Windows 7 64bit
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9644576 2009-12-14] (Realtek Semiconductor)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-04] (Intel(R) Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2074408 2010-02-26] (Synaptics Incorporated)
HKLM\...\Run: [IntelWirelessWiMAX] "C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" /tasktray /nosplash [1441792 2010-06-07] (Intel® Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [497648 2010-07-28] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [103720 2009-12-03] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [91432 2009-07-16] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [50472 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2010-01-12] (cyberlink)
HKLM-x32\...\Run: [UpdatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2010-01-11] (CyberLink Corp.)
HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [300400 2010-03-10] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [273544 2011-05-27] (RealNetworks, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [Clearwire Connection Manager] "C:\Program Files (x86)\Clearwire\Connection Manager\ClearwireCM.exe" -a [54608 2010-05-25] (ClearwireCM)
HKU\R of the J\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-07-07] (Google Inc.)
HKU\R of the J\...\Run: [IMC] C:\Program Files (x86)\FriendFinder\FriendFinder Messenger 4\imc.exe
HKU\Tara\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-07-07] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
==================== Services (Whitelisted) ===================
3 CACLEARWIRE; "C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe" /n "CACLEARWIRE" [124240 2010-05-25] (SmithMicro Inc.)
3 clearwireDeviceDiagnosticsService; "C:\Program Files (x86)\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe" [399872 2010-04-19] ()
3 CLEARWIRERcAppSvc; "C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe" /n "CLEARWIRERcAppSvc" [120144 2010-05-25] (SmithMicro Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-04] ()
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-07] ()
2 SMSI Device Launch Service; "C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe" /n "SMSI Device Launch Service" [107856 2010-05-25] ()
2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2320920 2010-02-03] (Intel Corporation)
==================== Drivers (Whitelisted) ===================
3 bcm; C:\Windows\System32\DRIVERS\drxvi314_64.sys [359040 2010-03-26] (Beceem communications pvt ltd.)
3 bcmbusctr; C:\Windows\System32\DRIVERS\BcmBusCtr_64.sys [62976 2010-03-26] (Beceem communications pvt ltd.)
1 ctxusbm; C:\Windows\System32\Drivers\ctxusbm.sys [87600 2009-10-05] (Citrix Systems, Inc.)
3 PCTINDIS5X64; \??\C:\windows\system32\PCTINDIS5X64.SYS [43032 2010-05-25] (Smith Micro Inc.)
3 rtport; C:\Windows\SysWow64\Drivers\rtport.sys [15144 2010-10-07] (Windows (R) 2003 DDK 3790 provider)
3 swmsflt; C:\Windows\System32\Drivers\swmsflt.sys [47104 2010-05-25] ()
3 SWNC5E00; C:\Windows\System32\Drivers\SWNC5E00.sys [285696 2010-05-25] (Sierra Wireless Inc.)
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; \??\C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [146928 2010-01-12] (CyberLink Corp.)
3 EagleX64; \??\C:\windows\system32\drivers\EagleX64.sys
1 rrxoqcpy; \??\C:\windows\system32\drivers\rrxoqcpy.sys
3 X6va005; \??\C:\Users\ROFTHE~1\AppData\Local\Temp\005980C.tmp
3 X6va006; \??\C:\Users\ROFTHE~1\AppData\Local\Temp\0062DE6.tmp
ZeroAccess:
C:\Windows\Installer\{187ef5a2-f767-3f49-5235-031914813291}
C:\Windows\Installer\{187ef5a2-f767-3f49-5235-031914813291}\@
C:\Windows\Installer\{187ef5a2-f767-3f49-5235-031914813291}\L
C:\Windows\Installer\{187ef5a2-f767-3f49-5235-031914813291}\n
C:\Windows\Installer\{187ef5a2-f767-3f49-5235-031914813291}\U
C:\Windows\Installer\{187ef5a2-f767-3f49-5235-031914813291}\U\00000001.@
C:\Windows\Installer\{187ef5a2-f767-3f49-5235-031914813291}\U\800000cb.@
ZeroAccess:
C:\Users\R of the J\AppData\Local\{187ef5a2-f767-3f49-5235-031914813291}
C:\Users\R of the J\AppData\Local\{187ef5a2-f767-3f49-5235-031914813291}\@
C:\Users\R of the J\AppData\Local\{187ef5a2-f767-3f49-5235-031914813291}\L
C:\Users\R of the J\AppData\Local\{187ef5a2-f767-3f49-5235-031914813291}\U
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit