My system is infected with Sirefef-PL, Atraps-PF, Malware-gen, Bitcoin-A and BitCoinMiner-U. I don't know how I got infected. The last thing I remember is installing a Flash update. A few days earlier my friend changed (just for fun) my wallpaper to some gay porn picture. I asked him and he said he got it from the 4fukr site that he visited on my PC, so maybe this is the source of the infection.
The timeline is as follows:
================================
5th July
================================
1. At 9:42am Avast (v.6.0.1289) started complaining about Win32:Atraps-PF [Trj] and Win32:Malware-gen. Here are the entries from avast quarantine:
name: 80000032.@
original location: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U
virus: Win32:Atraps-PF [Trj]
name: 80000064.@
original location: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U
virus: Win32:Atraps-PF [Trj]
name: 80000000.@
original location: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U
virus: Win32:Malware-gen
There are 30 such entries in avast quarantine between 9:42am and 10:20am.
2. At 10:23am avast detected Win32:Sirefef-PL [Rtk]. Here is the entry from avast quarantine:
name: n
original location: C:\Users\my_name_replaced\AppData\Local\{7eaaf632-a970-98b2-9551-9a43312dca11}
virus: Win32:Sirefef-PL [Rtk]
3. At 11:04am avast detected Java:Bitcoin-A [Trj]. Here's the entry from avast quarantine:
name: com\bitcoinplus\applet\MiningApplet.class
original location: C:\Users\my_name_replaced\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\2e002d9c-64b4a7e8
virus: Java:Bitcoin-A [Trj]
4. At 11:11am avast detected Win32:Sirefef-PL [Rtk] in another two files. Entries from avast quarantine:
name: Desktop.ini
original location: C:\Windows\assembly\GAC_32
virus: Win32:Sirefef-PL [Rtk]
name: Desktop.ini
original location: C:\Windows\assembly\GAC_64
virus: Win32:Sirefef-PL [Rtk]
5. At 11:48 am avast detected Win32:Sirefef-PL [Rtk] in another file, Win32:Malware-gen in another file and also Win32:BitCoinMiner-U [PUP]. Entries from avast quarantine:
name: n
original location: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}
virus: Win32:Sirefef-PL [Rtk]
name: 00000004.@
original location: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U
virus: Win32:Malware-gen
name: 00000008.@
original location: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U
virus: Win32:BitCoinMiner-U [PUP]
Up till now, each time avast said that it had moved the infected file to quarantine and that no further actions were needed. This time it also said that no further actions were needed, but a while later a dialog box appeared asking me to schedule a virus scan before Windows starts. I agreed and rebooted the PC.
6. At 2pm the avast scan finished and Windows started. Avast found 9 infected files:
name: C:\Users\my_name_replaced\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\2e002d9c-64b4a7e8|>com\bitcoinplus\applet\MiningApplet.class
state: threat: Java:Bitcoin-A [Trj]
action: move to quarantine [result: success]
name: C:\Windows\assembly\GAC_32\Desktop.ini
state: threat: Win32:Sirefef-PL [Rtk]
action: move to quarantine [result: success]
name: C:\Windows\assembly\GAC_64\Desktop.ini
state: threat: Win32:Sirefef-PL [Rtk]
action: move to quarantine [result: success]
name: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\n|>[Embedded_I#5608]
state: threat: Win32:Sirefef-PL [Rtk]
action: move to quarantine [result: success]
name: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\n|>[Embedded_I#6e08]
state: threat: Win32:Sirefef-PL [Rtk]
action: move to quarantine [result: no result specified]
name: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\n
state: threat: Win32:Sirefef-PL [Rtk]
action: move to quarantine [result: no result specified]
name: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U\00000004.@
state: threat: Win32:Malware-gen
action: move to quarantine [result: success]
name: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U\00000008.@|>[Embedded_R#00310]
state: PNP: Win32:BitCoinMiner-U [PUP]
action: move to quarantine [result: success]
name: C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U\00000008.@
state: PNP: Win32:BitCoinMiner-U [PUP]
action: move to quarantine [result: no result specified]
7. Using MBAM
MBAM detected Trojan.Dropper.BCMiner:
C:\Windows\Installer\{7eaaf632-a970-98b2-9551-9a43312dca11}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
After the reboot MBAM still detected BCMiner. I repeated this several times (MBAM, reboot) with no further success (BCMiner detected after reboot).
8. Since avast scanned the system before Windows start, the avast quarantine contains entries only for Win32:Atraps-PF [Trj] and Win32:Malware-gen.
================================
6th July
================================
I didn't do anything - avast just kept complaining about Win32:Atraps-PF [Trj] and Win32:Malware-gen.
================================
7th-8th July
================================
The PC was turned off.
================================
9th July
================================
Since avast couldn't handle the situation I started using other tools: OTL, RogueKiller, aswMBR, FRST and FSS. If needed, I can provide full logs.
First I used RogueKiller. It detected some infections (ZeroAccess, HJ). I ordered it to delete the infected items and rebooted the PC. I repeated this (scan, delete, reboot) several times. Each of the first 3 or 4 times made the situation better (fewer infections) and Avast stopped complaining at all. After this RogueKiller couldn't do more. It still reported ZeroAccess infections in c:\windows\assembly\gac_32\desktop.ini and c:\windows\assembly\gac_64\desktop.ini.
Then I used aswMBR. The log contained the following suspicious entries:
15:07:24.766 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
15:07:27.873 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80036a22c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
15:07:27.903 \Driver\atapi[0xfffffa8004490420] -> IRP_MJ_CREATE -> 0xfffffa80036a22c0
15:08:37.814 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
15:08:39.452 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
Then I used FSS. It complained about bad MD5 of the following files: afd.sys, tcpip.sys, mpssvc.dll, SDRSVC.dll, cryptsvc.dll. It also complained about nonexistent Action Center and Windows Defender service keys.
At last I used FRST. It found ZeroAccess in C:\Windows\assembly\GAC_32\Desktop.ini, C:\Windows\assembly\GAC_64\Desktop.ini and in C:\Windows\System32\services.exe.
Oh, I also used TDSSKiller. The results were:
Unsigned file
Service: nlsvc
Suspicious object, medium risk
Locked file
Service: sptd
Suspicious object, medium risk
==========================================
OTL log
==========================================
OTL logfile created on: 2012-07-10 11:54:50 - Run 5
OTL by OldTimer - Version 3.2.53.1 Folder = D:\virus
64bit- Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd
4,00 Gb Total Physical Memory | 1,85 Gb Available Physical Memory | 46,34% Memory free
8,00 Gb Paging File | 5,93 Gb Available in Paging File | 74,23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 149,90 Gb Total Space | 73,02 Gb Free Space | 48,71% Space Free | Partition Type: NTFS
Drive D: | 315,76 Gb Total Space | 20,38 Gb Free Space | 6,46% Space Free | Partition Type: NTFS
Computer Name: fl-PC | User Name: my_name_replaced | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012-07-05 14:47:17 | 000,595,968 | ---- | M] (OldTimer Tools) -- D:\virus\OTL.exe
PRC - [2012-06-21 10:41:35 | 000,800,656 | ---- | M] (Opera Software) -- C:\Program Files (x86)\Opera\pluginwrapper\opera_plugin_wrapper.exe
PRC - [2012-06-21 10:41:34 | 000,874,384 | ---- | M] (Opera Software) -- C:\Program Files (x86)\Opera\opera.exe
PRC - [2012-05-28 17:43:02 | 000,076,888 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2012-05-24 20:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- C:\Users\my_name_replaced\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012-04-04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012-04-04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011-12-06 17:05:28 | 000,024,424 | ---- | M] (Apache Software Foundation) -- C:\Program Files (x86)\VisualSVN Server\bin\VisualSVNServer.exe
PRC - [2011-10-15 10:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011-10-15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011-09-06 22:45:30 | 003,722,416 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011-09-06 22:45:28 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011-08-02 09:33:30 | 004,910,912 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
PRC - [2011-01-17 18:01:46 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
PRC - [2011-01-17 18:01:46 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
========== Modules (No Company Name) ==========
MOD - [2012-07-05 09:44:13 | 009,459,912 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
MOD - [2012-06-21 10:41:40 | 000,276,480 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstwebmdec.dll
MOD - [2012-06-21 10:41:40 | 000,078,336 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstwavparse.dll
MOD - [2012-06-21 10:41:40 | 000,064,000 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstautodetect.dll
