Arestocrat strikes again [Closed]


  • This topic is locked

#1
Vandax
Member, 17 posts
I had an issue a couple of weeks ago; I managed to alt-tab and saw the extortion note was called Arestocrat. I rebooted in safe mode with network support, found a thread in these forums and managed to recover my system. My computer was attacked again, only this time, when I reboot to safe mode, the computer shuts itself down and reboots normally, again displaying the extortion note. I had to pull out one of my older PCs to log onto this site. For now, there is next to nothing I can do with the infected computer. About the only thing I can think of is to find the software to remove the problem, burn it to a disk on this computer, and then put that disk as a startup disk in the infected computer, and HOPE that it will read the CD before going to the HDD. Any ideas, suggestions, or assistance would be appreciated.
  • 0



#2
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
Hi, what is the operating system of the sick computer, and is it 32 or 64 bit?

Also, do you have a USB or CD available to use as a boot method?
  • 0

#3
Vandax
Topic Starter, Member, 17 posts
Thanks for the reply. I'm using Win7 on a fairly new laptop (6 mos). I found some info in another thread that has a similar issue. I have followed the instructions (to a point). I'll post some of the instructions and where I got hung up.


NOTE: At the top of your post, click on the "Follow This Topic" button, make sure that the "Receive notification" box is checked and that it is set to "Instantly". This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into Notepad and print them in case it is necessary for you to go offline during the cleanup process. To open Notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
• Restart the computer.
• As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language setting, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language setting, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt

• Select Command Prompt.
• In the command window type in notepad and press Enter.
• Notepad opens. Under the File menu select Open.
• Select "Computer", find your flash drive letter, and close Notepad.
• In the command window type e:\frst64.exe or e:\frst.exe and press Enter.
  Note: Replace the letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to the disclaimer.



Okay, here is where I am hung up. I used a thumb drive and copied the file FRST64 to it. I followed the steps to access the system recovery (BIOS + F8). I've opened notepad, where it wants me to use a *.txt file. FRST64 is an application. Opening it in notepad doesn't work as intended. Is there a way to run this program outside of notepad, or should I have run it on the (not quite as sick) computer, and then copy it to the thumb? Trying not to get too far ahead of myself, and stick to the instructions as best as I can.

Again, thanks for your assist with this.
  • 0

#4
Vandax
Topic Starter, Member, 17 posts
Ah, I might have answered my own question. We are using Notepad to locate the directory/file. I misunderstood. I've closed Notepad and, using the CMD prompt, accessed the thumb drive and ran FRST64.
  • 0

#5
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
OK, could you post the FRST log please?
  • 0
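Before the log itself, here is what a helper scans for in a report like the one posted in the next reply. The script below is an added example, not code from this thread, from its participants or from the author of FRST: it parses FRST-style autostart and created-file lines and flags the three patterns that stand out in this case, namely a Winlogon Shell value that is not explorer.exe, a Run entry launching an unsigned, randomly named executable from a user-writable folder, and the same randomly named file dropped into several locations in the same minute. The sample lines are constructed to mirror entries from the log posted in this thread; the regular expressions, the "random-looking name" heuristic and the two-reasons threshold are assumptions of this example, not FRST's documented format.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the FRST.txt posted later in this thread
# (the suspicious entries are copied from it; the rest are benign filler).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12452456 2012-02-21] (Realtek Semiconductor)
HKU\Vax\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-05-29] (Google Inc.)
HKU\Vax\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Vax\Documents\372e70fa.exe [24064 2013-05-16] ()
HKU\Vax\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION

==================== One Month Created Files and Folders ========

2013-05-16 06:51 - 2013-05-16 06:51 - 01096074 ____A C:\Users\Vax\AppData\Local\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 01096037 ____A C:\Users\Vax\AppData\Roaming\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 01096006 ____A C:\ProgramData\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 00024064 ____A C:\Users\Vax\Documents\372e70fa.exe
2013-05-16 01:03 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
"""

# Assumed line shapes (derived from the log in this thread, not an official spec).
AUTOSTART_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run|Winlogon): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \S+ \S+ - \d+ \S+ "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
# Locations a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")


def image_path(rest):
    """Pull the executable path out of the tail of an FRST autostart line."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', rest, re.I)
    return (m.group(1) or m.group(2)) if m else rest.split(" [", 1)[0]


def publisher(rest):
    """Trailing (Company) field; empty string when FRST found no version info."""
    m = re.search(r"\(([^()]*)\)(?:\s*<====.*)?$", rest)
    return m.group(1).strip() if m else ""


def looks_random(name):
    """Heuristic: hex-only stems (372e70fa, 2433f433) or long letter/digit soup."""
    stem = name.rsplit(".", 1)[0]
    if re.fullmatch(r"[0-9a-f]{8,}", stem, re.I):
        return True
    return len(stem) >= 16 and any(c.isdigit() for c in stem) and stem.isalnum()


def triage(log_text):
    """Return (finding_kind, detail) pairs for the suspicious entries in an FRST log."""
    findings = []
    drops = defaultdict(set)  # (creation minute, file name) -> directories it appeared in
    for line in log_text.splitlines():
        m = AUTOSTART_RE.match(line)
        if m:
            key, name, rest = m.group("key"), m.group("name"), m.group("rest")
            path = image_path(rest)
            # Winlogon\Shell should be explorer.exe; anything else runs instead of the desktop.
            if key == "Winlogon" and name == "Shell" and path.lower().strip() != "explorer.exe":
                findings.append(("winlogon_shell_hijack", line.strip()))
                continue
            reasons = []
            if any(tag in path.lower() for tag in USER_WRITABLE):
                reasons.append("user-writable path")
            if looks_random(name) or looks_random(path.rsplit("\\", 1)[-1]):
                reasons.append("random-looking name")
            if publisher(rest) == "":
                reasons.append("no publisher")
            if len(reasons) >= 2:  # one weak signal alone is common for legitimate software
                findings.append(("suspicious_autostart", line.strip()))
            continue
        m = CREATED_RE.match(line)
        if m:
            directory, _, fname = m.group("path").rpartition("\\")
            drops[(m.group("created"), fname.lower())].add(directory.lower())
    # The same random-named payload written to several folders within one minute is a dropper signature.
    for (minute, fname), dirs in drops.items():
        if len(dirs) >= 2 and looks_random(fname):
            findings.append(("multi_location_drop", f"{fname} at {minute} in {len(dirs)} locations"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Run against the sample, the script reports the three entries that matter in this thread: the Run value pointing at 372e70fa.exe under the user's Documents folder, the Winlogon Shell replaced by cmd.exe, and the 2433f433 file dropped into three directories at 06:51. Everything else in the sample, including vendor autostarts from Program Files and signed Windows update files, is left alone.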

#6
Vandax
Topic Starter, Member, 17 posts
Below are both the FRST and Search text files.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013
Ran by SYSTEM on 16-05-2013 10:41:00
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12452456 2012-02-21] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound HD] "C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe" /f="C:\Program Files\SRS Labs\SRS Control Panel\SRS_Premium_Sound_HD.zip" /h [223180 2012-01-05] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2867984 2011-12-22] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [595840 2012-03-02] ()
HKLM\...\Run: [TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [989056 2012-03-16] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1562032 2012-02-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [630912 2012-02-13] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [x]
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1298816 2011-07-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED [3218864 2011-06-22] (Toshiba)
HKLM-x32\...\Run: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [x]
HKU\Vax\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-05-29] (Google Inc.)
HKU\Vax\...\Run: [googletalk] C:\Users\Vax\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKU\Vax\...\Run: [C3] C:\Program Files (x86)\Vivox\C3\c3.exe [x]
HKU\Vax\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Vax\Documents\372e70fa.exe [24064 2013-05-16] ()
HKU\Vax\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
AppInit_DLLs: [0 ] ()

==================== Services (Whitelisted) =================

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 NAT; C:\Program Files (x86)\Norton Anti-Theft\Engine\1.7.0.20\diMaster.dll [554288 2013-03-29] (Symantec Corporation)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\diMaster.dll [309688 2012-04-12] (Symantec Corporation)
S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\PC Checkup\SymcPCCULaunchSvc.exe [132056 2012-11-15] (Symantec Corporation)
S2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.38\diMaster.dll [132984 2011-11-30] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

S0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [31872 2012-02-01] (Advanced Micro Devices, Inc.)
S3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20121005.002\BHDrvx64.sys [1385632 2012-10-05] (Symantec Corporation)
S3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-08-09] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-10-27] (Symantec Corporation)
S3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20121027.001\IDSvia64.sys [513184 2012-10-27] (Symantec Corporation)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20121026.032\ENG64.SYS [126112 2012-10-27] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20121026.032\EX64.SYS [2084000 2012-10-27] (Symantec Corporation)
S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-10-31] (Symantec Corporation)
S1 ccSet_NAT; \SystemRoot\system32\drivers\NATx64\0107000.014\ccSetx64.sys [x]
S3 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1309010.00E\ccSetx64.sys [x]
S3 L1C; system32\DRIVERS\L1C62x64.sys [x]
S3 SRTSP; \SystemRoot\System32\Drivers\NISx64\1309010.00E\SRTSP64.SYS [x]
S3 SRTSPX; \SystemRoot\system32\drivers\NISx64\1309010.00E\SRTSPX64.SYS [x]
S3 SymDS; \SystemRoot\system32\drivers\NISx64\1309010.00E\SYMDS64.SYS [x]
S3 SymEFA; \SystemRoot\system32\drivers\NISx64\1309010.00E\SYMEFA64.SYS [x]
S3 SymIRON; \SystemRoot\system32\drivers\NISx64\1309010.00E\Ironx64.SYS [x]
S3 SymNetS; \SystemRoot\System32\Drivers\NISx64\1309010.00E\SYMNETS.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-16 10:38 - 2013-05-16 10:38 - 00000000 ____D C:\FRST
2013-05-16 06:51 - 2013-05-16 06:51 - 01096074 ____A C:\Users\Vax\AppData\Local\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 01096037 ____A C:\Users\Vax\AppData\Roaming\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 01096006 ____A C:\ProgramData\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 00024064 ____A C:\Users\Vax\Documents\372e70fa.exe
2013-05-16 01:03 - 2013-05-05 13:36 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-16 01:03 - 2013-05-05 13:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-16 01:03 - 2013-05-05 11:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-16 01:03 - 2013-05-05 11:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-16 01:01 - 2013-04-04 17:19 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-16 01:01 - 2013-04-04 17:08 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-16 01:01 - 2013-04-04 17:01 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-16 01:01 - 2013-04-04 17:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-16 01:01 - 2013-04-04 16:59 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-16 01:01 - 2013-04-04 16:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-16 01:01 - 2013-04-04 16:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-16 01:01 - 2013-04-04 16:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-16 01:01 - 2013-04-04 16:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-16 01:01 - 2013-04-04 16:55 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-16 01:01 - 2013-04-04 16:54 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-16 01:01 - 2013-04-04 16:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-16 01:01 - 2013-04-04 16:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-16 01:01 - 2013-04-04 16:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-16 01:01 - 2013-04-04 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-16 01:01 - 2013-04-04 14:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-16 01:01 - 2013-04-04 14:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-16 01:01 - 2013-04-04 14:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-16 01:01 - 2013-04-04 14:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-16 01:01 - 2013-04-04 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-16 01:01 - 2013-04-04 13:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-16 01:01 - 2013-04-04 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-16 01:01 - 2013-04-04 13:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-16 01:01 - 2013-04-04 13:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-16 01:01 - 2013-04-04 13:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-16 01:01 - 2013-04-04 13:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-16 01:01 - 2013-04-04 13:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-16 01:01 - 2013-04-04 13:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-15 07:19 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-15 07:19 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-15 07:19 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-15 07:19 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-15 07:19 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-15 07:19 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-15 07:19 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-15 07:19 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-15 07:19 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-15 07:19 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-15 07:18 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-15 07:18 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-15 07:18 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-14 14:02 - 2013-05-14 14:43 - 00000000 ____D C:\Program Files (x86)\VentSrv
2013-05-13 19:17 - 2013-05-13 19:17 - 00000000 ____D C:\Users\Vax\AppData\Local\Vivox
2013-05-03 04:36 - 2013-05-04 01:36 - 00002373 ____A C:\Users\Public\Desktop\Norton Anti-Theft.lnk
2013-05-02 02:07 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2013-05-02 02:07 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2013-05-02 02:07 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2013-05-02 02:07 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2013-05-02 01:32 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2013-05-02 01:32 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2013-05-02 01:32 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-05-02 01:32 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2013-05-02 01:31 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2013-05-02 01:31 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2013-05-02 01:31 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2013-05-02 01:31 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2013-05-02 01:31 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2013-05-02 01:31 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2013-05-02 01:31 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2013-05-02 01:31 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2013-05-02 01:13 - 2012-02-29 22:46 - 00023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2013-05-02 01:13 - 2012-02-29 22:33 - 00081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2013-05-02 01:13 - 2012-02-29 22:28 - 00005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2013-05-02 01:13 - 2012-02-29 21:33 - 00159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2013-05-02 01:13 - 2012-02-29 21:29 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2013-05-01 04:14 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-05-01 04:14 - 2012-11-08 21:45 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-05-01 04:14 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-05-01 04:14 - 2012-11-08 20:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-05-01 04:14 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2013-05-01 04:14 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2013-05-01 04:14 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2013-05-01 04:14 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2013-05-01 04:14 - 2012-03-02 22:35 - 01544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-05-01 04:14 - 2012-03-02 21:31 - 01077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-05-01 04:13 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-05-01 04:13 - 2013-02-14 22:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-05-01 04:13 - 2013-02-14 22:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-05-01 04:13 - 2013-02-14 22:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-05-01 04:13 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-05-01 04:13 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-05-01 04:13 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-05-01 04:13 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-05-01 04:13 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-05-01 04:13 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2013-05-01 04:13 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2013-05-01 04:13 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2013-05-01 04:13 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2013-05-01 04:13 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2013-05-01 04:13 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2013-05-01 04:13 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2013-05-01 04:13 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2013-05-01 04:13 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2013-05-01 04:13 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2013-05-01 04:13 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2013-05-01 04:13 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2013-05-01 04:13 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2013-05-01 04:13 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2013-05-01 04:13 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2013-05-01 04:13 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2013-05-01 04:13 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2013-05-01 04:13 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2013-05-01 04:13 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2013-05-01 04:13 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2013-05-01 04:13 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2013-05-01 04:13 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2013-05-01 04:13 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2013-05-01 04:13 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2013-05-01 04:13 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2013-05-01 04:13 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2013-05-01 04:13 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2013-05-01 04:13 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2013-05-01 04:13 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2013-05-01 04:12 - 2013-01-03 21:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-05-01 04:12 - 2013-01-03 20:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-05-01 04:12 - 2013-01-03 18:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-05-01 04:12 - 2013-01-03 18:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-05-01 04:12 - 2013-01-03 18:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-05-01 04:12 - 2013-01-03 18:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-05-01 04:12 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-05-01 04:12 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-05-01 04:12 - 2012-11-01 21:59 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2013-05-01 04:12 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll
2013-05-01 04:12 - 2012-08-24 10:05 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-05-01 04:12 - 2012-08-24 08:57 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-05-01 04:12 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2013-05-01 04:11 - 2013-01-02 22:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-05-01 04:11 - 2013-01-02 22:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2013-05-01 04:11 - 2012-12-07 05:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll
2013-05-01 04:11 - 2012-12-07 05:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll
2013-05-01 04:11 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll
2013-05-01 04:11 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll
2013-05-01 04:11 - 2012-12-07 03:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs
2013-05-01 04:11 - 2012-12-07 03:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs
2013-05-01 04:11 - 2012-12-07 03:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs
2013-05-01 04:11 - 2012-12-07 03:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs
2013-05-01 04:11 - 2012-12-07 03:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs
2013-05-01 04:11 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs
2013-05-01 04:11 - 2012-12-07 03:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs
2013-05-01 04:11 - 2012-12-07 03:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs
2013-05-01 04:11 - 2012-12-07 03:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs
2013-05-01 04:11 - 2012-12-07 03:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs
2013-05-01 04:11 - 2012-12-07 03:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs
2013-05-01 04:11 - 2012-12-07 03:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs
2013-05-01 04:11 - 2012-12-07 03:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs
2013-05-01 04:11 - 2012-12-07 03:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs
2013-05-01 04:11 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs
2013-05-01 04:11 - 2012-11-21 21:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll
2013-05-01 04:11 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2013-05-01 04:11 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2013-05-01 04:11 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2013-05-01 04:10 - 2012-11-29 21:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-05-01 04:10 - 2012-11-29 21:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-05-01 04:10 - 2012-11-29 21:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-05-01 04:10 - 2012-11-29 21:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-05-01 04:10 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-05-01 04:10 - 2012-11-29 21:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 21:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-05-01 04:10 - 2012-11-29 20:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 19:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-05-01 04:10 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-05-01 04:10 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls
2013-05-01 04:10 - 2012-11-29 15:15 - 00420064 ____A C:\Windows\System32\locale.nls
2013-05-01 04:10 - 2012-08-10 16:56 - 00715776 ____A (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2013-05-01 04:10 - 2012-08-10 15:56 - 00542208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2013-05-01 04:10 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2013-05-01 04:10 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2013-05-01 04:10 - 2012-03-16 23:58 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2013-05-01 04:09 - 2013-03-18 22:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-05-01 04:09 - 2013-03-18 21:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-05-01 04:09 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-05-01 04:09 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-05-01 04:09 - 2013-03-18 20:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-05-01 04:09 - 2013-03-18 19:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-05-01 04:09 - 2013-01-23 22:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-05-01 04:09 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-05-01 04:09 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2013-05-01 04:09 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2013-05-01 04:09 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2013-05-01 04:09 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2013-05-01 04:09 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2013-05-01 04:09 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2013-05-01 04:09 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2013-05-01 04:09 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2013-05-01 04:09 - 2012-05-05 00:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2013-05-01 04:09 - 2012-05-04 23:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2013-05-01 04:09 - 2011-02-22 20:55 - 00090624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bowser.sys
2013-05-01 04:02 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2013-05-01 04:02 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2013-05-01 03:59 - 2012-06-01 21:41 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-05-01 03:59 - 2012-06-01 21:41 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-05-01 03:59 - 2012-06-01 21:41 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-05-01 03:59 - 2012-06-01 20:36 - 01159680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-05-01 03:59 - 2012-06-01 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-05-01 03:59 - 2012-06-01 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-05-01 03:59 - 2012-02-10 22:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2013-05-01 03:59 - 2012-02-10 22:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2013-05-01 03:46 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2013-05-01 03:46 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2013-05-01 03:46 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2013-05-01 03:46 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2013-05-01 03:46 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2013-05-01 03:46 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2013-05-01 03:46 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2013-05-01 03:46 - 2012-06-02 13:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2013-05-01 03:46 - 2012-06-02 13:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2013-05-01 03:26 - 2013-05-01 03:26 - 00001084 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-01 03:26 - 2013-05-01 03:26 - 00000000 ____D C:\Users\Vax\AppData\Roaming\Malwarebytes
2013-05-01 03:26 - 2013-05-01 03:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-01 03:26 - 2013-05-01 03:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-01 03:26 - 2013-04-04 12:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-01 03:24 - 2013-05-01 03:24 - 00001217 ____A C:\Users\Vax\Desktop\PC Utility Kit.lnk
2013-05-01 03:24 - 2013-05-01 03:24 - 00000442 ____A C:\Windows\Tasks\PC Utility Kit Update3.job
2013-05-01 03:24 - 2013-05-01 03:24 - 00000440 ____A C:\Windows\Tasks\PC Utility Kit.job
2013-05-01 03:24 - 2013-05-01 03:24 - 00000428 ____A C:\Windows\Tasks\PC Utility Kit Registration3.job
2013-05-01 03:24 - 2013-05-01 03:24 - 00000000 ____D C:\Users\Vax\AppData\Roaming\PC Utility Kit
2013-05-01 03:24 - 2013-05-01 03:24 - 00000000 ____D C:\Users\Vax\AppData\Roaming\DriverCure
2013-05-01 03:24 - 2013-05-01 03:24 - 00000000 ____D C:\ProgramData\PC Utility Kit
2013-05-01 03:24 - 2013-05-01 03:24 - 00000000 ____D C:\Program Files (x86)\PC Utility Kit
2013-05-01 02:00 - 2013-05-01 02:00 - 00000000 ____D C:\Program Files (x86)\ESET
2013-05-01 01:58 - 2013-05-01 03:21 - 00073436 ____A C:\Users\Vax\Desktop\OTL.Txt
2013-05-01 01:58 - 2013-05-01 01:58 - 00070556 ____A C:\Users\Vax\Desktop\Extras.Txt
2013-05-01 01:53 - 2013-05-01 01:53 - 00602112 ____A (OldTimer Tools) C:\Users\Vax\Desktop\OTL.exe
2013-05-01 01:51 - 2013-05-01 01:51 - 00000099 ____A C:\Windows\Reimage.ini
2013-05-01 01:19 - 2013-05-01 01:20 - 00602112 ____A (OldTimer Tools) C:\Users\Vax\Downloads\OTL.exe
2013-05-01 01:05 - 2013-05-01 01:05 - 00000000 ____D C:\ProgramData\Book Place
2013-05-01 01:02 - 2013-05-01 01:05 - 00000000 ____D C:\Users\Vax\AppData\Roaming\Book Place
2013-05-01 01:02 - 2013-05-01 01:02 - 00000000 ____D C:\Users\Vax\Documents\Book Place
2013-05-01 00:30 - 2013-05-01 00:30 - 02250054 ____A C:\ProgramData\1.bmp
2013-04-23 10:57 - 2013-04-23 10:57 - 00012501 ____A C:\Users\Vax\Desktop\hs_err_pid23240.log

==================== One Month Modified Files and Folders =======

2013-05-16 10:38 - 2013-05-16 10:38 - 00000000 ____D C:\FRST
2013-05-16 07:51 - 2012-04-16 01:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-16 07:49 - 2009-07-13 20:45 - 00024608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-16 07:49 - 2009-07-13 20:45 - 00024608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-16 07:48 - 2012-05-29 09:20 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-16 07:42 - 2013-03-13 01:02 - 00000410 ____A C:\Windows\Tasks\Quick PC Booster64 startups.job
2013-05-16 07:42 - 2012-05-29 09:20 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-16 07:41 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-16 07:41 - 2009-07-13 20:51 - 00037856 ____A C:\Windows\setupact.log
2013-05-16 07:30 - 2012-05-29 08:06 - 01586694 ____A C:\Windows\WindowsUpdate.log
2013-05-16 06:51 - 2013-05-16 06:51 - 01096074 ____A C:\Users\Vax\AppData\Local\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 01096037 ____A C:\Users\Vax\AppData\Roaming\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 01096006 ____A C:\ProgramData\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 00024064 ____A C:\Users\Vax\Documents\372e70fa.exe
2013-05-16 05:44 - 2009-07-13 20:45 - 00275712 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-16 05:43 - 2010-11-20 19:47 - 00028940 ____A C:\Windows\PFRO.log
2013-05-16 01:07 - 2009-07-13 21:13 - 00794134 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-15 12:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-05-15 11:45 - 2013-03-04 12:40 - 00000000 ____D C:\Program Files (x86)\Graboid
2013-05-15 11:44 - 2012-04-16 02:00 - 00000000 ____D C:\Program Files\Toshiba
2013-05-15 11:42 - 2013-03-13 00:51 - 00000000 ____D C:\ProgramData\Yahoo!
2013-05-15 11:42 - 2013-03-13 00:51 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2013-05-14 23:51 - 2012-04-16 01:58 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-14 23:51 - 2012-04-16 01:58 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-14 14:45 - 2012-12-29 08:41 - 00000000 ____D C:\Users\Vax\AppData\Roaming\Ventrilo
2013-05-14 14:43 - 2013-05-14 14:02 - 00000000 ____D C:\Program Files (x86)\VentSrv
2013-05-13 19:17 - 2013-05-13 19:17 - 00000000 ____D C:\Users\Vax\AppData\Local\Vivox
2013-05-12 15:07 - 2012-04-16 01:58 - 00000000 ____D C:\ProgramData\Adobe
2013-05-06 15:56 - 2012-10-22 17:31 - 00000000 ____D C:\Program Files (x86)\Steam
2013-05-05 13:36 - 2013-05-16 01:03 - 17818624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-05 13:16 - 2013-05-16 01:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-05 11:25 - 2013-05-16 01:03 - 12324864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-05 11:12 - 2013-05-16 01:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-05 04:18 - 2013-01-23 12:52 - 00000000 ____D C:\Users\Vax\AppData\Local\CrashDumps
2013-05-04 02:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-05-04 01:36 - 2013-05-03 04:36 - 00002373 ____A C:\Users\Public\Desktop\Norton Anti-Theft.lnk
2013-05-04 01:36 - 2012-05-29 09:26 - 00000000 ____D C:\Windows\System32\Drivers\NATx64
2013-05-03 04:36 - 2012-04-16 02:10 - 00000000 ____D C:\ProgramData\Norton
2013-05-02 12:03 - 2012-10-22 15:50 - 00058016 ____A C:\Users\Vax\AppData\Local\GDIPFONTCACHEV1.DAT
2013-05-02 11:59 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-05-02 11:58 - 2010-11-20 23:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-05-02 02:33 - 2012-05-29 09:30 - 00773612 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-05-02 00:06 - 2010-11-20 19:27 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-05-01 03:26 - 2013-05-01 03:26 - 00001084 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-01 03:26 - 2013-05-01 03:26 - 00000000 ____D C:\Users\Vax\AppData\Roaming\Malwarebytes
2013-05-01 03:26 - 2013-05-01 03:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-01 03:26 - 2013-05-01 03:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-01 03:24 - 2013-05-01 03:24 - 00001217 ____A C:\Users\Vax\Desktop\PC Utility Kit.lnk
2013-05-01 03:24 - 2013-05-01 03:24 - 00000442 ____A C:\Windows\Tasks\PC Utility Kit Update3.job
2013-05-01 03:24 - 2013-05-01 03:24 - 00000440 ____A C:\Windows\Tasks\PC Utility Kit.job
2013-05-01 03:24 - 2013-05-01 03:24 - 00000428 ____A C:\Windows\Tasks\PC Utility Kit Registration3.job
2013-05-01 03:24 - 2013-05-01 03:24 - 00000000 ____D C:\Users\Vax\AppData\Roaming\PC Utility Kit
2013-05-01 03:24 - 2013-05-01 03:24 - 00000000 ____D C:\Users\Vax\AppData\Roaming\DriverCure
2013-05-01 03:24 - 2013-05-01 03:24 - 00000000 ____D C:\ProgramData\PC Utility Kit
2013-05-01 03:24 - 2013-05-01 03:24 - 00000000 ____D C:\Program Files (x86)\PC Utility Kit
2013-05-01 03:21 - 2013-05-01 01:58 - 00073436 ____A C:\Users\Vax\Desktop\OTL.Txt
2013-05-01 02:00 - 2013-05-01 02:00 - 00000000 ____D C:\Program Files (x86)\ESET
2013-05-01 01:58 - 2013-05-01 01:58 - 00070556 ____A C:\Users\Vax\Desktop\Extras.Txt
2013-05-01 01:53 - 2013-05-01 01:53 - 00602112 ____A (OldTimer Tools) C:\Users\Vax\Desktop\OTL.exe
2013-05-01 01:51 - 2013-05-01 01:51 - 00000099 ____A C:\Windows\Reimage.ini
2013-05-01 01:20 - 2013-05-01 01:19 - 00602112 ____A (OldTimer Tools) C:\Users\Vax\Downloads\OTL.exe
2013-05-01 01:10 - 2012-05-29 09:34 - 00000000 ____D C:\Program Files (x86)\TOSHIBA Games
2013-05-01 01:09 - 2012-05-29 09:34 - 00000000 ____D C:\ProgramData\WildTangent
2013-05-01 01:05 - 2013-05-01 01:05 - 00000000 ____D C:\ProgramData\Book Place
2013-05-01 01:05 - 2013-05-01 01:02 - 00000000 ____D C:\Users\Vax\AppData\Roaming\Book Place
2013-05-01 01:02 - 2013-05-01 01:02 - 00000000 ____D C:\Users\Vax\Documents\Book Place
2013-05-01 01:00 - 2012-05-29 09:31 - 00000000 ____D C:\Users\Public\Book Place
2013-05-01 00:30 - 2013-05-01 00:30 - 02250054 ____A C:\ProgramData\1.bmp
2013-04-23 10:57 - 2013-04-23 10:57 - 00012501 ____A C:\Users\Vax\Desktop\hs_err_pid23240.log

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-13 19:14:42
Restore point made on: 2013-05-14 14:01:46
Restore point made on: 2013-05-15 07:15:41
Restore point made on: 2013-05-15 11:41:28
Restore point made on: 2013-05-15 11:43:34
Restore point made on: 2013-05-15 11:44:42
Restore point made on: 2013-05-16 01:00:44

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 5601.33 MB
Available physical RAM: 4948.36 MB
Total Pagefile: 5599.53 MB
Available Pagefile: 4938.18 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (TI106412W0C) (Fixed) (Total:581.38 GB) (Free:473.5 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.25 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
Drive e: (Sims3EP03) (CDROM) (Total:6.75 GB) (Free:0 GB) UDF
Drive f: (G45M-CD10I) (Removable) (Total:3.72 GB) (Free:2.57 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 596 GB) (Disk ID: 17DF695F)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=581 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=17)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


Last Boot: 2013-05-14 17:07

==================== End Of Log ============================

Farbar Recovery Scan Tool (x64) Version: 14-05-2013
Ran by SYSTEM at 2013-05-16 10:47:55
Running from F:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
  • 0
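The FRST listing above runs to hundreds of rows, and the entries that matter (the four files that appeared at 2013-05-16 06:51: three hex-named blobs in AppData and ProgramData plus 372e70fa.exe in the user's Documents folder) are easy to miss among the Microsoft Corporation update rows. The following Python script is an added example for this thread, not part of FRST and not code from anyone in the thread; it parses FRST's file-line format and applies three triage heuristics that are my own assumptions for illustration: an executable with no company name in a user-writable path, a file name made only of hex digits, and several files landing in user-writable paths within the same minute. The sample lines are copied from the log posted above.

```python
"""Triage helper for FRST 'One Month Created Files' output.

Added example for this thread; it is not part of FRST (Farbar Recovery
Scan Tool) and only reads the text format FRST prints. The heuristics
are assumptions chosen for illustration, not FRST's own detection logic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One FRST file line: "<created> - <modified> - <size> <attrs> [(company)] <path>"
# FRST's Modified section swaps the two timestamp columns (compare the OTL.Txt
# rows in the two sections above), so feed this one section at a time.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".vbs", ".js", ".bat", ".cmd", ".pif"}
# Places a standard user can write to; system binaries do not belong here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$")
BURST_MIN = 3  # files landing in user-writable paths within one minute (assumed threshold)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str                 # ____A archive, ____D directory, ___AH hidden
    publisher: Optional[str]   # CompanyName from the file's version resource, if any
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse(log_text: str) -> List[Entry]:
    """Turn FRST file lines into Entry records; headers and blanks are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]),
                                 m["attrs"], m["publisher"], m["path"]))
    return entries


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for the files that deserve a closer look."""
    files = [e for e in parse(log_text) if not e.is_dir]
    # How many files appeared in user-writable locations during each minute.
    burst = Counter(e.created for e in files
                    if e.path.lower().startswith(USER_WRITABLE))
    flagged: Dict[str, List[str]] = {}
    for e in files:
        writable = e.path.lower().startswith(USER_WRITABLE)
        name = e.path.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        stem = name[:-len(ext)] if ext else name
        reasons = []
        if writable and ext in EXEC_EXT and not e.publisher:
            reasons.append("executable without publisher in user-writable path")
        if HEX_NAME.match(stem.lower()):
            reasons.append("random-looking hex file name")
        if writable and burst[e.created] >= BURST_MIN:
            reasons.append(f"{burst[e.created]} files dropped in user-writable "
                           f"paths at {e.created}")
        if reasons:
            flagged[e.path] = reasons
    return flagged


# Sample input: rows copied from the FRST log posted above (Created section,
# plus the four 06:51 rows, whose two timestamps are identical either way).
SAMPLE_LOG = r"""==================== One Month Created Files and Folders ========

2013-05-16 06:51 - 2013-05-16 06:51 - 01096074 ____A C:\Users\Vax\AppData\Local\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 01096037 ____A C:\Users\Vax\AppData\Roaming\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 01096006 ____A C:\ProgramData\2433f433
2013-05-16 06:51 - 2013-05-16 06:51 - 00024064 ____A C:\Users\Vax\Documents\372e70fa.exe
2013-05-01 04:10 - 2012-11-29 21:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-05-01 03:26 - 2013-05-01 03:26 - 00001084 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-01 03:26 - 2013-05-01 03:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-05-01 03:26 - 2013-04-04 12:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-01 01:53 - 2013-05-01 01:53 - 00602112 ____A (OldTimer Tools) C:\Users\Vax\Desktop\OTL.exe
2013-05-01 00:30 - 2013-05-01 00:30 - 02250054 ____A C:\ProgramData\1.bmp
2013-04-23 10:57 - 2013-04-23 10:57 - 00012501 ____A C:\Users\Vax\Desktop\hs_err_pid23240.log
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only the four 06:51 files are flagged; OTL.exe on the Desktop is not, because it carries a company name. That column is the CompanyName from the file's version resource, not a signature check, so a missing name is a pointer rather than proof and a present name can be forged. Confirm anything flagged with a hash lookup, the way FRST's Bamital & volsnap check compares MD5s of the core system binaries. To use it on a real log, paste the whole Created section into SAMPLE_LOG or read the file into triage().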

#7
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's get you back to normal Windows.

Download the attached fixlist.txt to the same USB as FRST
[attachment=64671:fixlist.txt]
Run FRST as before and press Fix
A log will be generated on the USB; please post that.


THEN

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    winsock.*
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

  • 0

#8
Vandax

Vandax

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I've tried twice to post my results here and received a 404 (site could not be found) both times. Trying again; if this takes, I'll continue with the results.

Apparently, the results I received in OTL cannot be posted to this site?!? Every time I try to post them, the site kicks me off for about 5-10 minutes on both computers.

What happens if I run RogueKiller after OTL?

Edited by Vandax, 16 May 2013 - 01:51 PM.

  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Are you back to normal Windows?

If so, run this prior to OTL:

  • Download RogueKiller and save it on your desktop.

    NOTE: If using IE8 or better, SmartScreen Filter will need to be disabled.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.
  • 0

#10
Vandax

Vandax

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Vax [Admin rights]
Mode : Scan -- Date : 05/16/2013 13:56:16
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OTL.exe -- C:\Users\Vax\Desktop\OTL.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4484 : wscript.exe C:\Users\Vax\AppData\Local\Temp\launchie.vbs //B -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\Command Processor : AutoRun ("C:\Users\Vax\Documents\372e70fa.exe") -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6475GSX ATA Device +++++
--- User ---
[MBR] 7b5a1601696595185f1c266ad43f7d79
[BSP] 6fdae2aacb23ea1cef4fe813854b94ad : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 595329 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1222307840 | Size: 13650 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05162013_02d1356.txt >>
RKreport[1]_S_05162013_02d1356.txt





Time : 16/05/2013 13:56:16
--------------------------
[OTL.exe.vir] -> C:\Users\Vax\Desktop\OTL.exe


Time : 16/05/2013 14:04:33
--------------------------
[OTL.exe.vir] -> C:\Users\Vax\Desktop\OTL.exe


Time : 16/05/2013 14:10:18
--------------------------
[OTL.exe.vir] -> C:\Users\Vax\Desktop\OTL.exe



RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Vax [Admin rights]
Mode : Remove -- Date : 05/16/2013 14:04:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OTL.exe -- C:\Users\Vax\Desktop\OTL.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> DELETED
[TASK][ROGUE ST] 4484 : wscript.exe C:\Users\Vax\AppData\Local\Temp\launchie.vbs //B -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\Command Processor : AutoRun ("C:\Users\Vax\Documents\372e70fa.exe") -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6475GSX ATA Device +++++
--- User ---
[MBR] 7b5a1601696595185f1c266ad43f7d79
[BSP] 6fdae2aacb23ea1cef4fe813854b94ad : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 595329 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1222307840 | Size: 13650 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_05162013_02d1404.txt >>
RKreport[1]_S_05162013_02d1356.txt ; RKreport[2]_D_05162013_02d1404.txt



RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Vax [Admin rights]
Mode : Shortcuts HJfix -- Date : 05/16/2013 14:10:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OTL.exe -- C:\Users\Vax\Desktop\OTL.exe [-] -> KILLED [TermProc]

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 14 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 131 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 83 / Fail 32
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[Q:] \Device\SftVol -- 0x3 --> Restored

Finished : << RKreport[3]_SC_05162013_02d1410.txt >>
RKreport[1]_S_05162013_02d1356.txt ; RKreport[2]_D_05162013_02d1404.txt ; RKreport[3]_SC_05162013_02d1410.txt

Edited by Vandax, 16 May 2013 - 02:17 PM.

  • 0
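The three reports above come from three RogueKiller modes (Scan, Remove, Shortcuts HJfix), and the question to settle before moving on is whether the Remove pass acted on every registry entry the Scan pass found, and which files those entries pointed at so they can be checked on disk. The Python below is an added example for this thread, not RogueKiller's code and not posted by anyone here; it reads the RKreport text format shown above (the section fences, the Mode line and the `[TAG] item -> ACTION` finding lines), reconciles each Scan finding against the Remove actions, and extracts the file paths the findings reference. The sample input is the Scan and Remove reports posted above, trimmed to the banner, the Mode line and the relevant sections.

```python
"""Reconcile RogueKiller Scan and Remove reports.

Added example for this thread; it is not RogueKiller's code and only reads
the RKreport text shown above. Section titles, the Mode line and the
"[TAG] item -> ACTION" finding format are taken from those reports.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

SECTION_MARK = "\u00a4"  # the '¤' RogueKiller uses to fence section titles
MODE_RE = re.compile(r"^Mode : (?P<mode>.+?) -- Date : (?P<date>.+)$")
FINDING_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]*\])+) (?P<item>.+?) -> (?P<action>[A-Z][A-Z ]*(?:\(\d+\))?)$"
)
# A file path inside a finding; may contain spaces ("Program Files (x86)").
PATH_RE = re.compile(
    r"[A-Za-z]:\\\S+(?: \S+)*?\.(?:exe|dll|vbs|js|bat|cmd|scr)\b", re.IGNORECASE
)


@dataclass
class Finding:
    tags: str    # e.g. "[TASK][ROGUE ST]" or "[HJ]"
    item: str    # the registry location / value exactly as RogueKiller prints it
    action: str  # FOUND in a Scan run; DELETED, REPLACED (0), ... in a Remove run


@dataclass
class Report:
    mode: str = ""
    date: str = ""
    findings: List[Finding] = field(default_factory=list)


def parse_reports(text: str) -> List[Report]:
    """Split concatenated RKreport text into reports with their registry findings."""
    reports: List[Report] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RogueKiller V"):      # banner starts a new report
            reports.append(Report())
            section = ""
        elif not reports:
            continue
        elif (m := MODE_RE.match(line)):
            reports[-1].mode, reports[-1].date = m["mode"], m["date"]
        elif line.startswith(SECTION_MARK):       # "¤¤¤ Registry Entries : 5 ¤¤¤"
            section = line.strip(SECTION_MARK).strip()
        elif section.startswith("Registry Entries"):
            if (f := FINDING_RE.match(line)):
                reports[-1].findings.append(Finding(f["tags"], f["item"], f["action"]))
    return reports


def reconcile(text: str) -> Dict[str, str]:
    """For every Scan finding, say whether a Remove run in the same text acted on it."""
    reports = parse_reports(text)
    acted_on = {f.item for r in reports if r.mode == "Remove"
                for f in r.findings if f.action != "FOUND"}
    return {f.item: ("remediated" if f.item in acted_on else "still present")
            for r in reports if r.mode == "Scan" for f in r.findings}


def referenced_paths(text: str) -> Set[str]:
    """Files named by Scan findings: the artifacts to verify on disk afterwards."""
    return {p for r in parse_reports(text) if r.mode == "Scan"
            for f in r.findings for p in PATH_RE.findall(f.item)}


# Sample input: the Scan and Remove reports posted above, trimmed.
SCAN_REPORT = r"""RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
Mode : Scan -- Date : 05/16/2013 13:56:16
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OTL.exe -- C:\Users\Vax\Desktop\OTL.exe [-] -> KILLED [TermProc]
¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4484 : wscript.exe C:\Users\Vax\AppData\Local\Temp\launchie.vbs //B -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\Command Processor : AutoRun ("C:\Users\Vax\Documents\372e70fa.exe") -> FOUND
"""
REMOVE_REPORT = r"""RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
Mode : Remove -- Date : 05/16/2013 14:04:33
¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> DELETED
[TASK][ROGUE ST] 4484 : wscript.exe C:\Users\Vax\AppData\Local\Temp\launchie.vbs //B -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\Command Processor : AutoRun ("C:\Users\Vax\Documents\372e70fa.exe") -> DELETED
"""
SAMPLE_REPORTS = SCAN_REPORT + REMOVE_REPORT

if __name__ == "__main__":
    for item, status in reconcile(SAMPLE_REPORTS).items():
        print(f"{status:13} {item}")
    print("check on disk:", *sorted(referenced_paths(SAMPLE_REPORTS)), sep="\n  ")
```

On the reports above every Scan finding comes back as remediated; passing only SCAN_REPORT marks all five as still present, which is the state to expect when a Remove pass was skipped or failed. The Command Processor AutoRun value is worth singling out: cmd.exe runs whatever it names each time it starts, so a hijack there relaunches a payload even after the rogue scheduled tasks are gone, and 372e70fa.exe (which FRST listed under Documents) is the file to confirm has been removed. The path list also contains iexplore.exe from the first rogue task; that is a legitimate binary launched by a rogue task, so the task entry, not the binary, is the artifact there.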

#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
If you could run the OTL scan now, I will clean up any remnants. How is the computer now?
  • 0

#12
Vandax

Vandax

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Tested it just a bit; the fact that I can start the PC without having the extortion screen is already a good start. I'll continue to check it out and post more later today, once I've put it through the paces. Thanks again for the assistance; I'll post again soon.
  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
There is probably still a remnant on there, so an OTL scan will enable me to remove it.
  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





