NSA MoneyPack Virus: Kaspersky Will Not Work
<blockquote data-quote="scotty" data-source="post: 135780" data-attributes="member: 12798"><p>Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-09-2013 03</p><p>Ran by SYSTEM on REATOGO on 16-09-2013 19:39:43</p><p>Running from G:\</p><p>Microsoft Windows XP (X86) OS Language: English(US)</p><p>Internet Explorer Version 8</p><p>Boot Mode: Recovery</p><p></p><p>The current controlset is ControlSet001</p><p><strong>ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.</strong></p><p></p><p>==================== Registry (Whitelisted) ==================</p><p></p><p>HKLM\...\Run: [igfxhkcmd] - C:\WINDOWS\system32\hkcmd.exe [ ] ()</p><p>HKLM\...\Run: [igfxpers] - C:\WINDOWS\system32\igfxpers.exe [118784 2006-03-23] (Intel Corporation)</p><p>HKLM\...\Run: [CTSVolFE] - C:\Program Files\Creative\Mixer\CTSVolFE.exe [57344 2005-02-23] (Creative Technology Ltd)</p><p>HKLM\...\Run: [IDTSysTrayApp] - C:\Windows\sttray.exe [405504 2007-09-05] (IDT, Inc.)</p><p>HKLM\...\Run: [PCMService] - C:\Program Files\Dell\Media Experience\PCMService.exe [290816 2004-04-11] (CyberLink Corp.)</p><p>HKLM\...\Run: [RoxWatchTray] - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe [244208 2008-05-14] (Sonic Solutions)</p><p>HKLM\...\Run: [VSOCheckTask] - "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask</p><p>HKLM\...\Run: [LXCICATS] - rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16</p><p>HKLM\...\Run: [lxcimon.exe] - C:\Program Files\Lexmark 7300 Series\lxcimon.exe [205744 2007-02-01] (Lexmark International, Inc.)</p><p>HKLM\...\Run: [EzPrint] - C:\Program Files\Lexmark 7300 Series\ezprint.exe [103344 2007-02-01] (Lexmark International Inc.)</p><p>HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2010-11-29] (Apple Inc.)</p><p>HKLM\...\Run: [mcui_exe] - "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey</p><p>HKLM\...\Run: 
[Nike+ Connect] - C:\Program Files\Nike\Nike+ Connect\Nike+ Connect daemon.exe [299008 2010-10-01] (Nike)</p><p>HKLM\...\Run: [TuneClone] - C:\Program Files\TuneClone\TuneClone.exe [4550656 2012-02-24] (TuneClone.COM)</p><p>HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-06-20] ()</p><p>HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)</p><p>HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421776 2012-09-10] (Apple Inc.)</p><p>HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k</p><p>HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)</p><p>HKLM\...\Policies\Explorer: [NoCDBurning] 0</p><p>HKU\Administrator\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2007-03-15] (Gteko Ltd.)</p><p>HKU\Caroline\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2007-03-15] (Gteko Ltd.)</p><p>HKU\Caroline\...\Run: [ISUSPM] - C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [ 2007-08-30] (Macrovision Corporation)</p><p>HKU\Caroline\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [ 2010-11-29] (Apple Inc.)</p><p>HKU\Default User\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2007-03-15] (Gteko Ltd.)</p><p>HKU\Guest\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [ 2010-11-29] (Apple Inc.)</p><p>HKU\Scott & Shannon\...\Run: [SpybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [ 2009-03-05] (Safer-Networking Ltd.)</p><p>HKU\Scott & Shannon\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation)</p><p>HKU\Scott & Shannon\...\Run: [Skype] - "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun</p><p>HKU\Scott & Shannon\...\Run: [Google Update] - 
[x]</p><p>HKU\Shannon & Scott\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-13] (Microsoft Corporation)</p><p>Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk</p><p>ShortcutTarget: Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)</p><p>Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk</p><p>ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)</p><p>Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk</p><p>ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)</p><p>Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk</p><p>ShortcutTarget: NkbMonitor.exe.lnk -> C:\Program Files\Nikon\PictureProject\NkbMonitor.exe (Nikon Corporation)</p><p>Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WDDMStatus.lnk</p><p>ShortcutTarget: WDDMStatus.lnk -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)</p><p>Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WDSmartWare.lnk</p><p>ShortcutTarget: WDSmartWare.lnk -> C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)</p><p>Startup: C:\Documents and Settings\Scott & Shannon\Start Menu\Programs\Startup\bbnh8zq4.lnk</p><p>ShortcutTarget: bbnh8zq4.lnk -> C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\4qz8hnbb.plz ()</p><p></p><p>========================== Services (Whitelisted) =================</p><p></p><p>S2 lxci_device; C:\WINDOWS\system32\lxcicoms.exe [537520 2007-02-02] ( )</p><p>S2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [88176 2011-02-16] (McAfee, Inc.)</p><p>S2 McMPFSvc; C:\Program 
Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [271480 2010-03-10] (McAfee, Inc.)</p><p>S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [271480 2010-03-10] (McAfee, Inc.)</p><p>S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [271480 2010-03-10] (McAfee, Inc.)</p><p>S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [271480 2010-03-10] (McAfee, Inc.)</p><p>S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [364216 2010-10-07] (McAfee, Inc.)</p><p>S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [271480 2010-03-10] (McAfee, Inc.)</p><p>S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [171168 2010-10-14] (McAfee, Inc.)</p><p>S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [188136 2010-10-14] (McAfee, Inc.)</p><p>S2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [141792 2010-10-14] (McAfee, Inc.)</p><p>S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-06-20] ()</p><p>S2 RoxLiveShare10; C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [309744 2008-05-14] (Sonic Solutions)</p><p>S2 WDDMService; C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [98304 2009-10-14] (WDC)</p><p>S2 WDSmartWareBackgroundService; C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [20480 2009-06-16] (Memeo)</p><p>S2 winmgmt; C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\4qz8hnbb.plz [97792 2013-09-15] ()</p><p>S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"</p><p>S2 SessionLauncher; </p><p>S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{e3cec3e3-20bb-a330-872e-791214cf1545}\ \ \???\{e3cec3e3-20bb-a330-872e-791214cf1545}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)</p><p></p><p>==================== Drivers (Whitelisted) 
====================</p><p></p><p>S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [55840 2010-10-14] (McAfee, Inc.)</p><p>S3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1166972 2006-03-23] (Intel Corporation)</p><p>S3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [25112 2010-07-29] (Initio Corporation)</p><p>S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [95600 2010-10-14] (McAfee, Inc.)</p><p>S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [152960 2010-10-14] (McAfee, Inc.)</p><p>S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [52104 2010-10-14] (McAfee, Inc.)</p><p>S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [313288 2010-10-14] (McAfee, Inc.)</p><p>S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [386840 2010-10-14] (McAfee, Inc.)</p><p>S3 mfendisk; C:\Windows\System32\DRIVERS\mfendisk.sys [88544 2010-10-14] (McAfee, Inc.)</p><p>S3 mfendiskmp; C:\Windows\System32\DRIVERS\mfendisk.sys [88544 2010-10-14] (McAfee, Inc.)</p><p>S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [84264 2010-10-14] (McAfee, Inc.)</p><p>S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [34248 2009-09-16] (McAfee, Inc.)</p><p>S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [40552 2010-02-17] (McAfee, Inc.)</p><p>S1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [84072 2010-10-14] (McAfee, Inc.)</p><p>S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)</p><p>S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)</p><p>S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1022040 2005-08-17] (SigmaTel, Inc.)</p><p>S0 tclondrv; C:\Windows\System32\DRIVERS\tclondrv.sys [28776 2012-02-24] (TuneClone Software)</p><p>S3 bvrp_pci; No ImagePath</p><p>S4 IntelIde; No ImagePath</p><p>S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)</p><p>S0 TfFsMon; system32\drivers\TfFsMon.sys [x]</p><p>S3 TfNetMon; 
\??\C:\WINDOWS\system32\drivers\TfNetMon.sys [x]</p><p>S0 TfSysMon; system32\drivers\TfSysMon.sys [x]</p><p></p><p>==================== NetSvcs (Whitelisted) ===================</p><p></p><p></p><p>==================== One Month Created Files and Folders ========</p><p></p><p>2013-09-16 19:39 - 2013-09-16 19:39 - 00000000 ____D C:\FRST</p><p>2013-09-15 16:27 - 2013-09-15 16:27 - 00016181 ____T C:\Documents and Settings\All Users.WINDOWS\Application Data\evr.exe</p><p>2013-09-15 15:50 - 2013-09-16 18:57 - 00000000 _____ C:\Documents and Settings\All Users.WINDOWS\Application Data\bbnh8zq4.ctrl</p><p>2013-09-15 15:49 - 2013-09-16 18:57 - 95025368 ____T C:\Documents and Settings\All Users.WINDOWS\Application Data\bbnh8zq4.pff</p><p>2013-09-15 15:49 - 2013-09-15 15:49 - 00097792 _____ C:\Documents and Settings\All Users.WINDOWS\Application Data\4qz8hnbb.plz</p><p>2013-09-15 13:43 - 2013-09-15 13:43 - 00005120 ___SH C:\Documents and Settings\Scott & Shannon\My Documents\Thumbs.db</p><p>2013-09-11 21:10 - 2013-09-11 21:34 - 00083456 _____ C:\Documents and Settings\Scott & Shannon\My Documents\Emma Poster.pub</p><p>2013-09-11 04:23 - 2013-09-11 04:25 - 00026489 _____ C:\Windows\KB2870699-IE8.log</p><p>2013-09-11 04:19 - 2013-09-11 04:19 - 00000000 __HDC C:\Windows\$NtUninstallKB2876315$</p><p>2013-09-11 04:19 - 2013-09-11 04:19 - 00000000 __HDC C:\Windows\$NtUninstallKB2876217$</p><p>2013-09-11 04:19 - 2013-09-11 04:19 - 00000000 __HDC C:\Windows\$NtUninstallKB2864063$</p><p>2013-09-11 03:40 - 2013-09-11 04:20 - 00036800 _____ C:\Windows\KB2876315.log</p><p>2013-09-11 03:40 - 2013-09-11 04:19 - 00035823 _____ C:\Windows\KB2876217.log</p><p>2013-09-11 03:39 - 2013-09-11 04:19 - 00035918 _____ C:\Windows\KB2864063.log</p><p>2013-08-28 21:43 - 2013-08-28 21:43 - 00000000 ____D C:\Documents and Settings\Scott & Shannon\My Documents\My Karaoke</p><p>2013-08-28 04:00 - 2013-08-28 04:00 - 00005480 _____ C:\Windows\KB2834904-v2.log</p><p>2013-08-28 04:00 - 2013-08-28 04:00 - 
00000000 __HDC C:\Windows\$NtUninstallKB2834904-v2_WM11$</p><p>2013-08-25 21:24 - 2013-08-25 21:24 - 00000000 _____ C:\Documents and Settings\Scott & Shannon\My Documents\Emma's Homework.txt</p><p></p><p>==================== One Month Modified Files and Folders =======</p><p></p><p>2013-09-16 19:39 - 2013-09-16 19:39 - 00000000 ____D C:\FRST</p><p>2013-09-16 18:57 - 2013-09-15 15:50 - 00000000 _____ C:\Documents and Settings\All Users.WINDOWS\Application Data\bbnh8zq4.ctrl</p><p>2013-09-16 18:57 - 2013-09-15 15:49 - 95025368 ____T C:\Documents and Settings\All Users.WINDOWS\Application Data\bbnh8zq4.pff</p><p>2013-09-16 18:57 - 2009-10-18 15:48 - 00000049 _____ C:\Windows\wiaservc.log</p><p>2013-09-16 08:32 - 2009-10-18 15:48 - 00000159 _____ C:\Windows\wiadebug.log</p><p>2013-09-16 03:27 - 2013-06-15 08:50 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0</p><p>2013-09-15 22:14 - 2009-10-18 23:53 - 02083479 _____ C:\Windows\WindowsUpdate.log</p><p>2013-09-15 22:14 - 2009-10-18 21:17 - 00000178 ___SH C:\Documents and Settings\Scott & Shannon\ntuser.ini</p><p>2013-09-15 20:32 - 2009-10-18 21:17 - 00031944 _____ C:\Windows\SchedLgU.Txt</p><p>2013-09-15 16:27 - 2013-09-15 16:27 - 00016181 ____T C:\Documents and Settings\All Users.WINDOWS\Application Data\evr.exe</p><p>2013-09-15 15:49 - 2013-09-15 15:49 - 00097792 _____ C:\Documents and Settings\All Users.WINDOWS\Application Data\4qz8hnbb.plz</p><p>2013-09-15 15:49 - 2011-12-09 23:37 - 00000000 ____D C:\Documents and Settings\Scott & Shannon\Local Settings\Application Data\Google</p><p>2013-09-15 15:49 - 2007-04-22 23:39 - 00000000 ____D C:\Program Files\Google</p><p>2013-09-15 15:09 - 2007-06-16 22:53 - 00000000 ____D C:\Program Files\Respondus LockDown Browser</p><p>2013-09-15 14:22 - 2007-11-11 16:20 - 00000000 ____D C:\Program Files\Lx_cats</p><p>2013-09-15 13:43 - 2013-09-15 13:43 - 00005120 ___SH C:\Documents and Settings\Scott & Shannon\My Documents\Thumbs.db</p><p>2013-09-14 04:04 - 2010-01-11 19:52 - 00000000 
____D C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help</p><p>2013-09-14 00:33 - 2013-02-17 15:47 - 00081211 _____ C:\Windows\System32\KT_CMS.dmp</p><p>2013-09-13 23:56 - 2012-10-21 21:17 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe</p><p>2013-09-13 23:56 - 2012-10-21 21:17 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl</p><p>2013-09-11 21:34 - 2013-09-11 21:10 - 00083456 _____ C:\Documents and Settings\Scott & Shannon\My Documents\Emma Poster.pub</p><p>2013-09-11 04:41 - 2009-10-18 15:44 - 00324320 _____ C:\Windows\System32\FNTCACHE.DAT</p><p>2013-09-11 04:25 - 2013-09-11 04:23 - 00026489 _____ C:\Windows\KB2870699-IE8.log</p><p>2013-09-11 04:25 - 2011-04-01 21:24 - 00479279 _____ C:\Windows\setupapi.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 03077739 _____ C:\Windows\FaxSetup.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 01495661 _____ C:\Windows\ocgen.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 01180777 _____ C:\Windows\tsoc.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 00855011 _____ C:\Windows\comsetup.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 00519452 _____ C:\Windows\ntdtcsetup.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 00487599 _____ C:\Windows\iis6.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 00154405 _____ C:\Windows\msgsocm.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 00133550 _____ C:\Windows\ocmsn.log</p><p>2013-09-11 04:25 - 2009-10-18 15:45 - 00001374 _____ C:\Windows\imsins.log</p><p>2013-09-11 04:24 - 2009-10-19 08:47 - 00331569 _____ C:\Windows\updspapi.log</p><p>2013-09-11 04:23 - 2009-06-16 08:24 - 00000000 ____D C:\Windows\ie8updates</p><p>2013-09-11 04:20 - 2013-09-11 03:40 - 00036800 _____ C:\Windows\KB2876315.log</p><p>2013-09-11 04:20 - 2009-10-18 15:45 - 00001374 _____ C:\Windows\imsins.BAK</p><p>2013-09-11 04:19 - 2013-09-11 04:19 - 00000000 __HDC C:\Windows\$NtUninstallKB2876315$</p><p>2013-09-11 04:19 
- 2013-09-11 04:19 - 00000000 __HDC C:\Windows\$NtUninstallKB2876217$</p><p>2013-09-11 04:19 - 2013-09-11 04:19 - 00000000 __HDC C:\Windows\$NtUninstallKB2864063$</p><p>2013-09-11 04:19 - 2013-09-11 03:40 - 00035823 _____ C:\Windows\KB2876217.log</p><p>2013-09-11 04:19 - 2013-09-11 03:39 - 00035918 _____ C:\Windows\KB2864063.log</p><p>2013-09-11 04:02 - 2013-08-15 04:36 - 00000000 ____D C:\Windows\System32\MRT</p><p>2013-09-11 04:01 - 2009-10-19 08:54 - 76725432 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe</p><p>2013-09-03 23:14 - 2011-04-02 10:03 - 00001945 _____ C:\Windows\epplauncher.mif</p><p>2013-09-03 21:33 - 2011-04-02 09:45 - 00000000 ____D C:\Program Files\Microsoft Security Client</p><p>2013-08-28 21:43 - 2013-08-28 21:43 - 00000000 ____D C:\Documents and Settings\Scott & Shannon\My Documents\My Karaoke</p><p>2013-08-28 04:00 - 2013-08-28 04:00 - 00005480 _____ C:\Windows\KB2834904-v2.log</p><p>2013-08-28 04:00 - 2013-08-28 04:00 - 00000000 __HDC C:\Windows\$NtUninstallKB2834904-v2_WM11$</p><p>2013-08-25 21:24 - 2013-08-25 21:24 - 00000000 _____ C:\Documents and Settings\Scott & Shannon\My Documents\Emma's Homework.txt</p><p></p><p>ZeroAccess:</p><p>C:\Windows\assembly\GAC\Desktop.ini</p><p></p><p>Files to move or delete:</p><p>====================</p><p>ZeroAccess:</p><p>C:\Documents and Settings\Scott & Shannon\Local Settings\Application Data\Google\Desktop\Install</p><p>ZeroAccess:</p><p>C:\Program Files\Google\Desktop\Install</p><p></p><p></p><p>Some content of TEMP:</p><p>====================</p><p>C:\Documents and Settings\Scott & Shannon\Local Settings\Temp\21374812193529.exe</p><p>C:\Documents and Settings\Scott & Shannon\Local Settings\Temp\pgvcpssdcdyerejdxws.bfg</p><p>C:\Documents and Settings\Scott and Shannon\Local Settings\Temp\d.exe</p><p></p><p></p><p>==================== Known DLLs (Whitelisted) ============</p><p></p><p></p><p>==================== Bamital & volsnap Check =================</p><p></p><p>C:\Windows\explorer.exe 
=> MD5 is legit</p><p>C:\Windows\System32\winlogon.exe => MD5 is legit</p><p>C:\Windows\System32\svchost.exe => MD5 is legit</p><p>C:\Windows\System32\services.exe => MD5 is legit</p><p>C:\Windows\System32\User32.dll => MD5 is legit</p><p>C:\Windows\System32\userinit.exe => MD5 is legit</p><p>C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit</p><p>C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client</p><p></p><p>==================== EXE ASSOCIATION =====================</p><p></p><p>HKLM\...\.exe: exefile => OK</p><p>HKLM\...\exefile\DefaultIcon: %1 => OK</p><p>HKLM\...\exefile\open\command: "%1" %* => OK</p><p></p><p>==================== Restore Points (XP) =====================</p><p></p><p>RP: -> 2013-09-15 04:54 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1134 </p><p></p><p>RP: -> 2013-09-14 04:53 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1133 </p><p></p><p>RP: -> 2013-09-14 04:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1132 </p><p></p><p>RP: -> 2013-09-13 04:54 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1131 </p><p></p><p>RP: -> 2013-09-13 04:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1130 </p><p></p><p>RP: -> 2013-09-12 04:54 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1129 </p><p></p><p>RP: -> 2013-09-12 04:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1128 </p><p></p><p>RP: -> 2013-09-11 04:01 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1127 </p><p></p><p>RP: -> 2013-09-10 21:47 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1126 </p><p></p><p>RP: -> 2013-09-10 02:10 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1125 </p><p></p><p>RP: -> 2013-09-09 21:44 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1124 </p><p></p><p>RP: -> 2013-09-08 21:44 - 020480 
_restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1123 </p><p></p><p>RP: -> 2013-09-07 21:44 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1122 </p><p></p><p>RP: -> 2013-09-06 21:44 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1121 </p><p></p><p>RP: -> 2013-09-05 21:43 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1120 </p><p></p><p>RP: -> 2013-09-04 21:45 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1119 </p><p></p><p>RP: -> 2013-09-04 08:57 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1118 </p><p></p><p>RP: -> 2013-09-03 08:32 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1117 </p><p></p><p>RP: -> 2013-09-03 05:13 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1116 </p><p></p><p>RP: -> 2013-09-03 02:06 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1115 </p><p></p><p>RP: -> 2013-09-02 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1114 </p><p></p><p>RP: -> 2013-09-01 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1113 </p><p></p><p>RP: -> 2013-08-31 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1112 </p><p></p><p>RP: -> 2013-08-30 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1111 </p><p></p><p>RP: -> 2013-08-29 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1110 </p><p></p><p>RP: -> 2013-08-28 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1109 </p><p></p><p>RP: -> 2013-08-28 04:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1108 </p><p></p><p>RP: -> 2013-08-27 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1107 </p><p></p><p>RP: -> 2013-08-27 02:06 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1106 </p><p></p><p>RP: -> 2013-08-26 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1105 </p><p></p><p>RP: -> 2013-08-25 05:17 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1104 </p><p></p><p>RP: -> 
2013-08-24 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1103 </p><p></p><p>RP: -> 2013-08-23 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1102 </p><p></p><p>RP: -> 2013-08-22 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1101 </p><p></p><p>RP: -> 2013-08-21 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1100 </p><p></p><p>RP: -> 2013-08-20 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1099 </p><p></p><p>RP: -> 2013-08-20 02:05 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1098 </p><p></p><p>RP: -> 2013-08-19 05:13 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1097 </p><p></p><p>RP: -> 2013-08-18 20:20 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1096 </p><p></p><p>RP: -> 2013-08-18 05:15 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1095 </p><p></p><p>RP: -> 2013-08-17 05:14 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1094 </p><p></p><p>RP: -> 2013-08-16 05:15 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1093 </p><p></p><p>RP: -> 2013-08-16 04:08 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1092 </p><p></p><p>RP: -> 2013-08-15 04:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1091 </p><p></p><p>RP: -> 2013-08-14 09:01 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1090 </p><p></p><p>RP: -> 2013-08-13 08:59 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1089 </p><p></p><p>RP: -> 2013-08-13 01:54 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1088 </p><p></p><p>RP: -> 2013-08-12 09:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1087 </p><p></p><p>RP: -> 2013-08-11 09:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1086 </p><p></p><p>RP: -> 2013-08-10 09:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1085 </p><p></p><p>RP: -> 2013-08-09 22:56 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1084 
</p><p></p><p>RP: -> 2013-08-08 22:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1083 </p><p></p><p>RP: -> 2013-08-07 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1082 </p><p></p><p>RP: -> 2013-08-06 22:27 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1081 </p><p></p><p>RP: -> 2013-08-06 01:57 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1080 </p><p></p><p>RP: -> 2013-08-05 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1079 </p><p></p><p>RP: -> 2013-08-04 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1078 </p><p></p><p>RP: -> 2013-08-03 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1077 </p><p></p><p>RP: -> 2013-08-02 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1076 </p><p></p><p>RP: -> 2013-08-01 22:23 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1075 </p><p></p><p>RP: -> 2013-07-31 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1074 </p><p></p><p>RP: -> 2013-07-30 22:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1073 </p><p></p><p>RP: -> 2013-07-30 01:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1072 </p><p></p><p>RP: -> 2013-07-29 22:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1071 </p><p></p><p>RP: -> 2013-07-28 22:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1070 </p><p></p><p>RP: -> 2013-07-27 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1069 </p><p></p><p>RP: -> 2013-07-26 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1068 </p><p></p><p>RP: -> 2013-07-25 22:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1067 </p><p></p><p>RP: -> 2013-07-24 22:28 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1066 </p><p></p><p>RP: -> 2013-07-23 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1065 </p><p></p><p>RP: -> 2013-07-23 01:58 - 020480 
_restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1064 </p><p></p><p>RP: -> 2013-07-22 22:24 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1063 </p><p></p><p>RP: -> 2013-07-21 22:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1062 </p><p></p><p>RP: -> 2013-07-20 22:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1061 </p><p></p><p>RP: -> 2013-07-19 22:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1060 </p><p></p><p>RP: -> 2013-07-19 21:17 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1059 </p><p></p><p>RP: -> 2013-07-18 20:26 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1058 </p><p></p><p>RP: -> 2013-07-17 20:25 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1057 </p><p></p><p>RP: -> 2013-07-16 20:26 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1056 </p><p></p><p>RP: -> 2013-07-16 01:40 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1055 </p><p></p><p>RP: -> 2013-07-15 20:28 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1054 </p><p></p><p>RP: -> 2013-07-15 09:05 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1053 </p><p></p><p>RP: -> 2013-07-14 05:44 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1052 </p><p></p><p>RP: -> 2013-07-13 05:44 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1051 </p><p></p><p>RP: -> 2013-07-12 05:44 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1050 </p><p></p><p>RP: -> 2013-07-12 04:37 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1049 </p><p></p><p>RP: -> 2013-07-11 04:00 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1048 </p><p></p><p>RP: -> 2013-07-10 14:50 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1047 </p><p></p><p>RP: -> 2013-07-10 02:41 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1046 </p><p></p><p>RP: -> 2013-07-09 02:21 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1045 </p><p></p><p>RP: -> 
2013-07-08 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1044 </p><p></p><p>RP: -> 2013-07-07 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1043 </p><p></p><p>RP: -> 2013-07-06 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1042 </p><p></p><p>RP: -> 2013-07-05 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1041 </p><p></p><p>RP: -> 2013-07-04 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1040 </p><p></p><p>RP: -> 2013-07-03 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1039 </p><p></p><p>RP: -> 2013-07-02 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1038 </p><p></p><p>RP: -> 2013-07-02 02:21 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1037 </p><p></p><p>RP: -> 2013-07-01 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1036 </p><p></p><p>RP: -> 2013-06-30 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1035 </p><p></p><p>RP: -> 2013-06-29 22:58 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1034 </p><p></p><p>RP: -> 2013-06-28 22:59 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1033 </p><p></p><p>RP: -> 2013-06-28 09:51 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1032 </p><p></p><p>RP: -> 2013-06-27 09:18 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1031 </p><p></p><p>RP: -> 2013-06-26 08:52 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1030 </p><p></p><p>RP: -> 2013-06-25 10:03 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1029 </p><p></p><p>RP: -> 2013-06-25 02:27 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1028 </p><p></p><p>RP: -> 2013-06-24 10:06 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1027 </p><p></p><p>RP: -> 2013-06-23 08:34 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1026 </p><p></p><p>RP: -> 2013-06-22 08:34 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1025 
</p><p></p><p>RP: -> 2013-06-21 08:34 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1024 </p><p></p><p>RP: -> 2013-06-20 08:33 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1023 </p><p></p><p>RP: -> 2013-06-19 08:33 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1022 </p><p></p><p>RP: -> 2013-06-18 08:34 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1021 </p><p></p><p>RP: -> 2013-06-18 02:23 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1020 </p><p></p><p>RP: -> 2009-10-18 18:05 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1109 </p><p></p><p>RP: -> 2009-10-17 17:17 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1108 </p><p></p><p>RP: -> 2009-10-16 13:34 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1107 </p><p></p><p>RP: -> 2009-10-15 13:20 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1106 </p><p></p><p>RP: -> 2009-10-13 23:33 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1105 </p><p></p><p>RP: -> 2009-10-13 17:58 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1104 </p><p></p><p>RP: -> 2009-10-12 08:55 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1103 </p><p></p><p>RP: -> 2009-10-11 08:38 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102 </p><p></p><p>RP: -> 2009-10-09 19:50 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1101 </p><p></p><p>RP: -> 2009-10-08 19:29 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1100 </p><p></p><p>RP: -> 2009-10-06 21:49 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1099 </p><p></p><p>RP: -> 2009-10-04 22:12 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1098 </p><p></p><p>RP: -> 2009-10-03 21:56 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1097 </p><p></p><p>RP: -> 2009-10-02 20:58 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1096 </p><p></p><p>RP: -> 2009-09-30 10:34 - 024576 
_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1095 </p><p></p><p>RP: -> 2009-09-29 07:55 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1094 </p><p></p><p>RP: -> 2009-09-27 23:23 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1093 </p><p></p><p>RP: -> 2009-09-26 22:52 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1092 </p><p></p><p>RP: -> 2009-09-25 22:45 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1091 </p><p></p><p>RP: -> 2009-09-24 22:02 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1090 </p><p></p><p>RP: -> 2009-09-23 21:58 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1089 </p><p></p><p>RP: -> 2009-09-22 21:35 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1088 </p><p></p><p>RP: -> 2009-09-21 20:09 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1087 </p><p></p><p>RP: -> 2009-09-20 18:28 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1086 </p><p></p><p>RP: -> 2009-09-19 18:26 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1085 </p><p></p><p>RP: -> 2009-09-18 18:14 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1084 </p><p></p><p>RP: -> 2009-09-17 17:40 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1083 </p><p></p><p>RP: -> 2009-09-16 08:54 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1082 </p><p></p><p>RP: -> 2009-09-14 22:53 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1081 </p><p></p><p>RP: -> 2009-09-13 21:32 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1080 </p><p></p><p>RP: -> 2009-09-12 20:36 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1079 </p><p></p><p>RP: -> 2009-09-11 20:03 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1078 </p><p></p><p>RP: -> 2009-09-10 19:44 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1077 </p><p></p><p>RP: -> 2009-09-09 17:29 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1076 </p><p></p><p>RP: -> 
2009-09-08 13:52 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1075 </p><p></p><p>RP: -> 2009-09-07 21:09 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1074 </p><p></p><p>RP: -> 2009-09-06 20:15 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1073 </p><p></p><p>RP: -> 2009-09-05 19:19 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1072 </p><p></p><p>RP: -> 2009-09-04 18:27 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1071 </p><p></p><p>RP: -> 2009-09-02 22:57 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1070 </p><p></p><p>RP: -> 2009-09-01 22:02 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1069 </p><p></p><p>RP: -> 2009-08-31 21:14 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1068 </p><p></p><p>RP: -> 2009-08-30 20:21 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1067 </p><p></p><p>RP: -> 2009-08-29 19:35 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1066 </p><p></p><p>RP: -> 2009-08-28 19:33 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1065 </p><p></p><p>RP: -> 2009-08-27 19:24 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1064 </p><p></p><p>RP: -> 2009-08-25 23:15 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1063 </p><p></p><p>RP: -> 2009-08-24 21:14 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1062 </p><p></p><p>RP: -> 2009-08-22 23:30 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1061 </p><p></p><p>RP: -> 2009-08-22 10:11 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1060 </p><p></p><p>RP: -> 2009-08-20 21:47 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1059 </p><p></p><p>RP: -> 2009-08-19 21:38 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058 </p><p></p><p>RP: -> 2009-08-18 21:06 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1057 </p><p></p><p>RP: -> 2009-08-17 20:28 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1056 
</p><p></p><p>RP: -> 2009-08-16 19:48 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1055 </p><p></p><p>RP: -> 2009-08-15 17:57 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1054 </p><p></p><p>RP: -> 2009-08-14 17:50 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1053 </p><p></p><p>RP: -> 2009-08-13 08:33 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1052 </p><p></p><p>RP: -> 2009-08-11 23:18 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1051 </p><p></p><p>RP: -> 2009-08-10 23:10 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1050 </p><p></p><p>RP: -> 2009-08-09 22:59 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1049 </p><p></p><p>RP: -> 2009-08-09 10:23 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1048 </p><p></p><p>RP: -> 2009-08-09 00:08 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1047 </p><p></p><p>RP: -> 2009-08-08 09:50 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1046 </p><p></p><p>RP: -> 2009-08-06 23:00 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1045 </p><p></p><p>RP: -> 2009-08-05 20:34 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1044 </p><p></p><p>RP: -> 2009-08-04 20:28 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1043 </p><p></p><p>RP: -> 2009-08-03 18:54 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1042 </p><p></p><p>RP: -> 2009-08-02 12:37 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1041 </p><p></p><p>RP: -> 2009-08-01 10:08 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1040 </p><p></p><p>RP: -> 2009-07-31 08:23 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1039 </p><p></p><p>RP: -> 2009-07-30 00:35 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1038 </p><p></p><p>RP: -> 2009-07-29 19:41 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1037 </p><p></p><p>RP: -> 2009-07-28 19:05 - 024576 
_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1036 </p><p></p><p>RP: -> 2009-07-27 10:20 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1035 </p><p></p><p>RP: -> 2009-07-26 09:47 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1034 </p><p></p><p>RP: -> 2009-07-25 09:46 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1033 </p><p></p><p>RP: -> 2009-07-23 23:20 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1032 </p><p></p><p>RP: -> 2009-07-22 22:28 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1031 </p><p></p><p>RP: -> 2009-07-21 21:20 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1030 </p><p></p><p>RP: -> 2009-07-20 20:27 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1029 </p><p></p><p></p><p>==================== Memory info =========================== </p><p></p><p>Percentage of memory in use: 13%</p><p>Total physical RAM: 2038.08 MB</p><p>Available physical RAM: 1763.36 MB</p><p>Total Pagefile: 1868.75 MB</p><p>Available Pagefile: 1799.91 MB</p><p>Total Virtual: 2047.88 MB</p><p>Available Virtual: 1993.54 MB</p><p></p><p>==================== Drives ================================</p><p></p><p>Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS</p><p>Drive c: () (Fixed) (Total:108.59 GB) (Free:4.39 GB) NTFS ==>[Drive with boot components (Windows XP)]</p><p>Drive d: (My Book) (Fixed) (Total:930.86 GB) (Free:654.06 GB) NTFS</p><p>Drive e: (Backup) (Fixed) (Total:37.24 GB) (Free:37.17 GB) NTFS</p><p>Drive f: (WD SmartWare) (CDROM) (Total:0.63 GB) (Free:0 GB) UDF</p><p>Drive g: (USB DISK) (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT</p><p>Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS</p><p></p><p>==================== MBR & Partition Table ==================</p><p></p><p>========================================================</p><p>Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: D0F4738C)</p><p>Partition 1: (Not Active) - (Size=31 MB) - 
(Type=DE)</p><p>Partition 2: (Active) - (Size=109 GB) - (Type=07 NTFS)</p><p>Partition 3: (Not Active) - (Size=37 GB) - (Type=07 NTFS)</p><p>Partition 4: (Not Active) - (Size=3 GB) - (Type=DB)</p><p></p><p>========================================================</p><p>Disk: 1 (MBR Code: Windows XP) (Size: 931 GB) (Disk ID: 0002AE3F)</p><p>Partition 1: (Not Active) - (Size=931 GB) - (Type=07 NTFS)</p><p></p><p>========================================================</p><p>Disk: 2 (MBR Code: Windows XP) (Size: 64 MB) (Disk ID: C3072E18)</p><p>Partition 1: (Not Active) - (Size=63 MB) - (Type=06)</p><p></p><p>==================== End Of Log ============================</p><p></p><p></p><p>Ok, please do this on another PC. </p><p></p><ul> <li data-xf-list-type="ul">Download <a href="http://oldtimer.geekstogo.com/OTLPENet.exe" target="_blank">OTLPENet.exe</a> to your desktop</li> <li data-xf-list-type="ul">Download <a href="http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/" target="_blank">Farbar Recovery Scan Tool</a> and save it to a flash drive.<br /> </li> <li data-xf-list-type="ul">Ensure that you have a blank CD in the drive</li> <li data-xf-list-type="ul">Double click<strong> OTLPENet.exe</strong> and this will then open imgburn to burn the file to CD</li> <li data-xf-list-type="ul">Reboot your infected system using the boot CD you just created.<br /> Note : If you do not know how to set your computer to boot from CD follow the steps <a href="http://www.hiren.info/pages/bios-boot-cdrom" target="_blank">here</a></li> <li data-xf-list-type="ul">Wait for the CD to detect your hardware and load the operating system</li> <li data-xf-list-type="ul">Your system should now display a Reatogo desktop<br /> <strong>Note : as you are running from CD it is not exactly speedy</strong></li> <li data-xf-list-type="ul">Insert the USB with FRST</li> <li data-xf-list-type="ul">Locate the flash drive with FRST and double click</li> <li 
data-xf-list-type="ul">The tool will start to run.</li> <li data-xf-list-type="ul">When the tool opens click Yes to disclaimer.</li> <li data-xf-list-type="ul">Press <strong>Scan</strong> button.</li> <li data-xf-list-type="ul">It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.</li> </ul></blockquote>
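The log in the post above carries the ZeroAccess pattern this thread is about: the ImagePath of the winmgmt service has been re-pointed at C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\4qz8hnbb.plz, a Startup shortcut (bbnh8zq4.lnk) points at that same file, and a service named *etadpug loads GoogleUpdate.exe through a Google Desktop "Install" path padded with whitespace-only and ??? components, which FRST itself marks with <==== ATTENTION (ZeroAccess). A helper who receives many pasted FRST.txt files can run a first pass over them on their own machine (not the infected XP box) with a script like the one below. It is an added example, not code from the forum post, from FRST or from FRST's author; the rule names, the SVCHOST_HOSTED list (winmgmt, wuauserv and BITS being svchost-hosted on XP) and SAMPLE_LINES are this example's own assumptions, and the sample lines are constructed to mirror the entries in the log above.

```python
"""Triage a pasted FRST log for ZeroAccess-style persistence.

Added example for this thread; it is not code from the forum post, from
FRST or from FRST's author.  It parses FRST "Services" and
"ShortcutTarget" lines and flags the patterns visible in the log above:
a core service (winmgmt) whose ImagePath points at a random-named
non-executable file under Application Data, a service path padded with
whitespace-only and "???" directory components, FRST's own
"<==== ATTENTION" marker, and a Startup .lnk aimed at that same file.
The rule names, SVCHOST_HOSTED and SAMPLE_LINES are this example's own
assumptions; the sample lines are constructed to mirror the thread's log.
"""
import ntpath
import re
import sys
from typing import List, Tuple

# File types Windows actually loads as a service image or runs from a
# shortcut; a .plz/.pff/.ctrl "image" is a tell in this log.
EXEC_EXTS = {".exe", ".sys", ".dll", ".cpl", ".scr", ".com"}

# Directory fragments (long and 8.3 form) that no legitimate XP service
# or startup target should live under.
USER_WRITABLE = (
    "\\documents and settings\\", "\\docume~1\\",
    "\\application data\\", "\\applic~1\\",
    "\\local settings\\temp\\",
)

# XP services that are hosted by svchost.exe (assumption: XP SP2/SP3
# defaults); any other image means the ImagePath was rewritten.
SVCHOST_HOSTED = {"winmgmt", "wuauserv", "bits"}

SERVICE_RE = re.compile(r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget:\s*(?P<lnk>.+?\.lnk)\s*->\s*(?P<rest>.*)$")
SUFFIX_RE = re.compile(r"\s*\[[^\]]*\]\s*\([^)]*\)\s*$")   # "[size date] (publisher)"
PUBLISHER_RE = re.compile(r"\s*\([^()]*\)\s*$")            # trailing "(publisher)"

Finding = Tuple[str, str]  # (rule, service name or .lnk name)


def service_image(rest: str) -> str:
    """Recover the bare image path from the text FRST prints after 'name;'."""
    rest = SUFFIX_RE.sub("", rest.split("<====")[0]).strip()
    if rest.startswith('"'):                      # quoted path, maybe with arguments
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return re.split(r"\s+-|\s+\[", rest)[0].strip()  # unquoted: stop at switches


def odd_components(path: str) -> bool:
    """True if any directory component is whitespace-only or contains '?'."""
    return any((p != "" and p.strip() == "") or "?" in p for p in path.split("\\"))


def check_path(kind: str, name: str, path: str) -> List[Finding]:
    """Path rules shared by service images and startup shortcut targets."""
    out: List[Finding] = []
    low = path.lower()
    if ntpath.splitext(low)[1] not in EXEC_EXTS:
        out.append((f"{kind}_nonexec_image", name))
    if any(frag in low for frag in USER_WRITABLE):
        out.append((f"{kind}_userwritable_path", name))
    if odd_components(path):
        out.append((f"{kind}_junction_path", name))
    return out


def triage(lines: List[str]) -> List[Finding]:
    """Return (rule, name) findings for suspicious service and startup entries."""
    findings: List[Finding] = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name").strip(), m.group("rest").strip()
            if "<====" in rest:                   # FRST already flagged it
                findings.append(("frst_attention", name))
            if not rest or rest == "No ImagePath":
                continue
            path = service_image(rest)
            findings += check_path("service", name, path)
            if name.lower() in SVCHOST_HOSTED and ntpath.basename(path).lower() != "svchost.exe":
                findings.append(("service_known_name_wrong_image", name))
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            target = PUBLISHER_RE.sub("", m.group("rest")).strip()
            findings += check_path("startup", m.group("lnk").strip(), target)
    return findings


# Constructed sample, modelled on the entries in the thread's log.
SAMPLE_LINES = [ln for ln in r"""
==================== Services (Whitelisted) =================
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [171168 2010-10-14] (McAfee, Inc.)
S2 winmgmt; C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\4qz8hnbb.plz [97792 2013-09-15] ()
S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S2 SessionLauncher;
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{e3cec3e3-20bb-a330-872e-791214cf1545}\ \ \???\{e3cec3e3-20bb-a330-872e-791214cf1545}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S3 bvrp_pci; No ImagePath
ShortcutTarget: Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
ShortcutTarget: bbnh8zq4.lnk -> C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\4qz8hnbb.plz ()
""".splitlines() if ln.strip()]

if __name__ == "__main__":
    # Usage: python frst_triage.py [FRST.txt]; without an argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            src = fh.read().splitlines()
    else:
        src = SAMPLE_LINES
    for rule, name in triage(src):
        print(f"{rule:32} {name}")
```

On the constructed sample this reports seven findings, all against winmgmt, *etadpug and bbnh8zq4.lnk, and nothing against the McAfee, Java and Adobe entries. Treat the path rules as a second opinion next to FRST's own ATTENTION lines: a lone service_userwritable_path hit is a prompt to look at the entry, not proof of infection, and the fix list for the thread still comes from the FRST log itself.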
2013-06-26 08:52 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1030 RP: -> 2013-06-25 10:03 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1029 RP: -> 2013-06-25 02:27 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1028 RP: -> 2013-06-24 10:06 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1027 RP: -> 2013-06-23 08:34 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1026 RP: -> 2013-06-22 08:34 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1025 RP: -> 2013-06-21 08:34 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1024 RP: -> 2013-06-20 08:33 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1023 RP: -> 2013-06-19 08:33 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1022 RP: -> 2013-06-18 08:34 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1021 RP: -> 2013-06-18 02:23 - 020480 _restore{6A3E3DB9-7EB7-4E62-8264-E618E273518D}\RP1020 RP: -> 2009-10-18 18:05 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1109 RP: -> 2009-10-17 17:17 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1108 RP: -> 2009-10-16 13:34 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1107 RP: -> 2009-10-15 13:20 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1106 RP: -> 2009-10-13 23:33 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1105 RP: -> 2009-10-13 17:58 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1104 RP: -> 2009-10-12 08:55 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1103 RP: -> 2009-10-11 08:38 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102 RP: -> 2009-10-09 19:50 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1101 RP: -> 2009-10-08 19:29 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1100 RP: -> 2009-10-06 21:49 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1099 RP: -> 2009-10-04 22:12 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1098 RP: 
-> 2009-10-03 21:56 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1097 RP: -> 2009-10-02 20:58 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1096 RP: -> 2009-09-30 10:34 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1095 RP: -> 2009-09-29 07:55 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1094 RP: -> 2009-09-27 23:23 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1093 RP: -> 2009-09-26 22:52 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1092 RP: -> 2009-09-25 22:45 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1091 RP: -> 2009-09-24 22:02 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1090 RP: -> 2009-09-23 21:58 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1089 RP: -> 2009-09-22 21:35 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1088 RP: -> 2009-09-21 20:09 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1087 RP: -> 2009-09-20 18:28 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1086 RP: -> 2009-09-19 18:26 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1085 RP: -> 2009-09-18 18:14 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1084 RP: -> 2009-09-17 17:40 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1083 RP: -> 2009-09-16 08:54 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1082 RP: -> 2009-09-14 22:53 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1081 RP: -> 2009-09-13 21:32 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1080 RP: -> 2009-09-12 20:36 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1079 RP: -> 2009-09-11 20:03 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1078 RP: -> 2009-09-10 19:44 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1077 RP: -> 2009-09-09 17:29 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1076 RP: -> 2009-09-08 13:52 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1075 
RP: -> 2009-09-07 21:09 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1074 RP: -> 2009-09-06 20:15 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1073 RP: -> 2009-09-05 19:19 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1072 RP: -> 2009-09-04 18:27 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1071 RP: -> 2009-09-02 22:57 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1070 RP: -> 2009-09-01 22:02 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1069 RP: -> 2009-08-31 21:14 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1068 RP: -> 2009-08-30 20:21 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1067 RP: -> 2009-08-29 19:35 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1066 RP: -> 2009-08-28 19:33 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1065 RP: -> 2009-08-27 19:24 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1064 RP: -> 2009-08-25 23:15 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1063 RP: -> 2009-08-24 21:14 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1062 RP: -> 2009-08-22 23:30 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1061 RP: -> 2009-08-22 10:11 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1060 RP: -> 2009-08-20 21:47 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1059 RP: -> 2009-08-19 21:38 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058 RP: -> 2009-08-18 21:06 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1057 RP: -> 2009-08-17 20:28 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1056 RP: -> 2009-08-16 19:48 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1055 RP: -> 2009-08-15 17:57 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1054 RP: -> 2009-08-14 17:50 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1053 RP: -> 2009-08-13 08:33 - 024576 
_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1052 RP: -> 2009-08-11 23:18 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1051 RP: -> 2009-08-10 23:10 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1050 RP: -> 2009-08-09 22:59 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1049 RP: -> 2009-08-09 10:23 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1048 RP: -> 2009-08-09 00:08 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1047 RP: -> 2009-08-08 09:50 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1046 RP: -> 2009-08-06 23:00 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1045 RP: -> 2009-08-05 20:34 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1044 RP: -> 2009-08-04 20:28 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1043 RP: -> 2009-08-03 18:54 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1042 RP: -> 2009-08-02 12:37 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1041 RP: -> 2009-08-01 10:08 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1040 RP: -> 2009-07-31 08:23 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1039 RP: -> 2009-07-30 00:35 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1038 RP: -> 2009-07-29 19:41 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1037 RP: -> 2009-07-28 19:05 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1036 RP: -> 2009-07-27 10:20 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1035 RP: -> 2009-07-26 09:47 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1034 RP: -> 2009-07-25 09:46 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1033 RP: -> 2009-07-23 23:20 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1032 RP: -> 2009-07-22 22:28 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1031 RP: -> 2009-07-21 21:20 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1030 RP: -> 2009-07-20 20:27 - 
024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1029

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 2038.08 MB
Available physical RAM: 1763.36 MB
Total Pagefile: 1868.75 MB
Available Pagefile: 1799.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.54 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:108.59 GB) (Free:4.39 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (My Book) (Fixed) (Total:930.86 GB) (Free:654.06 GB) NTFS
Drive e: (Backup) (Fixed) (Total:37.24 GB) (Free:37.17 GB) NTFS
Drive f: (WD SmartWare) (CDROM) (Total:0.63 GB) (Free:0 GB) UDF
Drive g: (USB DISK) (Removable) (Total:0.06 GB) (Free:0.06 GB) FAT
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: D0F4738C)
Partition 1: (Not Active) - (Size=31 MB) - (Type=DE)
Partition 2: (Active) - (Size=109 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=37 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=3 GB) - (Type=DB)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931 GB) (Disk ID: 0002AE3F)
Partition 1: (Not Active) - (Size=931 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 64 MB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=63 MB) - (Type=06)

==================== End Of Log ============================

Ok, please do this on another PC.
[list]
[*]Download [url=http://oldtimer.geekstogo.com/OTLPENet.exe]OTLPENet.exe[/url] to your desktop
[*]Download [url=http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/]Farbar Recovery Scan Tool[/url] and save it to a flash drive.
[*]Ensure that you have a blank CD in the drive
[*]Double click [b]OTLPENet.exe[/b] and this will then open imgburn to burn the file to CD
[*]Reboot your infected system using the boot CD you just created. Note: If you do not know how to set your computer to boot from CD, follow the steps [url=http://www.hiren.info/pages/bios-boot-cdrom]here[/url]
[*]Wait for the CD to detect your hardware and load the operating system
[*]Your system should now display a Reatogo desktop. [b]Note: as you are running from CD it is not exactly speedy[/b]
[*]Insert the USB with FRST
[*]Locate the flash drive with FRST and double click
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press [b]Scan[/b] button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
[/list]
[/quote]
[/QUOTE]