MOD - [2012-06-21 10:41:40 | 000,046,592 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstwaveform.dll
MOD - [2012-06-21 10:41:40 | 000,045,568 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gsttypefindfunctions.dll
MOD - [2012-06-21 10:41:39 | 000,783,360 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\gstreamer.dll
MOD - [2012-06-21 10:41:39 | 000,316,928 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstoggdec.dll
MOD - [2012-06-21 10:41:39 | 000,168,448 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstffmpegcolorspace.dll
MOD - [2012-06-21 10:41:39 | 000,099,840 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstcoreplugins.dll
MOD - [2012-06-21 10:41:39 | 000,098,816 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstaudioresample.dll
MOD - [2012-06-21 10:41:39 | 000,098,816 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstaudioconvert.dll
MOD - [2012-06-21 10:41:39 | 000,076,800 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstdirectsound.dll
MOD - [2012-06-21 10:41:39 | 000,068,608 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstdecodebin2.dll
MOD - [2011-10-28 14:34:33 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll
MOD - [2011-10-22 10:16:18 | 000,070,424 | ---- | M] () -- C:\Program Files\TortoiseSVN\bin\libsasl32.dll
MOD - [2009-07-14 03:15:51 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
MOD - [2009-07-14 03:15:51 | 000,232,448 | ---- | M] () -- \\.\globalroot\systemroot\syswow64\mswsock.dll
========== Win32 Services (SafeList) ==========
SRV:64bit: - [2012-03-05 15:45:14 | 001,431,888 | ---- | M] (Flexera Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2011-09-06 22:45:28 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2011-03-21 16:19:16 | 001,845,248 | ---- | M] (Locktime Software) [Auto | Running] -- C:\Program Files\NetLimiter 3\nlsvc.exe -- (nlsvc)
SRV:64bit: - [2009-07-14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008-11-08 02:19:36 | 004,761,416 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90)
SRV - [2012-07-05 09:44:13 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012-05-28 17:43:02 | 000,076,888 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2012-04-04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011-12-06 17:05:28 | 000,024,424 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files (x86)\VisualSVN Server\bin\VisualSVNServer.exe -- (VisualSVNServer)
SRV - [2011-10-15 10:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011-10-15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010-11-11 15:39:34 | 000,128,928 | ---- | M] (Futuremark Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe -- (Futuremark SystemInfo Service)
SRV - [2010-03-18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009-06-10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2012-04-04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012-03-01 08:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011-12-02 18:37:10 | 000,348,560 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\cbfs3.sys -- (cbfs3)
DRV:64bit: - [2011-10-27 12:29:49 | 000,526,392 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2011-09-06 22:38:18 | 000,601,944 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2011-09-06 22:38:16 | 000,301,912 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2011-09-06 22:36:41 | 000,058,200 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2011-09-06 22:36:41 | 000,042,328 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (aswRdr)
DRV:64bit: - [2011-09-06 22:36:30 | 000,065,368 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2011-09-06 22:36:14 | 000,024,408 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2011-06-01 05:16:50 | 000,535,656 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011-03-21 16:44:30 | 000,033,416 | ---- | M] (Locktime Software) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nlndis.sys -- (NLNdisPT)
DRV:64bit: - [2011-03-21 16:44:30 | 000,033,416 | ---- | M] (Locktime Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nlndis.sys -- (NLNdisMP)
DRV:64bit: - [2011-03-21 16:44:28 | 000,088,200 | ---- | M] (Locktime Software) [Kernel | System | Running] -- C:\Program Files\NetLimiter 3\nltdi.sys -- (nltdi)
