\Users\mciccione\AppData\Local\Google\Desktop\Install
C:\Users\mciccione\8189166.exe


Some content of TEMP:
====================
C:\Users\mciccione\AppData\Local\Temp\b34btbztdb0vavaw.exe
C:\Users\mciccione\AppData\Local\Temp\BrokerMediumIntegrity.exe
C:\Users\mciccione\AppData\Local\Temp\converter.exe
C:\Users\mciccione\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\mciccione\AppData\Local\Temp\GenericUninstall.exe
C:\Users\mciccione\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\mciccione\AppData\Local\Temp\Setup.exe
C:\Users\mciccione\AppData\Local\Temp\SkypeSetup.exe
C:\Users\mciccione\AppData\Local\Temp\uninstaller.exe
C:\Users\mciccione\AppData\Local\Temp\US_en_Avery_AW40.exe
C:\Users\mciccione\AppData\Local\Temp\vVpDlfy.exe
C:\Users\mciccione\AppData\Local\Temp\vVpDlfy0.exe
C:\Users\mciccione\AppData\Local\Temp\WSSetup.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-10-31 09:16

==================== End Of Log ============================

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Download the attached fixlist.txt to the same location as FRST (otherwise the fix won't work).

Open FRST and click Fix. Attach that report for me after FRST finishes...

Then try to boot Windows normally...

Attachments

  • fixlist.txt
    3.2 KB · Views: 88

mcnavychief

New Member
Thread author
Verified
Nov 3, 2013
21
Thanks again so much...
So, I want to be clear on how I got the files you asked for.
It was not via a boot USB; that was not working for me.

I was able to get into my computer when I opened it with Safe Mode with Prompts.
I typed "Explorer" in the prompt and it opened in safe mode, where I could open the USB from the Start tab.
I loaded the files onto the USB on another computer, opened it on the infected computer and did the check.
So that's how I got the files.
Now, am I to do similar?
The fixlist.txt you sent me and the FRST file are on my USB drive. When I open FRST and press Fix it says:
No fixlist.txt found.
The fixlist.txt should be made and saved in the same directory the tool is located.
Am I supposed to add it into FRST somehow?
I have a screenshot I saved to a Word doc. For some reason I do not see how to send an attachment or add it to this thread.

mcnavychief

New Member
Thread author
Verified
Nov 3, 2013
21
YOU ARE THE MAN!!!!
So much thanks...

Attached is the fixlog for your review.

A couple of things.
There are several things that look different now in the Task Bar, Start Menu, etc...

Is there anything else I should do to ensure all is operating correctly?
I assume I will need to do a scan.

mcnavychief

New Member
Thread author
Verified
Nov 3, 2013
21
Attached is the new FRST.
FYI,
When I right-click to make a new (desktop) folder it shows "empty".
My startup items are gone (empty), and when I right-click on a program and choose "pin to start menu", nothing happens. The "run" command in the Start menu is also gone.
When checking the check box in customize start menu, nothing happens either; actually the tick in the box just disappears again.