Unexpected Adobe Flash plugin install including malware

birdman

New Member
Thread author
Sep 19, 2013
I'm not sure that I actually have some kind of Trojan or malware on my PC but I'd like to know if this is something that's been seen before. I doubt that a download from Microsoft that has a good certificate can contain the malware I'm seeing.

Thanks in advance for any help you can provide.
 

Attachments
  • OTL.Txt (123.8 KB)
  • aswMBR.txt (1.5 KB)

Fiery

Level 1
Jan 11, 2011
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Download Farbar Recovery Scan Tool from the below link:
  • For 64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a USB/flash drive.
  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

  1. Select Command Prompt.
  2. In the command window type in notepad and press Enter.
  3. The notepad opens. Under the File menu select Open.
  4. Select "Computer" and find your flash drive letter, then close the notepad.
  5. In the command window type e:\frst64 and press Enter.
     Note: Replace the letter e with the drive letter of your flash drive.
  6. The tool will start to run.
  7. When the tool opens click Yes to the disclaimer.
  8. Press the Scan button.
  9. FRST will let you know when the scan is complete and has written FRST.txt to file; close the message.
  10. Type exit.
  11. Please copy and paste FRST.txt in your next reply.

birdman

New Member
Thread author
Sep 19, 2013
Here is the log from the scan:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-09-2013 01
Ran by SYSTEM on MININT-CP2PM86 on 20-09-2013 07:50:12
Running from M:\
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [THXCfg64] - C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11660904 2010-11-29] (Realtek Semiconductor)
HKLM\...\Run: [Zune Launcher] - C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-07-18] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [BackupManagerTray] - C:\Program Files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe [289600 2011-02-14] (NTI Corporation)
HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [THX Audio Control Panel] - C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe [1370624 2010-08-06] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] - C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [93296 2012-07-13] (CyberLink Corp.)
HKLM-x32\...\Run: [Hotkey Utility] - C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe [620136 2011-01-18] ()
HKLM-x32\...\Run: [PivotSoftware] - C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe [110192 2010-05-13] ()
HKLM-x32\...\Run: [DT ACR] - C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [121456 2010-06-30] ()
HKLM-x32\...\Run: [hpqSRMon] - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [HotSync] - "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers [x]
HKLM-x32\...\Run: [NPSStartup] - [x]
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKLM-x32\...\Run: [PMBVolumeWatcher] - C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe [740888 2013-04-24] (Sony Corporation)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [154144 2010-07-29] ()
HKU\Tom Demler\...\Run: [AutoStartNPSAgent] - C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe [95576 2010-07-04] (Samsung Electronics Co., Ltd.)
HKU\Tom Demler\...\Run: [PDHookServer] - C:\Program Files (x86)\Avanquest\PowerDesk\PDHookServer.exe [60416 2012-12-14] ()
AppInit_DLLs: C:\Users\Tom Demler\AppData\Roaming\Avanquest\PowerDesk\FileMonitor64.dll [129024 2012-12-14] ()
Startup: C:\Users\Tom Demler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Users\Tom Demler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Tom Demler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.lnk
ShortcutTarget: taskmgr.lnk -> C:\Windows\System32\taskmgr.exe (Microsoft Corporation)

==================== Services (Whitelisted) =================

S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2013-01-04] (Adobe Systems)
S2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe [121456 2010-06-30] ()
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2013-07-18] (Microsoft Corporation)
S2 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [58345832 2011-09-22] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-07-18] (Microsoft Corporation)
S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
S2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [257344 2011-02-14] (NTI Corporation)
S2 PMBDeviceInfoProvider; C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [483864 2013-04-24] (Sony Corporation)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [431464 2011-09-22] (Microsoft Corporation)
S2 x10nets; C:\PROGRA~2\COMMON~1\X10\Common\X10nets.exe [20480 2010-11-01] (X10)
S2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [x]

==================== Drivers (Whitelisted) ====================

S2 cpuz135; C:\Windows\system32\drivers\cpuz135_x64.sys [21992 2011-09-21] (CPUID)
S3 MosIrUsb; C:\Windows\System32\DRIVERS\MosIrUsb.sys [27648 2007-10-11] ()
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
S3 PdiPorts; C:\Windows\System32\DRIVERS\PdiPorts.sys [20592 2010-04-16] (Portrait Displays, Inc.)
S3 PsxDrv; C:\Windows\System32\drivers\psxdrv.sys [10240 2009-07-13] (Microsoft Corporation)
S3 VSPerfDrv100; C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [68440 2011-01-18] (Microsoft Corporation)
S3 VSPerfDrv100; C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [68440 2011-01-18] (Microsoft Corporation)
S3 XUIF; C:\Windows\System32\Drivers\x10ufx2.sys [32792 2009-05-13] (X10 Wireless Technology, Inc.)
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [x]
S3 keycrypt; system32\DRIVERS\KeyCrypt64.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-20 07:49 - 2013-09-20 07:49 - 00000000 ____D C:\FRST
2013-09-19 15:54 - 2013-09-19 15:54 - 01950622 _____ (Farbar) C:\Users\Tom Demler\Downloads\FRST64.exe
2013-09-19 04:43 - 2013-09-19 04:43 - 00001563 _____ C:\Users\Tom Demler\Downloads\aswMBR.txt
2013-09-19 04:43 - 2013-09-19 04:43 - 00000512 _____ C:\Users\Tom Demler\Downloads\MBR.dat
2013-09-19 04:38 - 2013-09-19 04:38 - 04745728 _____ (AVAST Software) C:\Users\Tom Demler\Downloads\aswMBR.exe
2013-09-19 04:38 - 2013-09-19 04:38 - 00126770 _____ C:\Users\Tom Demler\Downloads\OTL.Txt
2013-09-19 04:38 - 2013-09-19 04:38 - 00112430 _____ C:\Users\Tom Demler\Downloads\Extras.Txt
2013-09-19 04:34 - 2013-09-19 04:34 - 00602112 _____ (OldTimer Tools) C:\Users\Tom Demler\Downloads\OTL.exe
2013-09-18 15:48 - 2013-09-18 16:18 - 277320808 _____ C:\Users\Tom Demler\Downloads\Utilities and SDK for Subsystem for UNIX-based Applications_IA64.exe
2013-09-18 15:33 - 2013-09-18 15:40 - 00000000 ____D C:\AdwCleaner
2013-09-18 15:32 - 2013-09-18 15:32 - 01039554 _____ C:\Users\Tom Demler\Downloads\adwcleaner.exe
2013-09-18 13:33 - 2013-09-18 13:33 - 00003266 _____ C:\Windows\System32\Tasks\{A3BA27F5-B0A4-40FA-B3F4-B3B13D5955D7}
2013-09-18 13:17 - 2013-09-18 13:17 - 00000242 _____ C:\Windows\wininit.ini
2013-09-18 13:05 - 2013-09-18 13:16 - 507567168 _____ C:\Users\Tom Demler\Downloads\Utilities and SDK for UNIX-based Applications_IA64.exe
2013-09-18 13:01 - 2013-09-18 13:01 - 00000884 __RSH C:\Users\Tom Demler\ntuser.pol
2013-09-18 12:51 - 2013-09-18 12:51 - 00000000 ____D C:\Windows\SUA
2013-09-18 12:47 - 2013-09-18 12:50 - 265716328 _____ C:\Users\Tom Demler\Downloads\Utilities and SDK for Subsystem for UNIX-based Applications_X86.exe
2013-09-17 07:14 - 2013-09-17 07:14 - 00000000 ____D C:\Users\Tom Demler\MediaEspresso
2013-09-17 06:58 - 2013-09-17 06:59 - 00000000 ____D C:\Users\Tom Demler\Documents\Sounds
2013-09-16 06:47 - 2013-09-16 06:47 - 02276888 _____ (Sony Corporation) C:\Users\Tom Demler\Downloads\PMHOME_2003DL.EXE
2013-09-16 06:32 - 2013-09-16 06:32 - 06892672 _____ C:\Users\Tom Demler\Downloads\PMBP_WIN57_Upgrade1208a.exe
2013-09-15 07:08 - 2013-07-31 06:17 - 17833472 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-09-15 07:08 - 2013-07-31 05:42 - 10926080 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-09-15 07:08 - 2013-07-31 05:29 - 02312704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-09-15 07:08 - 2013-07-31 05:20 - 01346560 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-09-15 07:08 - 2013-07-31 05:19 - 01392128 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-09-15 07:08 - 2013-07-31 05:18 - 01494528 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-09-15 07:08 - 2013-07-31 05:17 - 00237056 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-09-15 07:08 - 2013-07-31 05:16 - 00085504 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-09-15 07:08 - 2013-07-31 05:14 - 00173056 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-09-15 07:08 - 2013-07-31 05:13 - 00816640 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-09-15 07:08 - 2013-07-31 05:13 - 00599040 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-09-15 07:08 - 2013-07-31 05:11 - 02147840 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-09-15 07:08 - 2013-07-31 05:11 - 00729088 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-09-15 07:08 - 2013-07-31 05:09 - 00096768 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-09-15 07:08 - 2013-07-31 05:08 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-09-15 07:08 - 2013-07-31 05:05 - 00248320 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-09-15 07:08 - 2013-07-31 02:30 - 12335104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-15 07:08 - 2013-07-31 02:05 - 09738752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-15 07:08 - 2013-07-31 02:00 - 01800704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-15 07:08 - 2013-07-31 01:53 - 01104896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-15 07:08 - 2013-07-31 01:52 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-09-15 07:08 - 2013-07-31 01:52 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-15 07:08 - 2013-07-31 01:51 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-09-15 07:08 - 2013-07-31 01:49 - 00065024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-15 07:08 - 2013-07-31 01:48 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-15 07:08 - 2013-07-31 01:48 - 00420864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-09-15 07:08 - 2013-07-31 01:48 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-09-15 07:08 - 2013-07-31 01:47 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-15 07:08 - 2013-07-31 01:46 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-15 07:08 - 2013-07-31 01:45 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-15 07:08 - 2013-07-31 01:45 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-09-15 07:08 - 2013-07-31 01:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-15 07:05 - 2013-08-01 18:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-09-15 07:05 - 2013-08-01 18:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-09-15 07:05 - 2013-08-01 18:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-09-15 07:05 - 2013-08-01 18:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-09-15 07:05 - 2013-08-01 18:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-09-15 07:05 - 2013-08-01 18:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-09-15 07:05 - 2013-08-01 18:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-09-15 07:05 - 2013-08-01 18:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-09-15 07:05 - 2013-08-01 18:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\System32\apisetschema.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-09-15 07:05 - 2013-08-01 17:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-09-15 07:05 - 2013-08-01 17:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-09-15 07:05 - 2013-08-01 17:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-09-15 07:05 - 2013-08-01 17:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-09-15 07:05 - 2013-08-01 17:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 17:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-09-15 07:05 - 2013-08-01 16:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-09-15 07:05 - 2013-08-01 16:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-09-15 07:05 - 2013-08-01 16:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-09-15 07:05 - 2013-08-01 16:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-09-15 07:05 - 2013-08-01 16:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-09-15 07:05 - 2013-08-01 16:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 16:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 16:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-09-15 07:05 - 2013-08-01 16:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-09-15 07:05 - 2013-07-25 18:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-09-15 07:04 - 2013-08-07 17:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-09-15 07:04 - 2013-08-04 18:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ataport.sys
2013-09-15 07:04 - 2013-07-25 18:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-09-15 07:04 - 2013-07-25 17:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-09-15 07:04 - 2013-07-25 17:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-09-05 07:51 - 2013-09-05 07:51 - 00007029 _____ C:\Users\Tom Demler\Downloads\18120147_09052013.qfx
2013-09-04 12:53 - 2013-09-04 12:53 - 00005180 _____ C:\Users\Tom Demler\Downloads\CabinetofCuriositiesPendergastSeriesB9781611139372.odm
2013-09-04 08:39 - 2013-09-04 08:39 - 00144505 _____ C:\Users\Tom Demler\Downloads\Kohler_1053195_7_c.dxf
2013-08-31 07:11 - 2013-08-31 07:11 - 00763904 _____ C:\Users\Tom Demler\Downloads\MicrosoftFixit50485.msi
2013-08-31 06:35 - 2013-08-31 06:35 - 00159144 _____ (Microsoft Corporation) C:\Users\Tom Demler\Downloads\WindowsActivationUpdate.exe
2013-08-31 06:27 - 2013-08-31 06:27 - 00001945 _____ C:\Windows\epplauncher.mif
2013-08-31 06:27 - 2013-08-31 06:27 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-08-31 06:27 - 2013-08-31 06:27 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-08-31 06:25 - 2013-08-31 06:26 - 13813944 _____ (Microsoft Corporation) C:\Users\Tom Demler\Downloads\mseinstall.exe
2013-08-22 05:42 - 2013-08-22 05:42 - 06919823 _____ C:\Users\Tom Demler\Downloads\com.sony.tvsideview.tablet_20130313.apk
2013-08-22 05:37 - 2013-08-22 05:37 - 06919823 _____ C:\Users\Tom Demler\Downloads\Apkboys.com - TV SideView for Tablet.apk
2013-08-21 12:35 - 2013-08-21 12:35 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-21 12:35 - 2013-08-21 12:35 - 00000000 ____D C:\Program Files\iTunes
2013-08-21 12:35 - 2013-08-21 12:35 - 00000000 ____D C:\Program Files\iPod
2013-08-21 12:35 - 2013-08-21 12:35 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-08-21 12:35 - 2012-08-21 09:01 - 00033240 _____ (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2013-08-21 12:34 - 2013-08-21 12:34 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-08-21 12:34 - 2013-08-21 12:34 - 00000000 ____D C:\Program Files\Bonjour
2013-08-21 12:34 - 2013-08-21 12:34 - 00000000 ____D C:\Program Files (x86)\Bonjour
2013-08-21 12:33 - 2013-08-21 12:33 - 90889040 _____ (Apple Inc.) C:\Users\Tom Demler\Downloads\iTunes64Setup.exe
2013-08-21 11:17 - 2013-08-21 11:17 - 03949064 _____ C:\Users\Tom Demler\Downloads\com.sony.seconddisplay.tabletview.apk

==================== One Month Modified Files and Folders =======

2013-09-20 07:49 - 2013-09-20 07:49 - 00000000 ____D C:\FRST
2013-09-20 03:45 - 2011-11-18 19:40 - 01141179 _____ C:\Windows\WindowsUpdate.log
2013-09-20 03:45 - 2009-07-13 21:13 - 00872406 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-20 03:38 - 2012-07-16 14:43 - 00000000 ____D C:\Users\Tom Demler\Documents\Outlook Files
2013-09-20 03:30 - 2012-01-12 05:05 - 00000906 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-19 15:54 - 2013-09-19 15:54 - 01950622 _____ (Farbar) C:\Users\Tom Demler\Downloads\FRST64.exe
2013-09-19 14:57 - 2012-01-12 05:05 - 00000902 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-19 10:20 - 2013-06-11 10:13 - 00000402 _____ C:\Windows\Tasks\FinalTorrent Update Checker.job
2013-09-19 10:15 - 2013-06-11 10:13 - 00000000 ____D C:\Program Files (x86)\File Type Assistant
2013-09-19 09:46 - 2009-06-18 12:46 - 00000000 ____D C:\Users\Tom Demler\Documents\Excel
2013-09-19 04:43 - 2013-09-19 04:43 - 00001563 _____ C:\Users\Tom Demler\Downloads\aswMBR.txt
2013-09-19 04:43 - 2013-09-19 04:43 - 00000512 _____ C:\Users\Tom Demler\Downloads\MBR.dat
2013-09-19 04:38 - 2013-09-19 04:38 - 04745728 _____ (AVAST Software) C:\Users\Tom Demler\Downloads\aswMBR.exe
2013-09-19 04:38 - 2013-09-19 04:38 - 00126770 _____ C:\Users\Tom Demler\Downloads\OTL.Txt
2013-09-19 04:38 - 2013-09-19 04:38 - 00112430 _____ C:\Users\Tom Demler\Downloads\Extras.Txt
2013-09-19 04:34 - 2013-09-19 04:34 - 00602112 _____ (OldTimer Tools) C:\Users\Tom Demler\Downloads\OTL.exe
2013-09-19 03:52 - 2009-07-13 20:45 - 00022112 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-19 03:52 - 2009-07-13 20:45 - 00022112 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-19 03:45 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-19 03:45 - 2009-07-13 20:51 - 00085386 _____ C:\Windows\setupact.log
2013-09-18 16:18 - 2013-09-18 15:48 - 277320808 _____ C:\Users\Tom Demler\Downloads\Utilities and SDK for Subsystem for UNIX-based Applications_IA64.exe
2013-09-18 15:40 - 2013-09-18 15:33 - 00000000 ____D C:\AdwCleaner
2013-09-18 15:32 - 2013-09-18 15:32 - 01039554 _____ C:\Users\Tom Demler\Downloads\adwcleaner.exe
2013-09-18 14:19 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-09-18 13:54 - 2010-11-20 19:47 - 01422726 _____ C:\Windows\PFRO.log
2013-09-18 13:33 - 2013-09-18 13:33 - 00003266 _____ C:\Windows\System32\Tasks\{A3BA27F5-B0A4-40FA-B3F4-B3B13D5955D7}
2013-09-18 13:28 - 2011-11-19 07:32 - 00000000 ____D C:\Users\Tom Demler\AppData\Roaming\Notepad++
2013-09-18 13:28 - 2011-11-19 07:32 - 00000000 ____D C:\Program Files (x86)\Notepad++
2013-09-18 13:17 - 2013-09-18 13:17 - 00000242 _____ C:\Windows\wininit.ini
2013-09-18 13:16 - 2013-09-18 13:05 - 507567168 _____ C:\Users\Tom Demler\Downloads\Utilities and SDK for UNIX-based Applications_IA64.exe
2013-09-18 13:01 - 2013-09-18 13:01 - 00000884 __RSH C:\Users\Tom Demler\ntuser.pol
2013-09-18 13:01 - 2011-11-18 17:14 - 00000000 ____D C:\users\Tom Demler
2013-09-18 13:01 - 2009-07-13 19:20 - 00000000 ___HD C:\Windows\System32\GroupPolicy
2013-09-18 13:00 - 2012-04-12 17:49 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-18 13:00 - 2011-11-28 15:39 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-18 13:00 - 2011-04-15 01:34 - 00000000 ____D C:\ProgramData\Adobe
2013-09-18 12:51 - 2013-09-18 12:51 - 00000000 ____D C:\Windows\SUA
2013-09-18 12:50 - 2013-09-18 12:47 - 265716328 _____ C:\Users\Tom Demler\Downloads\Utilities and SDK for Subsystem for UNIX-based Applications_X86.exe
2013-09-18 11:32 - 2012-08-11 05:30 - 00000000 ____D C:\Users\Tom Demler\AppData\Local\CrashDumps
2013-09-18 09:40 - 2010-01-31 04:57 - 00000000 ____D C:\Users\Tom Demler\Documents\PDF's
2013-09-17 07:21 - 2012-08-25 06:52 - 00000000 ____D C:\Users\Tom Demler\AppData\Roaming\Audacity
2013-09-17 07:14 - 2013-09-17 07:14 - 00000000 ____D C:\Users\Tom Demler\MediaEspresso
2013-09-17 06:59 - 2013-09-17 06:58 - 00000000 ____D C:\Users\Tom Demler\Documents\Sounds
2013-09-16 06:51 - 2012-12-16 10:15 - 00000000 ____D C:\ProgramData\Sony Corporation
2013-09-16 06:51 - 2011-04-15 01:31 - 00001718 _____ C:\Windows\DirectX.log
2013-09-16 06:47 - 2013-09-16 06:47 - 02276888 _____ (Sony Corporation) C:\Users\Tom Demler\Downloads\PMHOME_2003DL.EXE
2013-09-16 06:32 - 2013-09-16 06:32 - 06892672 _____ C:\Users\Tom Demler\Downloads\PMBP_WIN57_Upgrade1208a.exe
2013-09-15 07:25 - 2011-11-20 15:24 - 00000000 ___RD C:\Users\Tom Demler\Podcasts
2013-09-15 07:22 - 2009-07-13 20:45 - 00412096 _____ C:\Windows\System32\FNTCACHE.DAT
2013-09-15 07:10 - 2013-07-12 04:42 - 00000000 ____D C:\Windows\System32\MRT
2013-09-15 07:09 - 2011-12-17 11:23 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-15 07:09 - 2011-11-18 17:47 - 79143768 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-09-06 04:08 - 2011-11-20 08:30 - 00000000 ____D C:\Users\Tom Demler\AppData\Local\ID Vault
2013-09-06 04:08 - 2011-11-20 08:29 - 00000000 ____D C:\Users\Tom Demler\AppData\Roaming\ID Vault
2013-09-06 04:08 - 2011-11-20 08:28 - 00000000 ____D C:\Program Files (x86)\Constant Guard Protection Suite
2013-09-05 07:51 - 2013-09-05 07:51 - 00007029 _____ C:\Users\Tom Demler\Downloads\18120147_09052013.qfx
2013-09-04 12:53 - 2013-09-04 12:53 - 00005180 _____ C:\Users\Tom Demler\Downloads\CabinetofCuriositiesPendergastSeriesB9781611139372.odm
2013-09-04 08:39 - 2013-09-04 08:39 - 00144505 _____ C:\Users\Tom Demler\Downloads\Kohler_1053195_7_c.dxf
2013-08-31 07:20 - 2011-11-19 15:42 - 00221529 _____ C:\Windows\hpoins19.dat
2013-08-31 07:20 - 2011-11-19 15:42 - 00016089 _____ C:\ProgramData\hpzinstall.log
2013-08-31 07:19 - 2013-03-04 14:08 - 00229044 _____ C:\Windows\hpwins23.dat
2013-08-31 07:17 - 2013-03-04 14:12 - 00000697 _____ C:\Users\Tom Demler\AppData\Roaming\ConvAPIPlugin.log
2013-08-31 07:13 - 2009-07-13 18:34 - 00000513 _____ C:\Windows\win.ini
2013-08-31 07:11 - 2013-08-31 07:11 - 00763904 _____ C:\Users\Tom Demler\Downloads\MicrosoftFixit50485.msi
2013-08-31 06:35 - 2013-08-31 06:35 - 00159144 _____ (Microsoft Corporation) C:\Users\Tom Demler\Downloads\WindowsActivationUpdate.exe
2013-08-31 06:27 - 2013-08-31 06:27 - 00001945 _____ C:\Windows\epplauncher.mif
2013-08-31 06:27 - 2013-08-31 06:27 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-08-31 06:27 - 2013-08-31 06:27 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-08-31 06:26 - 2013-08-31 06:25 - 13813944 _____ (Microsoft Corporation) C:\Users\Tom Demler\Downloads\mseinstall.exe
2013-08-31 06:11 - 2009-07-13 19:20 - 00000000 __RHD C:\Users\Public\Libraries
2013-08-31 06:09 - 2012-11-26 08:14 - 00000000 ____D C:\Program Files (x86)\Hard Disk Sentinel
2013-08-31 06:08 - 2011-04-15 01:35 - 00000000 ____D C:\ProgramData\Norton
2013-08-22 05:42 - 2013-08-22 05:42 - 06919823 _____ C:\Users\Tom Demler\Downloads\com.sony.tvsideview.tablet_20130313.apk
2013-08-22 05:37 - 2013-08-22 05:37 - 06919823 _____ C:\Users\Tom Demler\Downloads\Apkboys.com - TV SideView for Tablet.apk
2013-08-21 12:41 - 2011-11-20 06:44 - 00000000 ____D C:\Users\Tom Demler\AppData\Roaming\Apple Computer
2013-08-21 12:35 - 2013-08-21 12:35 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-21 12:35 - 2013-08-21 12:35 - 00000000 ____D C:\Program Files\iTunes
2013-08-21 12:35 - 2013-08-21 12:35 - 00000000 ____D C:\Program Files\iPod
2013-08-21 12:35 - 2013-08-21 12:35 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-08-21 12:35 - 2013-07-23 13:10 - 00000000 ____D C:\ProgramData\Apple Computer
2013-08-21 12:35 - 2012-08-03 10:41 - 00000000 ____D C:\Users\Tom Demler\AppData\Local\Apple Computer
2013-08-21 12:34 - 2013-08-21 12:34 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-08-21 12:34 - 2013-08-21 12:34 - 00000000 ____D C:\Program Files\Bonjour
2013-08-21 12:34 - 2013-08-21 12:34 - 00000000 ____D C:\Program Files (x86)\Bonjour
2013-08-21 12:34 - 2011-11-19 17:03 - 00000000 ____D C:\ProgramData\Apple
2013-08-21 12:33 - 2013-08-21 12:33 - 90889040 _____ (Apple Inc.) C:\Users\Tom Demler\Downloads\iTunes64Setup.exe
2013-08-21 11:17 - 2013-08-21 11:17 - 03949064 _____ C:\Users\Tom Demler\Downloads\com.sony.seconddisplay.tabletview.apk

Some content of TEMP:
====================
C:\Users\Tom Demler\AppData\Local\Temp\setup.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

12
Restore point made on: 2013-08-29 05:27:13
Restore point made on: 2013-08-31 07:11:44
Restore point made on: 2013-09-02 04:20:38
Restore point made on: 2013-09-06 03:12:30
Restore point made on: 2013-09-15 04:12:40
Restore point made on: 2013-09-15 07:05:32
Restore point made on: 2013-09-16 06:51:22
Restore point made on: 2013-09-17 07:56:12
Restore point made on: 2013-09-17 09:15:17
Restore point made on: 2013-09-18 04:07:51
Restore point made on: 2013-09-18 08:16:08
Restore point made on: 2013-09-18 12:51:09

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 8174.5 MB
Available physical RAM: 7249.37 MB
Total Pagefile: 8172.7 MB
Available Pagefile: 7246.27 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (System) (Fixed) (Total:238.47 GB) (Free:103.97 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (Gateway) (Fixed) (Total:1377.17 GB) (Free:1042.47 GB) NTFS
Drive f: (PQSERVICE) (Fixed) (Total:20 GB) (Free:9.43 GB) NTFS
Drive h: (MyBook) (Fixed) (Total:465.76 GB) (Free:204.88 GB) NTFS
Drive m: (WDO_Media64) (Removable) (Total:29.87 GB) (Free:20.01 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 238 GB) (Disk ID: AF0B95BF)
Partition 1: (Active) - (Size=238 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1397 GB) (Disk ID: 622AC0EB)
Partition 1: (Not Active) - (Size=20 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=-720303554560) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: 44FDFE06)
Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 7 (MBR Code: Windows 7 or 8) (Size: 30 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=30 GB) - (Type=07 NTFS)


LastRegBack: 2013-09-15 04:19

==================== End Of Log ============================
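A way to triage a listing like the one above without reading it line by line, added here as an example (it is not part of FRST, and not code from the original post). FRST prints one entry per line: modified time, created time, size, a five-character attribute field, an optional "(Company)" string taken from the file's version resource, and the path. The rule applied below is this example's own assumption: an executable sitting in a directory a normal user can write to (Downloads, %TEMP%, AppData, ProgramData) that carries no company string goes on a list for a manual check (Authenticode signature, hash lookup). It is a prompt to verify, not a verdict; the sample lines are copied from the log above, including the bare TEMP path.

```python
"""Triage an FRST "Modified Files and Folders" listing.

Added example for this thread, not part of FRST or of the original post.
FRST prints one entry per line: modified time, created time, size, a
five-character attribute field (R/S/H/D or underscores), an optional
"(Company)" string from the file's version resource, and the path.
The triage rule is an assumption of this example: an executable in a
user-writable directory with no company string needs a manual check
(signature, hash). It is not a verdict.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_RSHD]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

# File types that are executed directly or loaded into a process.
EXEC_SUFFIXES = {".exe", ".dll", ".cpl", ".scr", ".sys", ".msi"}

# Directory fragments (lower-cased) that an unprivileged user can write to.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\",
                 "\\appdata\\roaming\\", "\\programdata\\")

# Names an installer typically resolves relative to its own directory or
# to %TEMP%; a stray file with one of these names is ranked first.
GENERIC_NAMES = {"setup.exe", "install.exe", "update.exe"}


@dataclass
class Entry:
    path: str
    company: Optional[str]   # None when FRST printed no "(Company)" field
    is_dir: bool
    size: int                # -1 for bare paths that carry no metadata


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST line; bare paths (as under "Some content of TEMP") are accepted too."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        return Entry(m["path"], m["company"], "D" in m["attrs"], int(m["size"]))
    if re.match(r"^[A-Za-z]:\\", line):
        return Entry(line, None, False, -1)
    return None


def is_executable(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in EXEC_SUFFIXES


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(frag in low for frag in USER_WRITABLE)


def triage(lines) -> List[str]:
    """Return executables that need a manual check, most suspicious first."""
    ranked = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.is_dir or not is_executable(e.path):
            continue
        if in_user_writable_dir(e.path) and not e.company:
            name = PureWindowsPath(e.path).name.lower()
            ranked.append((0 if name in GENERIC_NAMES else 1, e.path))
    return [path for _, path in sorted(ranked)]


# Lines copied from the FRST log in this thread (one bare TEMP path included).
SAMPLE = r"""
2013-09-19 15:54 - 2013-09-19 15:54 - 01950622 _____ (Farbar) C:\Users\Tom Demler\Downloads\FRST64.exe
2013-09-18 13:00 - 2012-04-12 17:49 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-16 06:32 - 2013-09-16 06:32 - 06892672 _____ C:\Users\Tom Demler\Downloads\PMBP_WIN57_Upgrade1208a.exe
2013-09-18 15:40 - 2013-09-18 15:33 - 00000000 ____D C:\AdwCleaner
2013-08-31 07:11 - 2013-08-31 07:11 - 00763904 _____ C:\Users\Tom Demler\Downloads\MicrosoftFixit50485.msi
C:\Users\Tom Demler\AppData\Local\Temp\setup.exe
""".strip().splitlines()

if __name__ == "__main__":
    for path in triage(SAMPLE):
        print("check:", path)
```

On the sample the Temp\setup.exe comes out first because of its generic name; the two Downloads entries follow. A missing company string is common for self-extracting packages, so the legitimate Microsoft files in the log would also be listed; that is the point of the list, to check them rather than assume.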
 

Fiery

Level 1
Jan 11, 2011
2,007
Do you have the link to where you downloaded the Microsoft file? Do you have the link so I can investigate further?

Your log isn't showing malware presence. An easy solution could be doing a system restore to an earlier date.
 

birdman

New Member
Thread author
Sep 19, 2013
7
This is the link: http://www.microsoft.com/en-us/download/details.aspx?id=2391

I'm sure the link and the files available there are OK. I downloaded each of the versions there to my laptop and executed them. At no time did I end up getting an install of the Adobe Flash plugin. I did a compare of one of the downloaded files on my PC with the same file downloaded to my laptop (FC /b ...). The files were exactly the same yet on the laptop the expected install ran and on my PC the Adobe Flash plugin install started. So there is definitely some kind of problem on my PC. I'm going to try to go back to a previous restore point on my PC. But I have some chores I must get done here at my home. I'll respond later with the results of my restore.
Right now my guess is that there is some registry or policy setting that is triggering this bogus install action.

Thanks for your prompt help.
 

birdman

New Member
Thread author
Sep 19, 2013
7
I've tried restoring a few restore points without success. I have not tried the oldest restore points that are available. I'm concerned that doing so may impact a lot of software. Right now I'd like to try to find out how this particular piece of malware hijacks this product install. I'm curious if what I'm seeing here (or something similar) has been experienced by others. I've tried having SysInternals ProcMon running while trying to run the Utilities and SDK for Subsystem for UNIX install. ProcMon generates a huge amount of data. I've been studying the ProcMon log to try to find out at what point the trojan takes over but so far I've not been successful.
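The usual way to cut a ProcMon trace like this down to size is to keep only the "Process Create" rows and follow the tree from the installer's PID: the question is not what the installer read, but which image path each child process was started from. The script below does that over a CSV export; it is an added example for this thread, not code from the original post or from Sysinternals. It assumes the default columns of ProcMon's CSV export ("Time of Day","Process Name","PID","Operation","Path","Result","Detail") and that a Process Create row names the parent in Process Name/PID, the new image in Path, and the child's PID plus command line in Detail. The rows in SAMPLE_CSV are constructed to resemble the scenario in the thread (an installer in Downloads starting a setup.exe from %TEMP%); the second-stage "stage2.exe" is hypothetical.

```python
"""Extract the process-creation tree from a Process Monitor CSV export.

Added example for this thread; not from the original post or from
Sysinternals. Assumes the default columns of ProcMon's CSV export:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
and that a "Process Create" row names the parent in Process Name/PID,
the new image in Path, and the child's PID plus command line in Detail.
SAMPLE_CSV is constructed, not captured data; "stage2.exe" is hypothetical.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

CREATE_RE = re.compile(r"PID:\s*(?P<pid>\d+),\s*Command line:\s*(?P<cmd>.*)$")

# Directory fragments (lower-cased) an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\")

# The interactive shell; a process it starts was chosen by the user,
# so it is not flagged on its own.
USER_SHELL = "explorer.exe"


@dataclass
class Spawn:
    parent_name: str
    parent_pid: int
    child_path: str
    cmdline: str


def parse_process_creates(csv_text: str) -> Dict[int, Spawn]:
    """Map child PID -> Spawn for every successful Process Create row."""
    creates: Dict[int, Spawn] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create" or row["Result"] != "SUCCESS":
            continue
        m = CREATE_RE.search(row["Detail"])
        if not m:
            continue
        creates[int(m["pid"])] = Spawn(row["Process Name"], int(row["PID"]),
                                       row["Path"], m["cmd"].strip())
    return creates


def spawn_tree(creates: Dict[int, Spawn], root_pid: int,
               depth: int = 0) -> List[Tuple[int, int, str]]:
    """Depth-first (depth, child_pid, image_path) list of everything under root_pid."""
    out: List[Tuple[int, int, str]] = []
    for pid in sorted(p for p, s in creates.items() if s.parent_pid == root_pid):
        out.append((depth, pid, creates[pid].child_path))
        out.extend(spawn_tree(creates, pid, depth + 1))
    return out


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(frag in low for frag in USER_WRITABLE)


def flag_programmatic_spawns(creates: Dict[int, Spawn]) -> List[Tuple[int, str]]:
    """Children started from a user-writable path by something other than the user's shell.

    This is the filter to apply to a huge trace: it leaves only executables
    that an already-running program decided to launch from a location
    anyone can write to.
    """
    return [(pid, s.child_path) for pid, s in sorted(creates.items())
            if in_user_writable(s.child_path) and s.parent_name.lower() != USER_SHELL]


# Constructed rows in ProcMon's CSV layout (not captured data).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:20:01.0000000","Explorer.EXE","1480","Process Create","C:\Users\Tom Demler\Downloads\Utilities and SDK for Subsystem for UNIX-based Applications_X86.exe","SUCCESS","PID: 3012, Command line: ""C:\Users\Tom Demler\Downloads\Utilities and SDK for Subsystem for UNIX-based Applications_X86.exe"""
"10:20:01.5000000","Utilities and SDK for Subsystem for UNIX-based Applications_X86.exe","3012","CreateFile","C:\Users\Tom Demler\AppData\Local\Temp\setup.exe","SUCCESS","Desired Access: Read Attributes"
"10:20:02.0000000","Utilities and SDK for Subsystem for UNIX-based Applications_X86.exe","3012","Process Create","C:\Users\Tom Demler\AppData\Local\Temp\setup.exe","SUCCESS","PID: 3100, Command line: ""C:\Users\Tom Demler\AppData\Local\Temp\setup.exe"""
"10:20:05.0000000","setup.exe","3100","Process Create","C:\Users\Tom Demler\AppData\Local\Temp\stage2.exe","SUCCESS","PID: 3140, Command line: ""C:\Users\Tom Demler\AppData\Local\Temp\stage2.exe"" /quiet"
'''

if __name__ == "__main__":
    creates = parse_process_creates(SAMPLE_CSV)
    for depth, pid, path in spawn_tree(creates, 1480):
        print("  " * depth + f"{pid} {path}")
    for pid, path in flag_programmatic_spawns(creates):
        print("flag:", pid, path)
```

Run it against a real export (File > Save, CSV, all events) and pass the PID of the installer as the root. The installer itself is started by Explorer, so it is not flagged; what is flagged is every binary the installer, or anything it started, launched from a user-writable directory, which is exactly where a legitimate package and a planted setup.exe differ.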
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok, let's run a few scans. Maybe some system setting was changed.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (For Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click Scan then Clean
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner\Adwcleaner[S0].txt

Download & SAVE RogueKiller to your Desktop (or from here)
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply
 

birdman

New Member
Thread author
Sep 19, 2013
7
I believe that I may have resolved this issue. I ran the tool from MalwareBytes (see the log that follows) and it found two files that I removed. I now can run the Utilities and SDK for subsystem for Unix installer and it proceeds normally. I'm surprised that the tools I used earlier didn't find these files. I'm also curious about what caused the installer I was running to use the bogus setup file. I'm going to run the other tools you've suggested to be sure there is nothing lingering in my system.

Thanks again for your assistance.

The Log file:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.27.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tom Demler :: ARUBA [limited]

Protection: Disabled

9/27/2013 11:11:53 AM
mbam-log-2013-09-27 (11-11-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207338
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Tom Demler\Downloads\FinalTorrent2012Setup.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
C:\Users\Tom Demler\Downloads\setup.exe (PUP.Optional.AirInstaller) -> Quarantined and deleted successfully.

(end)
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

It's hard to say what happened initially. Many popular sites have been hijacked by hackers before. When that happens, the bad guys may put a malicious attack on the website so any visitor who visits that site will be targeted. These are called drive-by downloads and are a main reason why keeping your PC up to date is vital.
 