DRV:64bit: - [2011-03-11 08:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011-03-11 08:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009-08-13 22:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009-07-14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009-07-14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009-07-14 03:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009-07-14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009-06-10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009-06-10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009-06-10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009-06-10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009-07-14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1335383598-3148590315-1204926149-1629\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1335383598-3148590315-1204926149-1629\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-1335383598-3148590315-1204926149-1629\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_262.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
O1 HOSTS File: ([2009-06-10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Virtual Storage Mount Notification) - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O2 - BHO: (COmeaHelper Object) - {09628AAA-66AD-4FA2-82E2-698185B66463} - C:\Program Files (x86)\JetBrains\Omea Reader\IexploreOmeaW.dll (JetBrains Inc)
O2 - BHO: (Virtual Storage Mount Notification) - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {35402C01-1777-4159-9ABA-3480BA70D90A} - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1335383598-3148590315-1204926149-1629..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-1335383598-3148590315-1204926149-1629..\Run: [NetLimiter] C:\Program Files\NetLimiter 3\NLClientApp.exe (Locktime Software)
O4 - HKU\S-1-5-21-2230560716-1881926867-1619574448-1002..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-2230560716-1881926867-1619574448-1002..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\my_name_replaced\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\my_name_replaced\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\my_name_replaced\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Clip and Edit - C:\Program Files (x86)\JetBrains\Omea Reader\IexploreOmeaW.dll (JetBrains Inc)
O8:64bit: - Extra context menu item: Clip and Save - C:\Program Files (x86)\JetBrains\Omea Reader\IexploreOmeaW.dll (JetBrains Inc)
O8:64bit: - Extra context menu item: Subscribe to Feed - C:\Program Files (x86)\JetBrains\Omea Reader\IexploreOmeaW.dll (JetBrains Inc)
O8 - Extra context menu item: Clip and Edit - C:\Program Files (x86)\JetBrains\Omea Reader\IexploreOmeaW.dll (JetBrains Inc)
O8 - Extra context menu item: Clip and Save - C:\Program Files (x86)\JetBrains\Omea Reader\IexploreOmeaW.dll (JetBrains Inc)
O8 - Extra context menu item: Subscribe to Feed - C:\Program Files (x86)\JetBrains\Omea Reader\IexploreOmeaW.dll (JetBrains Inc)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\pnrpnsp.dll File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.100.11 217.8.168.244
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RealityPump.pl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5162EC37-A7E0-4DF9-9352-23785F2C3BE2}: DhcpNameServer = 192.168.100.11 217.8.168.244
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O22:64bit: - SharedTaskScheduler: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - Virtual Storage Mount Notification - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O22 - SharedTaskScheduler: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - Virtual Storage Mount Notification - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{67387440-008c-11e1-bd7e-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{67387440-008c-11e1-bd7e-806e6f6e6963}\Shell\AutoRun\command - "" = M:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2012-07-10 20:11:44 | 000,000,000 | ---D | C] -- C:\FRST
[2012-07-09 15:19:13 | 000,000,000 | ---D | C] -- C:\Users\my_name_replaced\Desktop\RK_Quarantine
[2012-07-05 14:29:29 | 000,000,000 | ---D | C] -- C:\Users\my_name_replaced\AppData\Roaming\Malwarebytes
O17 - HKLM\..\Parameters: DhcpNameServer = 192.168.100.11 217.8.168.244
[2012-07-05 14:29:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012-07-05 14:29:24 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012-07-05 14:29:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012-07-05 14:29:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012-07-05 09:42:27 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2012-06-27 17:09:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpiderOak
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012-07-10 11:44:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012-07-10 10:25:23 | 000,015,344 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012-07-10 10:25:23 | 000,015,344 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012-07-10 10:17:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012-07-10 10:17:41 | 3220,037,632 | -HS- | M] () -- C:\hiberfil.sys
[2012-07-09 13:59:41 | 000,002,068 | ---- | M] () -- C:\Users\my_name_replaced\Documents\Default.rdp
[2012-07-03 11:41:28 | 000,016,250 | ---- | M] () -- C:\Users\my_name_replaced\_viminfo
[2012-07-03 11:40:24 | 000,000,987 | ---- | M] () -- C:\Users\my_name_replaced\.gitk
[2012-06-29 18:24:21 | 000,003,916 | ---- | M] () -- C:\Users\my_name_replaced\.bash_history
[2012-06-15 10:01:45 | 002,146,070 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012-06-15 10:01:45 | 000,679,954 | ---- | M] () -- C:\Windows\SysNative\perfh00C.dat
[2012-06-15 10:01:45 | 000,651,938 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012-06-15 10:01:45 | 000,468,808 | ---- | M] () -- C:\Windows\SysNative\perfh001.dat
[2012-06-15 10:01:45 | 000,128,620 | ---- | M] () -- C:\Windows\SysNative\perfc00C.dat
[2012-06-15 10:01:45 | 000,120,870 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012-06-15 10:01:45 | 000,093,466 | ---- | M] () -- C:\Windows\SysNative\perfc001.dat
[2012-06-14 10:16:19 | 000,003,584 | ---- | M] () -- C:\Users\my_name_replaced\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012-06-14 10:01:40 | 000,001,020 | ---- | M] () -- C:\Users\my_name_replaced\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2012-06-14 09:42:16 | 000,293,240 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012-07-05 09:42:29 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012-06-14 10:16:19 | 000,003,584 | ---- | C] () -- C:\Users\my_name_replaced\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012-05-22 10:43:17 | 000,000,035 | ---- | C] () -- C:\Users\my_name_replaced\.lesshst
[2012-03-15 17:47:51 | 000,358,912 | ---- | C] () -- C:\Windows\SysWow64\pythoncom27.dll
[2012-03-15 17:47:51 | 000,110,080 | ---- | C] () -- C:\Windows\SysWow64\pywintypes27.dll
[2012-03-15 17:47:51 | 000,008,192 | ---- | C] () -- C:\Windows\SysWow64\pythoncomloader27.dll
[2012-03-01 16:17:16 | 000,282,296 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012-03-01 16:17:10 | 002,434,856 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_bc2.exe
[2012-03-01 16:17:10 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012-02-03 11:48:05 | 000,000,000 | ---- | C] () -- C:\Users\my_name_replaced\mydump
[2012-01-24 18:15:36 | 000,000,147 | ---- | C] () -- C:\Users\my_name_replaced\.bash_profile
[2011-10-28 16:31:51 | 000,016,250 | ---- | C] () -- C:\Users\my_name_replaced\_viminfo
[2011-10-28 16:13:39 | 000,003,916 | ---- | C] () -- C:\Users\my_name_replaced\.bash_history
[2011-10-28 14:38:32 | 000,000,987 | ---- | C] () -- C:\Users\my_name_replaced\.gitk
[2011-10-28 11:18:27 | 000,000,017 | ---- | C] () -- C:\Users\my_name_replaced\AppData\Local\resmon.resmoncfg
[2011-10-28 11:06:32 | 000,000,055 | ---- | C] () -- C:\Users\my_name_replaced\.gitconfig
[2011-10-27 13:24:49 | 002,099,428 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011-10-27 11:35:44 | 000,003,048 | R-S- | C] () -- C:\ProgramData\ntuser.pol
[2011-10-15 01:54:52 | 000,321,856 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
========== LOP Check ==========
[2012-03-05 15:55:41 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Autodesk
[2012-05-17 14:47:10 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Awasu
[2011-10-27 13:19:33 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\DAEMON Tools Lite
[2012-07-10 10:18:51 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Dropbox
[2012-03-12 12:55:13 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Eric4
[2012-05-17 15:22:35 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Feedreader
[2011-12-13 11:37:29 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\GHISLER
[2012-03-19 11:04:26 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\IrfanView
[2012-05-22 09:48:36 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\JetBrains
[2012-03-05 16:37:03 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Notepad++
[2011-10-28 14:36:07 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\OpenOffice.org
[2011-10-27 11:52:22 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Opera
[2012-03-01 10:53:56 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Origin
[2012-06-29 17:42:05 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\SpiderOak
[2011-10-28 12:00:53 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Subversion
[2012-06-26 14:59:41 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\uTorrent
[2012-07-04 09:26:06 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\VisualAssist
[2012-03-26 13:27:39 | 000,000,000 | ---D | M] -- C:\Users\my_name_replaced\AppData\Roaming\Wuala
[2012-03-21 10:49:21 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
< End of report >
Edited by flv, 10 July 2012 - 06:28 AM.