BleepingComputer.com: Keep getting pop-ups, Google redirects and BSOD with message, "IRQL_NOT_LESS_OR_EQUAL".


Keep getting pop-ups, Google redirects and BSOD with message, "IRQL_NOT_LESS_OR_EQUAL". How do I stop this from happening / remove the malware?

#16 RedAppleDolly

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 14-May 11

Posted 23 May 2011 - 02:28 PM

I'm guessing this is bad but, here it is:


File name: swinr.exe
Submission date: 2011-05-23 19:15:04 (UTC)
Current status: finished
Result: 30/43 (69.8%)

Antivirus | Version | Last update | Result
AhnLab-V3 | 2011.05.24.00 | 2011.05.23 | Win-Trojan/Agent.18944.UG
AntiVir | 7.11.8.107 | 2011.05.23 | TR/Dldr.Agent.gbnx
Antiy-AVL | 2.0.3.7 | 2011.05.23 | Trojan/Win32.Agent.gen
Avast | 4.8.1351.0 | 2011.05.23 | -
Avast5 | 5.0.677.0 | 2011.05.23 | -
AVG | 10.0.0.1190 | 2011.05.23 | Downloader.Agent2.AKLL
BitDefender | 7.2 | 2011.05.23 | Trojan.Generic.5755003
CAT-QuickHeal | 11.00 | 2011.05.22 | TrojanDownloader.Agent.gbnx
ClamAV | 0.97.0.0 | 2011.05.23 | -
Commtouch | 5.3.2.6 | 2011.05.23 | -
Comodo | 8808 | 2011.05.23 | UnclassifiedMalware
DrWeb | 5.0.2.03300 | 2011.05.23 | Trojan.MulDrop2.9697
Emsisoft | 5.1.0.5 | 2011.05.23 | Trojan-Downloader.Win32.Agent!IK
eSafe | 7.0.17.0 | 2011.05.22 | -
eTrust-Vet | 36.1.8342 | 2011.05.23 | -
F-Prot | 4.6.2.117 | 2011.05.23 | -
F-Secure | 9.0.16440.0 | 2011.05.23 | Trojan.Generic.5755003
Fortinet | 4.2.257.0 | 2011.05.22 | W32/Agent.GBNX!tr.dldr
GData | 22 | 2011.05.23 | Trojan.Generic.5755003
Ikarus | T3.1.1.104.0 | 2011.05.23 | Trojan-Downloader.Win32.Agent
Jiangmin | 13.0.900 | 2011.05.23 | TrojanDownloader.Agent.dlik
K7AntiVirus | 9.103.4707 | 2011.05.23 | Trojan-Downloader
Kaspersky | 9.0.0.837 | 2011.05.23 | Trojan-Downloader.Win32.Agent.gbnx
McAfee | 5.400.0.1158 | 2011.05.23 | Generic Downloader.x!fva
McAfee-GW-Edition | 2010.1D | 2011.05.23 | Generic Downloader.x!fva
Microsoft | 1.6903 | 2011.05.23 | -
NOD32 | 6146 | 2011.05.23 | Win32/Agent.SKO
Norman | 6.07.07 | 2011.05.23 | -
nProtect | 2011-05-23.01 | 2011.05.23 | Trojan.Generic.5755003
Panda | 10.0.3.5 | 2011.05.23 | Generic Trojan
PCTools | 7.0.3.5 | 2011.05.19 | Downloader.Generic
Prevx | 3.0 | 2011.05.23 | Medium Risk Malware
Rising | 23.59.00.03 | 2011.05.23 | -
Sophos | 4.65.0 | 2011.05.23 | -
SUPERAntiSpyware | 4.40.0.1006 | 2011.05.23 | -
Symantec | 20111.1.0.186 | 2011.05.23 | Downloader
TheHacker | 6.7.0.1.203 | 2011.05.23 | Trojan/Downloader.Agent.gbnx
TrendMicro | 9.200.0.1012 | 2011.05.23 | TROJ_GEN.R1CC3DA
TrendMicro-HouseCall | 9.200.0.1012 | 2011.05.23 | TROJ_GEN.R1CC3DA
VBA32 | 3.12.16.0 | 2011.05.23 | TrojanDownloader.Agent.gbnx
VIPRE | 9367 | 2011.05.23 | Trojan-Downloader.Win32.Agent
ViRobot | 2011.5.23.4473 | 2011.05.23 | -
VirusBuster | 13.6.369.0 | 2011.05.23 | Trojan.DL.Agent!iEXM6aCuAmM

Additional information

MD5 : 2e4598bd867b3455cee8b90805827ec2
SHA1 : 8f598dbf87ddcfbf2ea5fc438c2b437b598864a4
SHA256: abe98ca56326d7fa096d8675ee42f0c87fe9aedb717428f90e5f666fb9a0eeaa
ssdeep: 192:NwWS3BL27CXGAoJiNy4UK6L40J5RCygCRHZuMC+PgVhYmXdtLuyKrjSncc:qv1sCXGrJiNy4UdsYHzDnm7LuYf
File size : 18944 bytes
First seen: 2011-03-24 15:33:08
Last seen : 2011-05-23 19:15:04

TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

packers (F-Prot): UPX

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x10710
timedatestamp....: 0x4D89F5F2 (Wed Mar 23 13:30:26 2011)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0xC000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0xD000, 0x4000, 0x3A00, 7.74, b7899c1aa669a58fb984a4b44c3cd1db
.rsrc, 0x11000, 0x1000, 0x400, 2.31, 2f884eedf842cc74b8bd5fd36bcda2f2

[[ 5 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.DLL: RegEnumKeyExA
COMCTL32.DLL: InitCommonControlsEx
GDI32.DLL: EnumObjects
USER32.DLL: GetDC

Prevx Info:
http://info.prevx.com/aboutprogramtext.asp?PX5=4828471A00F65F984A7F007EAF11BB00CC1D257F

ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=2e4598bd867b3455cee8b90805827ec2

ExifTool:
file metadata
FileSize: 18 kB
FileType: DOS EXE
MIMEType: application/octet-stream

#17 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender: Male
  • Location: Antarctica

Posted 23 May 2011 - 02:36 PM

Hi!

Yes, it's definitely bad.


OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    C:\Windows\System32\swinr.exe
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    

  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.



NEXT:


OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.



NEXT:



What outstanding issues (if any) are you still experiencing with your computer?
Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#18 RedAppleDolly

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 14-May 11

Posted 24 May 2011 - 08:35 AM

No problems. I'm guessing this is a good thing but my internet is running a lot faster than usual. :)

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\System32\swinr.exe moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Sarah\Desktop\cmd.bat deleted successfully.
C:\Users\Sarah\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Sarah
->Temp folder emptied: 80011 bytes
->Temporary Internet Files folder emptied: 298618912 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 15837 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 285.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Sarah
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 05242011_142418

Files\Folders moved on Reboot...
File\Folder C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQJ1TKLZ\esetAcceptTerms[1].png not found!
File\Folder C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQJ1TKLZ\esetExport[1].htm not found!
File\Folder C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQJ1TKLZ\esetExport[1].png not found!
File\Folder C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQJ1TKLZ\esetListThreats[1].png not found!
File\Folder C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQJ1TKLZ\esetOnline[1].htm not found!
File\Folder C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQJ1TKLZ\esetScanArchives[1].htm not found!
File\Folder C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQJ1TKLZ\esetSmartInstall[1].htm not found!

Registry entries deleted on Reboot...

OTL logfile created on: 5/24/2011 2:27:30 PM - Run 3
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Users\Sarah\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.87 Gb Total Physical Memory | 1.11 Gb Available Physical Memory | 59.24% Memory free
3.74 Gb Paging File | 2.92 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 116.29 Gb Total Space | 85.12 Gb Free Space | 73.19% Space Free | Partition Type: NTFS
Drive D: | 116.21 Gb Total Space | 97.03 Gb Free Space | 83.50% Space Free | Partition Type: NTFS
Drive E: | 5.56 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: SARAH-TOSH | User Name: Sarah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/22 20:26:59 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Sarah\Desktop\OTL.exe
PRC - [2011/02/25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/30 14:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/20 05:17:48 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/11 13:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
PRC - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/08/17 11:48:46 | 001,294,136 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
PRC - [2009/08/17 11:48:42 | 000,051,512 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
PRC - [2009/08/13 13:31:24 | 000,521,528 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SmoothView\SmoothView.exe
PRC - [2009/08/12 11:30:42 | 006,203,296 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe
PRC - [2009/08/11 12:37:50 | 002,446,648 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\TOSHIBA Web Camera Application\TWebCamera.exe
PRC - [2009/08/06 15:02:02 | 000,029,528 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe
PRC - [2009/08/05 15:18:50 | 000,464,224 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2009/08/05 15:18:08 | 000,476,512 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2009/08/05 15:04:54 | 000,738,616 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
PRC - [2009/08/03 18:17:06 | 000,611,672 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
PRC - [2009/07/28 21:26:42 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
PRC - [2009/07/28 15:43:04 | 000,128,344 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2009/07/13 16:24:00 | 000,304,496 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2009/06/04 20:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe


========== Modules (SafeList) ==========

MOD - [2011/05/22 20:26:59 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Sarah\Desktop\OTL.exe
MOD - [2010/11/20 04:55:10 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/24 14:24:20 | 000,018,944 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\dnixt.exe -- (dnixt)
SRV - [2011/05/21 19:22:14 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/11/11 13:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/08/17 11:48:42 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2009/08/10 20:55:46 | 000,185,712 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe -- (cfWiMAXService)
SRV - [2009/08/05 15:18:50 | 000,464,224 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2009/08/03 18:16:32 | 000,111,960 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV - [2009/07/28 15:43:04 | 000,128,344 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/07 10:37:32 | 000,062,832 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe -- (RSELSVC)
SRV - [2009/06/04 20:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2009/04/29 12:21:04 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\XAudio32.dll -- (HsfXAudioService)
SRV - [2009/03/10 19:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)


========== Driver Services (SafeList) ==========

DRV - [2011/05/24 14:25:22 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C0CA3A90-1CB9-4D67-868B-E29DB372E89C}\MpKsle414c757.sys -- (MpKsle414c757)
DRV - [2011/05/24 14:22:09 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C0CA3A90-1CB9-4D67-868B-E29DB372E89C}\MpKsl75b3378e.sys -- (MpKsl75b3378e)
DRV - [2010/11/20 03:24:42 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/10/24 22:25:38 | 000,054,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010/10/24 22:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/08/13 09:37:00 | 000,376,320 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2009/07/30 17:45:56 | 000,022,912 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2009/07/24 16:57:06 | 000,275,536 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2009/07/14 16:28:42 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2009/07/13 23:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/07 08:53:06 | 000,007,680 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\system32\DRIVERS\FwLnk.sys -- (FwLnk)
DRV - [2009/06/24 18:23:12 | 000,159,776 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2009/06/22 18:04:58 | 000,024,064 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PGEffect.sys -- (PGEffect)
DRV - [2009/04/29 12:20:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio32.sys -- (XAudio)
DRV - [2006/04/10 06:02:18 | 000,162,816 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RT25USBAP.SYS -- (RT25USBAP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yeppo.net

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2011/05/24 14:24:20 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (TBSB05541 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (Veehd Plugin) - {32EA9CD0-5187-4FE3-B989-B4D1408D2802} - C:\Program Files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Veehd Plugin) - {32EA9CD0-5187-4FE3-B989-B4D1408D2802} - C:\Program Files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll ()
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HSON] C:\Program Files\Toshiba\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SmartFaceVWatcher] C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaReminder.exe (Toshiba Europe GmbH)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosReelTimeMonitor] C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosSENotify] C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TWebCamera] C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)
O4 - HKCU..\Run: [TOSHIBA Online Product Information] C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe (TOSHIBA)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/04/30 03:57:32 | 000,054,544 | R--- | M] (Electronic Arts) - E:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2008/10/22 00:48:37 | 000,000,045 | R--- | M] () - E:\Autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.VP60 - C:\Windows\System32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\Windows\System32\vp6vfw.dll (On2.com)

========== Files/Folders - Created Within 30 Days ==========

[2011/05/22 20:45:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/05/22 20:45:57 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/05/22 20:43:18 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/05/22 20:42:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/05/22 20:26:53 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\Sarah\Desktop\OTL.exe
[2011/05/22 11:52:57 | 000,000,000 | ---D | C] -- C:\Users\Sarah\AppData\Local\Microsoft Help
[2011/05/22 09:41:25 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/05/22 09:28:36 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/05/22 09:26:55 | 000,000,000 | ---D | C] -- C:\Users\Sarah\AppData\Local\temp
[2011/05/22 09:16:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/05/21 22:39:14 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2011/05/21 14:34:32 | 000,000,000 | ---D | C] -- C:\Users\Sarah\AppData\Local\WinZip
[2011/05/21 14:34:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip
[2011/05/21 14:34:09 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip
[2011/05/21 14:34:04 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2011/05/20 21:05:01 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/05/20 21:05:01 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/05/20 21:05:01 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/05/20 21:04:53 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/05/20 21:04:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/19 19:50:59 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/17 21:42:33 | 000,000,000 | ---D | C] -- C:\Windows\en
[2011/05/17 21:37:01 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live
[2011/05/17 21:25:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2011/05/17 21:24:28 | 000,000,000 | ---D | C] -- C:\Users\Sarah\AppData\Local\Windows Live
[2011/05/14 17:11:06 | 000,000,000 | ---D | C] -- C:\Program Files\NoVirusThanks
[2011/05/13 22:01:44 | 000,000,000 | ---D | C] -- C:\Users\Sarah\AppData\Roaming\DivX
[2011/05/13 22:01:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
[2011/05/13 21:50:41 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2011/05/13 21:48:38 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2011/05/13 21:47:16 | 000,000,000 | ---D | C] -- C:\Program Files\Veehd Plugin
[2011/05/08 19:31:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electronic Arts
[2011/05/07 20:13:29 | 000,000,000 | ---D | C] -- C:\Users\Sarah\Documents\Electronic Arts
[2011/05/07 20:11:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Electronic Arts
[2011/05/07 19:57:54 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft WSE
[2011/05/07 19:39:29 | 000,000,000 | ---D | C] -- C:\Program Files\Electronic Arts
[2011/05/01 20:29:02 | 000,000,000 | ---D | C] -- C:\ProgramData\TorrentEasy
[2011/05/01 15:17:59 | 000,000,000 | ---D | C] -- C:\Users\Sarah\AppData\Local\PackageAware
[2011/04/26 13:10:44 | 000,000,000 | ---D | C] -- C:\Users\Sarah\AppData\Roaming\Synthesia
[2011/04/26 13:09:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Synthesia
[2011/04/26 13:09:51 | 000,000,000 | ---D | C] -- C:\Users\Sarah\Documents\Synthesia Music
[2011/04/26 13:09:22 | 000,000,000 | ---D | C] -- C:\Program Files\Synthesia
[2011/04/25 00:24:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/04/25 00:23:55 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/04/25 00:23:54 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/04/25 00:21:53 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[1 C:\Users\Sarah\AppData\Local\*.tmp files -> C:\Users\Sarah\AppData\Local\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/24 14:27:03 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/24 14:25:25 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/24 14:25:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/24 14:25:13 | 1506,795,520 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/24 14:24:40 | 000,016,080 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/24 14:24:39 | 000,016,080 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/24 14:24:20 | 000,018,944 | ---- | M] () -- C:\Windows\System32\dnixt.exe
[2011/05/24 14:24:20 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/05/23 20:23:58 | 000,630,560 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/05/23 20:23:58 | 000,111,612 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/05/22 20:46:26 | 000,001,956 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/05/22 20:31:47 | 000,001,378 | ---- | M] () -- C:\Users\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/05/22 20:26:59 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Sarah\Desktop\OTL.exe
[2011/05/22 11:58:28 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2011/05/22 10:29:40 | 000,879,035 | ---- | M] () -- C:\Users\Sarah\Desktop\SecurityCheck.exe
[2011/05/22 09:15:42 | 004,352,705 | R--- | M] () -- C:\Users\Sarah\Desktop\ComboFix.exe
[2011/05/21 22:40:28 | 000,340,080 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/05/21 16:40:27 | 000,560,738 | ---- | M] () -- C:\Users\Sarah\Desktop\Chloe_Neill_-_Dark_Elite_01_-_Firespell.pdf
[2011/05/21 14:34:24 | 000,002,172 | ---- | M] () -- C:\Users\Public\Desktop\WinZip.lnk
[2011/05/19 20:01:18 | 219,147,647 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/05/14 17:22:53 | 000,000,000 | ---- | M] () -- C:\Users\Sarah\defogger_reenable
[2011/05/08 19:31:13 | 000,001,072 | ---- | M] () -- C:\Users\Public\Desktop\EA Download Manager.lnk
[2011/05/07 19:57:25 | 000,002,036 | ---- | M] () -- C:\Users\Public\Desktop\The Sims™ 3.lnk
[2011/04/30 21:33:47 | 000,001,152 | ---- | M] () -- C:\Windows\System32\mapisvc.inf
[2011/04/26 13:10:28 | 000,001,864 | ---- | M] () -- C:\Users\Sarah\Desktop\Play Synthesia.lnk
[2011/04/25 00:25:36 | 000,002,503 | ---- | M] () -- C:\Users\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2011/04/25 00:24:37 | 000,001,720 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/04/24 15:47:05 | 000,000,534 | ---- | M] () -- C:\Windows\System32\tmp.xml
[1 C:\Users\Sarah\AppData\Local\*.tmp files -> C:\Users\Sarah\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/24 14:24:20 | 000,018,944 | ---- | C] () -- C:\Windows\System32\dnixt.exe
[2011/05/22 20:46:26 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/05/22 20:46:26 | 000,001,956 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/05/22 11:58:28 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2011/05/22 10:29:34 | 000,879,035 | ---- | C] () -- C:\Users\Sarah\Desktop\SecurityCheck.exe
[2011/05/22 09:15:42 | 004,352,705 | R--- | C] () -- C:\Users\Sarah\Desktop\ComboFix.exe
[2011/05/21 16:40:18 | 000,560,738 | ---- | C] () -- C:\Users\Sarah\Desktop\Chloe_Neill_-_Dark_Elite_01_-_Firespell.pdf
[2011/05/21 14:34:24 | 000,002,172 | ---- | C] () -- C:\Users\Public\Desktop\WinZip.lnk
[2011/05/20 21:05:01 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/05/20 21:05:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/05/20 21:05:01 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/05/20 21:05:01 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/05/20 21:05:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/05/17 21:35:43 | 000,001,218 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk
[2011/05/17 21:33:51 | 000,001,287 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk
[2011/05/17 21:31:41 | 000,001,371 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
[2011/05/17 21:30:05 | 000,002,399 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Messenger.lnk
[2011/05/14 17:22:53 | 000,000,000 | ---- | C] () -- C:\Users\Sarah\defogger_reenable
[2011/05/08 19:31:13 | 000,001,072 | ---- | C] () -- C:\Users\Public\Desktop\EA Download Manager.lnk
[2011/05/07 19:57:25 | 000,002,036 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3.lnk
[2011/04/26 13:09:53 | 000,001,864 | ---- | C] () -- C:\Users\Sarah\Desktop\Play Synthesia.lnk
[2011/04/25 00:24:37 | 000,001,720 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/01/15 07:57:34 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2009/09/04 17:55:41 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2009/09/04 17:55:40 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/09/04 10:23:47 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/08/27 08:57:38 | 000,982,220 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2009/08/27 08:57:38 | 000,439,300 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2009/08/27 08:57:38 | 000,134,592 | ---- | C] () -- C:\Windows\System32\igfcg500.bin
[2009/08/27 08:57:38 | 000,092,216 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2009/07/14 05:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 05:33:53 | 000,340,080 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 03:05:48 | 000,630,560 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 03:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 03:05:48 | 000,111,612 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 03:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 03:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 03:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/14 00:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 22:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2011/04/19 18:53:09 | 000,000,000 | ---D | M] -- C:\Users\Sarah\AppData\Roaming\.anki
[2011/03/06 13:04:46 | 000,000,000 | ---D | M] -- C:\Users\Sarah\AppData\Roaming\GetRightToGo
[2011/02/12 20:13:59 | 000,000,000 | ---D | M] -- C:\Users\Sarah\AppData\Roaming\mplayer
[2011/04/20 22:22:39 | 000,000,000 | ---D | M] -- C:\Users\Sarah\AppData\Roaming\Philipp Winterberg
[2011/04/26 13:10:49 | 000,000,000 | ---D | M] -- C:\Users\Sarah\AppData\Roaming\Synthesia
[2011/03/13 10:51:02 | 000,000,000 | ---D | M] -- C:\Users\Sarah\AppData\Roaming\The Path
[2011/03/12 15:26:41 | 000,000,000 | ---D | M] -- C:\Users\Sarah\AppData\Roaming\Toshiba
[2011/05/14 21:55:45 | 000,000,000 | ---D | M] -- C:\Users\Sarah\AppData\Roaming\uTorrent
[2011/05/07 01:07:14 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/05/22 11:58:28 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/05/22 11:58:28 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/05/22 11:58:28 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/05/22 11:58:30 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2011/05/22 11:58:30 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"NoAutoUpdate" = 0

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-22 11:00:18

< >

< >

< End of report >

#19 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender: Male
  • Location: Antarctica

Posted 24 May 2011 - 01:31 PM

Hi!

Quote

No problems. I'm guessing this is a good thing but my internet is running a lot faster than usual.
That's always good!! :)

There is something hiding on your computer that keeps on respawning a malicious file.

OTL Fix

We need to run an OTL Fix.
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    SRV - [2011/05/24 14:24:20 | 000,018,944 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\dnixt.exe -- (dnixt)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2011/05/24 14:24:20 | 000,018,944 | ---- | M] () -- C:\Windows\System32\dnixt.exe
    :Reg
    
    :Files
    dir /s /a "C:\Users\Sarah\AppData\Roaming\.anki" /c
    type "C:\Windows\System32\tmp.xml" /c
    ipconfig /flushdns /c
    C:\Windows\System32\dnixt.exe
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    

  • Push Run Fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
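SweetTech's reasoning above, that the file to go after is a company-less executable in System32 registered as an Auto service (dnixt.exe) and that it keeps being respawned, can be turned into a repeatable triage check over OTL-format log lines. The following is an added example, not code from the thread or from OTL; the lines it parses are constructed in OTL's format from entries quoted in this thread, and the awina.exe SRV line (with its start type and state) is an assumption for illustration, since the thread only shows that file in ComboFix's output.

```python
"""Triage check over OTL-format log lines.  Added example, not the thread's own
code and not part of OTL.  SAMPLE_LOG is constructed in OTL's line format from
entries quoted in the thread; the awina.exe SRV line is assumed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""
SRV - [2011/05/24 14:24:20 | 000,018,944 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\dnixt.exe -- (dnixt)
SRV - [2011/05/24 19:33:00 | 000,018,944 | ---- | M] () [Auto | Running] -- C:\Windows\System32\awina.exe -- (awina)
[2011/05/24 14:24:20 | 000,018,944 | ---- | C] () -- C:\Windows\System32\dnixt.exe
[2011/05/24 14:24:20 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/05/22 20:26:59 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Sarah\Desktop\OTL.exe
[2011/05/20 21:05:01 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/05/24 14:25:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/26 13:09:22 | 000,000,000 | ---D | C] -- C:\Program Files\Synthesia
"""

# Common stamp: [yyyy/mm/dd hh:mm:ss | size | attributes | C=created / M=modified]
_STAMP = (r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
          r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]")
# File line: stamp, optional "(Company)" (absent for directories), then " -- path"
FILE_RE = re.compile(_STAMP + r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$")
# Service line: "SRV - " stamp " (Company) [Start | State] -- path -- (service name)"
SRV_RE = re.compile(r"SRV - " + _STAMP +
                    r" \((?P<company>[^)]*)\) \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\]"
                    r" -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$")

@dataclass
class FileEntry:
    ts: str
    size: int
    attrs: str
    kind: str
    company: str
    path: str

    def is_anonymous_windows_binary(self) -> bool:
        """Executable under the Windows directory whose company field is empty."""
        p = self.path.lower()
        return ("D" not in self.attrs and not self.company
                and p.startswith("c:\\windows\\") and p.endswith((".exe", ".dll", ".sys")))

def _file_from(m) -> FileEntry:
    return FileEntry(m["ts"], int(m["size"].replace(",", "")), m["attrs"], m["kind"],
                     (m["company"] or "").strip(), m["path"].strip())

def parse_log(text):
    """Split OTL output into file entries and a {lowercase path: (name, start, state)}
    map of services.  The file part of an SRV line is kept as a FileEntry as well,
    so a service binary that never shows up in the file sections is still examined."""
    files, services = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SRV_RE.match(line)
        if m:
            services[m["path"].lower()] = (m["name"], m["start"].strip(), m["state"].strip())
            files.append(_file_from(m))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(_file_from(m))
    return files, services

def flag_suspicious(files, services):
    """Return {path: [reasons]} for anonymous Windows binaries that are registered as
    a service or share an exact byte size with another anonymous Windows binary.
    Either property alone is weak (the company-less PEV.exe in the thread's log is a
    legitimate tool); the combination is what singled out dnixt.exe."""
    candidates = {}
    for f in files:
        if f.is_anonymous_windows_binary():
            candidates.setdefault(f.path.lower(), f)
    by_size = defaultdict(set)
    for f in candidates.values():
        by_size[f.size].add(f.path.lower())
    findings = {}
    for key, f in candidates.items():
        reasons = []
        if key in services:
            name, start, state = services[key]
            reasons.append(f"registered as service '{name}' ({start}, {state})")
        twins = sorted(by_size[f.size] - {key})
        if twins:
            reasons.append(f"same size ({f.size} bytes) as {', '.join(twins)}")
        if reasons:
            findings[f.path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in flag_suspicious(*parse_log(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

Run against a real OTL log, the same check would also surface the new copy the infection drops after each removal, because the replacement file keeps the byte size even when its name changes.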

#20 RedAppleDolly

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 14-May 11

Posted 24 May 2011 - 02:44 PM

The first time I tried to do this, the computer completely froze, but the second time was fine. Just from reading the first line, I don't think it found it. :(

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Error: No service named dnixt was found to stop!
Service\Driver key dnixt not found.
File C:\Windows\System32\dnixt.exe not found.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
File C:\Windows\System32\dnixt.exe not found.
========== REGISTRY ==========
========== FILES ==========
< dir /s /a "C:\Users\Sarah\AppData\Roaming\.anki" /c >
Volume in drive C is WINDOWS
Volume Serial Number is C6E4-BA6A
Directory of C:\Users\Sarah\AppData\Roaming\.anki
19/04/2011 18:53 <DIR> .
19/04/2011 18:53 <DIR> ..
13/02/2011 13:28 <DIR> backups
19/04/2011 18:53 4,513 config.db
27/01/2011 21:00 <DIR> plugins
1 File(s) 4,513 bytes
Directory of C:\Users\Sarah\AppData\Roaming\.anki\backups
13/02/2011 13:28 <DIR> .
13/02/2011 13:28 <DIR> ..
26/01/2011 09:26 541,696 C!Users!Sarah!Documents!Anki!Japanese Kana.backup-1.anki
27/01/2011 21:14 563,200 C!Users!Sarah!Documents!Anki!Japanese Kana.backup-2.anki
12/02/2011 20:13 68,608 C!Users!Sarah!Documents!Anki!Noun1.backup-1.anki
3 File(s) 1,173,504 bytes
Directory of C:\Users\Sarah\AppData\Roaming\.anki\plugins
27/01/2011 21:00 <DIR> .
27/01/2011 21:00 <DIR> ..
0 File(s) 0 bytes
Total Files Listed:
4 File(s) 1,178,017 bytes
8 Dir(s) 90,889,363,456 bytes free
C:\Users\Sarah\Desktop\cmd.bat deleted successfully.
C:\Users\Sarah\Desktop\cmd.txt deleted successfully.
< type "C:\Windows\System32\tmp.xml" /c >
<?xml version="1.0" encoding="utf-8"?>
<rss version="1.0" xmlns:tsu="http://www.tais.com/">
<title>Gabai Updates - $Revision: 1.3 $</title>
<link>http://updates.teg.toshiba.com/Updates</link>
<description>Toshiba Support Data - Default XML Data for TRO</description>
<language></language>
<copyright>TOSHIBA Corporation</copyright>
<pubDate>4/30/2008 2:53:20 PM</pubDate>
<managingEditor></managingEditor>
<webmaster></webmaster>
<channel>
<!--***** Machine Dependencies *****-->
</channel>
</rss>
C:\Users\Sarah\Desktop\cmd.bat deleted successfully.
C:\Users\Sarah\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Sarah\Desktop\cmd.bat deleted successfully.
C:\Users\Sarah\Desktop\cmd.txt deleted successfully.
File\Folder C:\Windows\System32\dnixt.exe not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Sarah
->Temp folder emptied: 4441 bytes
->Temporary Internet Files folder emptied: 253639649 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4434 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 242.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Sarah
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 05242011_204101

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#21 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender: Male
  • Location: Antarctica

Posted 24 May 2011 - 02:55 PM

Please run a new scan with ComboFix. If it prompts you to update, please allow it to do so.

#22 RedAppleDolly

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 14-May 11

Posted 26 May 2011 - 12:59 PM

ComboFix 11-05-21.03 - Sarah 26/05/2011 18:44:54.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.1916.1061 [GMT 1:00]
Running from: c:\users\Sarah\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
.
.
2011-05-26 17:54 . 2011-05-26 17:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-05-26 17:54 . 2011-05-26 17:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-25 19:34 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-24 19:52 . 2011-05-09 12:46 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{33315796-9750-43D3-BE04-73BF59FF8E2C}\mpengine.dll
2011-05-24 19:33 . 2011-05-24 19:33 18944 ----a-w- c:\windows\system32\awina.exe
2011-05-22 19:45 . 2011-05-22 19:46 -------- d-----w- c:\program files\Common Files\Adobe
2011-05-22 19:42 . 2011-05-22 19:42 -------- d-----w- c:\program files\Common Files\Java
2011-05-22 10:52 . 2011-05-22 10:52 -------- d-----w- c:\users\Sarah\AppData\Local\Microsoft Help
2011-05-22 10:45 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-05-22 10:45 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-05-22 10:45 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-05-22 08:26 . 2011-05-26 17:54 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2011-05-21 21:39 . 2011-05-21 21:39 -------- d-----w- c:\windows\system32\Wat
2011-05-21 18:25 . 2011-05-21 18:25 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2011-05-21 13:34 . 2011-05-21 13:34 -------- d-----w- c:\users\Sarah\AppData\Local\WinZip
2011-05-21 13:34 . 2011-05-21 13:34 -------- d-----w- c:\programdata\WinZip
2011-05-21 13:27 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-05-21 13:27 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F7FBB8F0-37F1-4075-8E9B-B30781260A03}\gapaengine.dll
2011-05-21 13:26 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-21 10:55 . 2011-03-11 05:33 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-05-21 10:55 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-21 10:55 . 2011-02-23 04:47 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-21 10:55 . 2011-02-23 04:47 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-21 10:55 . 2011-02-23 04:47 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-21 10:55 . 2011-02-23 04:47 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-21 10:55 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-21 10:55 . 2011-02-03 05:54 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-05-19 18:50 . 2011-05-19 18:50 -------- d-----w- C:\_OTL
2011-05-17 20:42 . 2011-05-17 20:42 -------- d-----w- c:\windows\en
2011-05-17 20:40 . 2010-09-22 23:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-05-17 20:26 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-05-17 20:26 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-05-17 20:26 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-05-17 20:26 . 2011-05-17 20:26 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\b040c4261cc14d005\InstallManager_WLE_WLE.exe
2011-05-17 20:25 . 2011-05-17 20:25 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\983f533d1cc14d004\MeshBetaRemover.exe
2011-05-17 20:25 . 2011-05-17 20:25 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\DXSETUP.exe
2011-05-17 20:25 . 2011-05-17 20:25 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\dsetup32.dll
2011-05-17 20:25 . 2011-05-17 20:25 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\DSETUP.dll
2011-05-17 20:25 . 2011-05-17 20:25 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\DSETUP.dll
2011-05-17 20:25 . 2011-05-17 20:25 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\DXSETUP.exe
2011-05-17 20:25 . 2011-05-17 20:25 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\dsetup32.dll
2011-05-17 20:24 . 2011-05-17 20:24 6260088 ----a-w- c:\program files\Common Files\Windows Live\.cache\7a7f20941cc14d001\Silverlight.4.0.exe
2011-05-17 20:24 . 2011-05-20 21:25 -------- d-----w- c:\users\Sarah\AppData\Local\Windows Live
2011-05-17 19:10 . 2011-05-17 19:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-14 16:11 . 2011-05-14 16:11 -------- d-----w- c:\program files\NoVirusThanks
2011-05-14 00:23 . 2011-05-14 00:23 0 ---ha-w- c:\users\Sarah\AppData\Local\BIT30D.tmp
2011-05-13 21:01 . 2011-05-13 21:01 -------- d-----w- c:\users\Sarah\AppData\Roaming\DivX
2011-05-13 21:01 . 2011-05-15 11:38 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2011-05-13 20:50 . 2011-05-15 11:38 -------- d-----w- c:\program files\DivX
2011-05-13 20:48 . 2011-05-15 11:38 -------- d-----w- c:\programdata\DivX
2011-05-13 20:47 . 2011-05-13 20:47 -------- d-----w- c:\program files\Veehd Plugin
2011-05-07 19:11 . 2011-05-08 18:31 -------- d-----w- c:\programdata\Electronic Arts
2011-05-07 18:57 . 2011-05-07 18:57 -------- d-----w- c:\program files\Microsoft WSE
2011-05-07 18:57 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-05-07 18:39 . 2011-05-07 19:08 -------- d-----w- c:\program files\Electronic Arts
2011-05-01 19:29 . 2011-05-01 19:29 -------- d-----w- c:\programdata\TorrentEasy
2011-05-01 14:17 . 2011-05-01 14:17 -------- d-----w- c:\users\Sarah\AppData\Local\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-22 19:41 . 2011-03-07 22:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-17 20:27 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-09 12:46 . 2011-01-21 22:02 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-26 13:39 . 2011-03-26 13:39 249856 ------w- c:\windows\Setup1.exe
2011-03-26 13:39 . 2011-03-26 13:39 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-03-06 15:13 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32EA9CD0-5187-4FE3-B989-B4D1408D2802}"= "c:\program files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll" [2011-04-19 2636800]
.
[HKEY_CLASSES_ROOT\clsid\{32ea9cd0-5187-4fe3-b989-b4d1408d2802}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32EA9CD0-5187-4FE3-B989-B4D1408D2802}"= "c:\program files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll" [2011-04-19 2636800]
.
[HKEY_CLASSES_ROOT\clsid\{32ea9cd0-5187-4fe3-b989-b4d1408d2802}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-03 611672]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2009-08-06 29528]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-28 7625248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-08-13 521528]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-07-29 163840]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaReminder.exe" [2009-07-30 134032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
.
c:\users\Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl0e92d5af;MpKsl0e92d5af; [x]
R1 MpKsl1424d795;MpKsl1424d795; [x]
R1 MpKsl1e022a71;MpKsl1e022a71; [x]
R1 MpKsl21c5134d;MpKsl21c5134d; [x]
R1 MpKsl28f833ef;MpKsl28f833ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl28f833ef.sys [x]
R1 MpKsl2a505757;MpKsl2a505757; [x]
R1 MpKsl2df6adf9;MpKsl2df6adf9; [x]
R1 MpKsl318fd1a5;MpKsl318fd1a5; [x]
R1 MpKsl38ca0dfa;MpKsl38ca0dfa; [x]
R1 MpKsl3ca2cceb;MpKsl3ca2cceb; [x]
R1 MpKsl406eb0c9;MpKsl406eb0c9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl406eb0c9.sys [x]
R1 MpKsl43de8b4f;MpKsl43de8b4f; [x]
R1 MpKsl4a1b8746;MpKsl4a1b8746; [x]
R1 MpKsl4a6ea528;MpKsl4a6ea528;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl4a6ea528.sys [x]
R1 MpKsl5211fe91;MpKsl5211fe91; [x]
R1 MpKsl54148b40;MpKsl54148b40; [x]
R1 MpKsl5b17d3ca;MpKsl5b17d3ca; [x]
R1 MpKsl66e95bf4;MpKsl66e95bf4; [x]
R1 MpKsl6b9e364f;MpKsl6b9e364f; [x]
R1 MpKsl6c433114;MpKsl6c433114; [x]
R1 MpKsl7155c326;MpKsl7155c326;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl7155c326.sys [x]
R1 MpKsl719f4bd4;MpKsl719f4bd4; [x]
R1 MpKsl733229bc;MpKsl733229bc; [x]
R1 MpKsl7a17e627;MpKsl7a17e627; [x]
R1 MpKsl7c568b44;MpKsl7c568b44; [x]
R1 MpKsl7c5729ca;MpKsl7c5729ca; [x]
R1 MpKsl7eb89171;MpKsl7eb89171; [x]
R1 MpKsl834c58f3;MpKsl834c58f3; [x]
R1 MpKsl8fd38ec0;MpKsl8fd38ec0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C7E53A5-5872-4557-A639-01B9F8437C17}\MpKsl8fd38ec0.sys [x]
R1 MpKsl910e0b50;MpKsl910e0b50; [x]
R1 MpKsl98d87ac0;MpKsl98d87ac0; [x]
R1 MpKsl9badf15d;MpKsl9badf15d; [x]
R1 MpKsla654d409;MpKsla654d409; [x]
R1 MpKslb0c52954;MpKslb0c52954; [x]
R1 MpKslb11de4a7;MpKslb11de4a7; [x]
R1 MpKslb5e2588b;MpKslb5e2588b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslb5e2588b.sys [x]
R1 MpKslbee40013;MpKslbee40013;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslbee40013.sys [x]
R1 MpKslbefb3aa4;MpKslbefb3aa4; [x]
R1 MpKslbf5ce967;MpKslbf5ce967; [x]
R1 MpKslc6df51fb;MpKslc6df51fb; [x]
R1 MpKslc836247e;MpKslc836247e; [x]
R1 MpKslc908b192;MpKslc908b192;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslc908b192.sys [x]
R1 MpKslca81cd22;MpKslca81cd22; [x]
R1 MpKsld182a7f3;MpKsld182a7f3; [x]
R1 MpKsld97010ed;MpKsld97010ed;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsld97010ed.sys [x]
R1 MpKslde43c1f4;MpKslde43c1f4; [x]
R1 MpKsldeca8f6c;MpKsldeca8f6c; [x]
R1 MpKsleb391fba;MpKsleb391fba; [x]
R1 MpKsledc46f88;MpKsledc46f88; [x]
R1 MpKslf590d73a;MpKslf590d73a; [x]
R1 MpKslf60cd55d;MpKslf60cd55d; [x]
R2 awina;Windows Autenthification Service;c:\windows\system32\awina.exe [2011-05-24 18944]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 135664]
R3 CFcatchme;CFcatchme;c:\users\Sarah\AppData\Local\Temp\CFcatchme.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 135664]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-21 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-10 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-07-07 62832]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 7680]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-30 187392]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-03 111960]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 09:11]
.
2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 09:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://yeppo.net
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,4a,58,38,0d,07,00,4f,a0,27,43,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,4a,58,38,0d,07,00,4f,a0,27,43,\
.
[HKEY_USERS\S-1-5-21-2828275537-3082013931-1688591469-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2828275537-3082013931-1688591469-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-26 18:55:50
ComboFix-quarantined-files.txt 2011-05-26 17:55
ComboFix2.txt 2011-05-22 08:41
ComboFix3.txt 2011-05-21 00:18
ComboFix4.txt 2011-05-20 20:22
.
Pre-Run: 92,034,207,744 bytes free
Post-Run: 91,837,906,944 bytes free
.
- - End Of File - - 97D47F2EC222C57EF8B0D99E5244EED3

#23 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 27 May 2011 - 10:57 AM

Hi!

I'm going to ask that you delete the current copy of ComboFix from your desktop. (Right-click on the ComboFix file and select Delete.)

Please download a new copy from one of the links below:

Download ComboFix from one of the following locations:
Link 1
Link 2


Run a new scan with it.

This post has been edited by SweetTech: 27 May 2011 - 10:58 AM

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#24 RedAppleDolly

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 14-May 11

Posted 29 May 2011 - 01:26 PM

ComboFix 11-05-28.01 - Sarah 29/05/2011 19:15:42.5.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.1916.1180 [GMT 1:00]
Running from: c:\users\Sarah\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-29 )))))))))))))))))))))))))))))))
.
.
2011-05-29 18:24 . 2011-05-29 18:24 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-05-29 18:24 . 2011-05-29 18:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-29 18:10 . 2011-05-29 18:10 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{427689B7-BCEC-4630-8252-0E389CEF41A4}\MpKslbee453b7.sys
2011-05-28 10:29 . 2011-05-28 10:31 -------- d-----w- c:\users\Sarah\.gimp-2.6
2011-05-28 10:28 . 2011-05-28 10:28 -------- d-----w- c:\program files\GIMP-2.0
2011-05-28 06:39 . 2011-05-09 12:46 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{427689B7-BCEC-4630-8252-0E389CEF41A4}\mpengine.dll
2011-05-25 19:34 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-24 19:33 . 2011-05-24 19:33 18944 ----a-w- c:\windows\system32\awina.exe
2011-05-22 19:45 . 2011-05-22 19:46 -------- d-----w- c:\program files\Common Files\Adobe
2011-05-22 19:42 . 2011-05-22 19:42 -------- d-----w- c:\program files\Common Files\Java
2011-05-22 10:52 . 2011-05-22 10:52 -------- d-----w- c:\users\Sarah\AppData\Local\Microsoft Help
2011-05-22 10:45 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-05-22 10:45 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-05-22 10:45 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-05-22 08:26 . 2011-05-29 18:24 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2011-05-21 21:39 . 2011-05-21 21:39 -------- d-----w- c:\windows\system32\Wat
2011-05-21 18:25 . 2011-05-21 18:25 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2011-05-21 13:34 . 2011-05-21 13:34 -------- d-----w- c:\users\Sarah\AppData\Local\WinZip
2011-05-21 13:34 . 2011-05-21 13:34 -------- d-----w- c:\programdata\WinZip
2011-05-21 13:27 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-05-21 13:27 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F7FBB8F0-37F1-4075-8E9B-B30781260A03}\gapaengine.dll
2011-05-21 13:26 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-21 10:55 . 2011-03-11 05:33 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-05-21 10:55 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-21 10:55 . 2011-02-23 04:47 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-21 10:55 . 2011-02-23 04:47 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-21 10:55 . 2011-02-23 04:47 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-21 10:55 . 2011-02-23 04:47 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-21 10:55 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-21 10:55 . 2011-02-03 05:54 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-05-19 18:50 . 2011-05-19 18:50 -------- d-----w- C:\_OTL
2011-05-17 20:42 . 2011-05-17 20:42 -------- d-----w- c:\windows\en
2011-05-17 20:40 . 2010-09-22 23:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-05-17 20:26 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-05-17 20:26 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-05-17 20:26 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-05-17 20:26 . 2011-05-17 20:26 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\b040c4261cc14d005\InstallManager_WLE_WLE.exe
2011-05-17 20:25 . 2011-05-17 20:25 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\983f533d1cc14d004\MeshBetaRemover.exe
2011-05-17 20:25 . 2011-05-17 20:25 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\DXSETUP.exe
2011-05-17 20:25 . 2011-05-17 20:25 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\dsetup32.dll
2011-05-17 20:25 . 2011-05-17 20:25 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\DSETUP.dll
2011-05-17 20:25 . 2011-05-17 20:25 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\DSETUP.dll
2011-05-17 20:25 . 2011-05-17 20:25 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\DXSETUP.exe
2011-05-17 20:25 . 2011-05-17 20:25 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\dsetup32.dll
2011-05-17 20:24 . 2011-05-17 20:24 6260088 ----a-w- c:\program files\Common Files\Windows Live\.cache\7a7f20941cc14d001\Silverlight.4.0.exe
2011-05-17 20:24 . 2011-05-20 21:25 -------- d-----w- c:\users\Sarah\AppData\Local\Windows Live
2011-05-17 19:10 . 2011-05-17 19:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-14 16:11 . 2011-05-14 16:11 -------- d-----w- c:\program files\NoVirusThanks
2011-05-14 00:23 . 2011-05-14 00:23 0 ---ha-w- c:\users\Sarah\AppData\Local\BIT30D.tmp
2011-05-13 21:01 . 2011-05-13 21:01 -------- d-----w- c:\users\Sarah\AppData\Roaming\DivX
2011-05-13 21:01 . 2011-05-15 11:38 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2011-05-13 20:50 . 2011-05-15 11:38 -------- d-----w- c:\program files\DivX
2011-05-13 20:48 . 2011-05-15 11:38 -------- d-----w- c:\programdata\DivX
2011-05-13 20:47 . 2011-05-13 20:47 -------- d-----w- c:\program files\Veehd Plugin
2011-05-07 19:11 . 2011-05-08 18:31 -------- d-----w- c:\programdata\Electronic Arts
2011-05-07 18:57 . 2011-05-07 18:57 -------- d-----w- c:\program files\Microsoft WSE
2011-05-07 18:57 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-05-07 18:39 . 2011-05-07 19:08 -------- d-----w- c:\program files\Electronic Arts
2011-05-01 19:29 . 2011-05-01 19:29 -------- d-----w- c:\programdata\TorrentEasy
2011-05-01 14:17 . 2011-05-01 14:17 -------- d-----w- c:\users\Sarah\AppData\Local\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-22 19:41 . 2011-03-07 22:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-17 20:27 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-09 12:46 . 2011-01-21 22:02 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-26 13:39 . 2011-03-26 13:39 249856 ------w- c:\windows\Setup1.exe
2011-03-26 13:39 . 2011-03-26 13:39 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-03-06 15:13 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32EA9CD0-5187-4FE3-B989-B4D1408D2802}"= "c:\program files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll" [2011-04-19 2636800]
.
[HKEY_CLASSES_ROOT\clsid\{32ea9cd0-5187-4fe3-b989-b4d1408d2802}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32EA9CD0-5187-4FE3-B989-B4D1408D2802}"= "c:\program files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll" [2011-04-19 2636800]
.
[HKEY_CLASSES_ROOT\clsid\{32ea9cd0-5187-4fe3-b989-b4d1408d2802}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-03 611672]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2009-08-06 29528]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-28 7625248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-08-13 521528]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-07-29 163840]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaReminder.exe" [2009-07-30 134032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
.
c:\users\Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl0e92d5af;MpKsl0e92d5af; [x]
R1 MpKsl1424d795;MpKsl1424d795; [x]
R1 MpKsl1e022a71;MpKsl1e022a71; [x]
R1 MpKsl21c5134d;MpKsl21c5134d; [x]
R1 MpKsl28f833ef;MpKsl28f833ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl28f833ef.sys [x]
R1 MpKsl2a505757;MpKsl2a505757; [x]
R1 MpKsl2df6adf9;MpKsl2df6adf9; [x]
R1 MpKsl318fd1a5;MpKsl318fd1a5; [x]
R1 MpKsl38ca0dfa;MpKsl38ca0dfa; [x]
R1 MpKsl3ca2cceb;MpKsl3ca2cceb; [x]
R1 MpKsl406eb0c9;MpKsl406eb0c9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl406eb0c9.sys [x]
R1 MpKsl43de8b4f;MpKsl43de8b4f; [x]
R1 MpKsl4a1b8746;MpKsl4a1b8746; [x]
R1 MpKsl4a6ea528;MpKsl4a6ea528;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl4a6ea528.sys [x]
R1 MpKsl5211fe91;MpKsl5211fe91; [x]
R1 MpKsl54148b40;MpKsl54148b40; [x]
R1 MpKsl5b17d3ca;MpKsl5b17d3ca; [x]
R1 MpKsl66e95bf4;MpKsl66e95bf4; [x]
R1 MpKsl6b9e364f;MpKsl6b9e364f; [x]
R1 MpKsl6c433114;MpKsl6c433114; [x]
R1 MpKsl7155c326;MpKsl7155c326;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl7155c326.sys [x]
R1 MpKsl719f4bd4;MpKsl719f4bd4; [x]
R1 MpKsl733229bc;MpKsl733229bc; [x]
R1 MpKsl7a17e627;MpKsl7a17e627; [x]
R1 MpKsl7c568b44;MpKsl7c568b44; [x]
R1 MpKsl7c5729ca;MpKsl7c5729ca; [x]
R1 MpKsl7eb89171;MpKsl7eb89171; [x]
R1 MpKsl834c58f3;MpKsl834c58f3; [x]
R1 MpKsl8fd38ec0;MpKsl8fd38ec0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C7E53A5-5872-4557-A639-01B9F8437C17}\MpKsl8fd38ec0.sys [x]
R1 MpKsl910e0b50;MpKsl910e0b50; [x]
R1 MpKsl98d87ac0;MpKsl98d87ac0; [x]
R1 MpKsl9badf15d;MpKsl9badf15d; [x]
R1 MpKsla654d409;MpKsla654d409; [x]
R1 MpKslb0c52954;MpKslb0c52954; [x]
R1 MpKslb11de4a7;MpKslb11de4a7; [x]
R1 MpKslb5e2588b;MpKslb5e2588b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslb5e2588b.sys [x]
R1 MpKslbee40013;MpKslbee40013;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslbee40013.sys [x]
R1 MpKslbefb3aa4;MpKslbefb3aa4; [x]
R1 MpKslbf5ce967;MpKslbf5ce967; [x]
R1 MpKslc6df51fb;MpKslc6df51fb; [x]
R1 MpKslc836247e;MpKslc836247e; [x]
R1 MpKslc908b192;MpKslc908b192;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslc908b192.sys [x]
R1 MpKslca81cd22;MpKslca81cd22; [x]
R1 MpKsld182a7f3;MpKsld182a7f3; [x]
R1 MpKsld97010ed;MpKsld97010ed;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsld97010ed.sys [x]
R1 MpKslde43c1f4;MpKslde43c1f4; [x]
R1 MpKsldeca8f6c;MpKsldeca8f6c; [x]
R1 MpKsleb391fba;MpKsleb391fba; [x]
R1 MpKsledc46f88;MpKsledc46f88; [x]
R1 MpKslf590d73a;MpKslf590d73a; [x]
R1 MpKslf60cd55d;MpKslf60cd55d; [x]
R2 awina;Windows Autenthification Service;c:\windows\system32\awina.exe [2011-05-24 18944]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 135664]
R3 CFcatchme;CFcatchme;c:\users\Sarah\AppData\Local\Temp\CFcatchme.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 135664]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-21 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 MpKslbee453b7;MpKslbee453b7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{427689B7-BCEC-4630-8252-0E389CEF41A4}\MpKslbee453b7.sys [2011-05-29 28752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-10 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-07-07 62832]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 7680]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-30 187392]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-03 111960]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLBEE453B7
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 09:11]
.
2011-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 09:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://yeppo.net
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,4a,58,38,0d,07,00,4f,a0,27,43,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,4a,58,38,0d,07,00,4f,a0,27,43,\
.
[HKEY_USERS\S-1-5-21-2828275537-3082013931-1688591469-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2828275537-3082013931-1688591469-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-29 19:26:01
ComboFix-quarantined-files.txt 2011-05-29 18:26
ComboFix2.txt 2011-05-26 17:55
ComboFix3.txt 2011-05-22 08:41
ComboFix4.txt 2011-05-21 00:18
ComboFix5.txt 2011-05-29 18:14
.
Pre-Run: 91,091,296,256 bytes free
Post-Run: 91,140,673,536 bytes free
.
- - End Of File - - 9ECF6A0E7917FEC9CD70745448331DBD

#25 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 29 May 2011 - 01:30 PM

VirusTotal File Scan
Please go to: VirusTotal

  • Click the Browse button and search for the following file: c:\windows\system32\awina.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

#26 RedAppleDolly

  • Member
  • Group: Members
  • Posts: 15
  • Joined: 14-May 11

Posted 29 May 2011 - 03:49 PM

Engine | Version | Last update | Result
AhnLab-V3 | 2011.05.30.00 | 2011.05.29 | Win-Trojan/Agent.18944.UG
AntiVir | 7.11.8.162 | 2011.05.29 | TR/Dldr.Agent.gbnx
Antiy-AVL | 2.0.3.7 | 2011.05.29 | Trojan/Win32.Agent.gen
Avast | 4.8.1351.0 | 2011.05.29 | -
Avast5 | 5.0.677.0 | 2011.05.29 | -
AVG | 10.0.0.1190 | 2011.05.29 | Downloader.Agent2.AKLL
BitDefender | 7.2 | 2011.05.29 | Trojan.Generic.5755003
CAT-QuickHeal | 11.00 | 2011.05.29 | TrojanDownloader.Agent.gbnx
ClamAV | 0.97.0.0 | 2011.05.29 | -
Commtouch | 5.3.2.6 | 2011.05.29 | -
Comodo | 8885 | 2011.05.29 | UnclassifiedMalware
DrWeb | 5.0.2.03300 | 2011.05.29 | Trojan.MulDrop2.9697
eSafe | 7.0.17.0 | 2011.05.26 | -
eTrust-Vet | 36.1.8353 | 2011.05.27 | -
F-Prot | 4.6.2.117 | 2011.05.28 | -
F-Secure | 9.0.16440.0 | 2011.05.29 | Trojan.Generic.5755003
Fortinet | 4.2.257.0 | 2011.05.28 | W32/Agent.GBNX!tr.dldr
GData | 22 | 2011.05.29 | Trojan.Generic.5755003
Ikarus | T3.1.1.104.0 | 2011.05.29 | Trojan-Downloader.Win32.Agent
Jiangmin | 13.0.900 | 2011.05.29 | TrojanDownloader.Agent.dlik
K7AntiVirus | 9.104.4734 | 2011.05.28 | Trojan-Downloader
Kaspersky | 9.0.0.837 | 2011.05.29 | Trojan-Downloader.Win32.Agent.gbnx
McAfee | 5.400.0.1158 | 2011.05.29 | Generic Downloader.x!fva
McAfee-GW-Edition | 2010.1D | 2011.05.29 | Generic Downloader.x!fva
Microsoft | 1.6903 | 2011.05.29 | -
NOD32 | 6163 | 2011.05.29 | Win32/Agent.SKO
Norman | 6.07.07 | 2011.05.29 | -
nProtect | 2011-05-29.01 | 2011.05.29 | Trojan.Generic.5755003
Panda | 10.0.3.5 | 2011.05.29 | Generic Trojan
PCTools | 7.0.3.5 | 2011.05.19 | Downloader.Generic
Prevx | 3.0 | 2011.05.29 | -
Rising | 23.59.04.03 | 2011.05.27 | -
Sophos | 4.65.0 | 2011.05.29 | -
SUPERAntiSpyware | 4.40.0.1006 | 2011.05.29 | -
Symantec | 20111.1.0.186 | 2011.05.29 | Downloader
TheHacker | 6.7.0.1.212 | 2011.05.28 | Trojan/Downloader.Agent.gbnx
TrendMicro | 9.200.0.1012 | 2011.05.29 | TROJ_GEN.R1CC3DA
TrendMicro-HouseCall | 9.200.0.1012 | 2011.05.29 | TROJ_GEN.R1CC3DA
VBA32 | 3.12.16.0 | 2011.05.27 | TrojanDownloader.Agent.gbnx
VIPRE | 9427 | 2011.05.29 | Trojan-Downloader.Win32.Agent
ViRobot | 2011.5.28.4484 | 2011.05.29 | -
VirusBuster | 13.6.376.0 | 2011.05.29 | Trojan.DL.Agent!iEXM6aCuAmM

#27 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 30 May 2011 - 09:40 AM

Hi!

Is Microsoft Security Essentials active? Is it detecting anything? Please ensure that it is disabled when you are running the ComboFix script below.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Collect::[102]
c:\windows\system32\awina.exe
Driver::
MpKsl0e92d5af
MpKsl1424d795
MpKsl1e022a71
MpKsl21c5134d
MpKsl28f833ef
MpKsl2a505757
MpKsl2df6adf9
MpKsl318fd1a5
MpKsl38ca0dfa
MpKsl3ca2cceb
MpKsl406eb0c9
MpKsl43de8b4f
MpKsl4a1b8746
MpKsl4a6ea528
MpKsl5211fe91
MpKsl54148b40
MpKsl5b17d3ca
MpKsl66e95bf4
MpKsl6b9e364f
MpKsl6c433114
MpKsl7155c326
MpKsl719f4bd4
MpKsl733229bc
MpKsl7a17e627
MpKsl7c568b44
MpKsl7c5729ca
MpKsl7eb89171
MpKsl834c58f3
MpKsl8fd38ec0
MpKsl910e0b50
MpKsl98d87ac0
MpKsl9badf15d
MpKsla654d409
MpKslb0c52954
MpKslb11de4a7
MpKslb5e2588b
MpKslbee40013
MpKslbefb3aa4
MpKslbf5ce967
MpKslc6df51fb
MpKslc836247e
MpKslc908b192
MpKslca81cd22
MpKsld182a7f3
MpKsld97010ed
MpKslde43c1f4
MpKsldeca8f6c
MpKsleb391fba
MpKsledc46f88
MpKslf590d73a
MpKslf60cd55d
awina
File::
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl28f833ef.sys
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl406eb0c9.sys
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl4a6ea528.sys
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl7155c326.sys
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C7E53A5-5872-4557-A639-01B9F8437C17}\MpKsl8fd38ec0.sys
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslb5e2588b.sys
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslbee40013.sys
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslc908b192.sys
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsld97010ed.sys


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#28 RedAppleDolly (Member, Group: Members, Posts: 15, Joined: 14-May 11)

Posted 30 May 2011 - 04:40 PM

ComboFix 11-05-30.06 - Sarah 30/05/2011 22:11:54.6.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.1916.1252 [GMT 1:00]
Running from: c:\users\Sarah\Desktop\ComboFix.exe
Command switches used :: c:\users\Sarah\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl28f833ef.sys"
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl406eb0c9.sys"
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl4a6ea528.sys"
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsl7155c326.sys"
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslb5e2588b.sys"
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslbee40013.sys"
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKslc908b192.sys"
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07859454-E5F9-4E09-84E1-AD5F4FB028A8}\MpKsld97010ed.sys"
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C7E53A5-5872-4557-A639-01B9F8437C17}\MpKsl8fd38ec0.sys"
.
file zipped: c:\windows\system32\awina.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\awina.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL0E92D5AF
-------\Legacy_MPKSL1E022A71
-------\Legacy_MPKSL21C5134D
-------\Legacy_MPKSL28F833EF
-------\Legacy_MPKSL2A505757
-------\Legacy_MPKSL318FD1A5
-------\Legacy_MPKSL3CA2CCEB
-------\Legacy_MPKSL43DE8B4F
-------\Legacy_MPKSL4A1B8746
-------\Legacy_MPKSL4A6EA528
-------\Legacy_MPKSL5211FE91
-------\Legacy_MPKSL54148B40
-------\Legacy_MPKSL5B17D3CA
-------\Legacy_MPKSL66E95BF4
-------\Legacy_MPKSL6B9E364F
-------\Legacy_MPKSL6C433114
-------\Legacy_MPKSL719F4BD4
-------\Legacy_MPKSL733229BC
-------\Legacy_MPKSL7C568B44
-------\Legacy_MPKSL7EB89171
-------\Legacy_MPKSL834C58F3
-------\Legacy_MPKSL8FD38EC0
-------\Legacy_MPKSL910E0B50
-------\Legacy_MPKSL98D87AC0
-------\Legacy_MPKSL9BADF15D
-------\Legacy_MPKSLB0C52954
-------\Legacy_MPKSLB11DE4A7
-------\Legacy_MPKSLBEE40013
-------\Legacy_MPKSLBEFB3AA4
-------\Legacy_MPKSLBF5CE967
-------\Legacy_MPKSLC836247E
-------\Legacy_MPKSLCA81CD22
-------\Legacy_MPKSLD182A7F3
-------\Legacy_MPKSLDE43C1F4
-------\Legacy_MPKSLDECA8F6C
-------\Legacy_MPKSLEB391FBA
-------\Legacy_MPKSLEDC46F88
-------\Legacy_MPKSLF590D73A
-------\Legacy_MPKSLF60CD55D
-------\Service_awina
-------\Service_MpKsl0e92d5af
-------\Service_MpKsl1424d795
-------\Service_MpKsl1e022a71
-------\Service_MpKsl21c5134d
-------\Service_MpKsl28f833ef
-------\Service_MpKsl2a505757
-------\Service_MpKsl2df6adf9
-------\Service_MpKsl318fd1a5
-------\Service_MpKsl38ca0dfa
-------\Service_MpKsl3ca2cceb
-------\Service_MpKsl406eb0c9
-------\Service_MpKsl43de8b4f
-------\Service_MpKsl4a1b8746
-------\Service_MpKsl4a6ea528
-------\Service_MpKsl5211fe91
-------\Service_MpKsl54148b40
-------\Service_MpKsl5b17d3ca
-------\Service_MpKsl66e95bf4
-------\Service_MpKsl6b9e364f
-------\Service_MpKsl6c433114
-------\Service_MpKsl7155c326
-------\Service_MpKsl719f4bd4
-------\Service_MpKsl733229bc
-------\Service_MpKsl7a17e627
-------\Service_MpKsl7c568b44
-------\Service_MpKsl7c5729ca
-------\Service_MpKsl7eb89171
-------\Service_MpKsl834c58f3
-------\Service_MpKsl8fd38ec0
-------\Service_MpKsl910e0b50
-------\Service_MpKsl98d87ac0
-------\Service_MpKsl9badf15d
-------\Service_MpKsla654d409
-------\Service_MpKslb0c52954
-------\Service_MpKslb11de4a7
-------\Service_MpKslb5e2588b
-------\Service_MpKslbee40013
-------\Service_MpKslbefb3aa4
-------\Service_MpKslbf5ce967
-------\Service_MpKslc6df51fb
-------\Service_MpKslc836247e
-------\Service_MpKslc908b192
-------\Service_MpKslca81cd22
-------\Service_MpKsld182a7f3
-------\Service_MpKsld97010ed
-------\Service_MpKslde43c1f4
-------\Service_MpKsldeca8f6c
-------\Service_MpKsleb391fba
-------\Service_MpKsledc46f88
-------\Service_MpKslf590d73a
-------\Service_MpKslf60cd55d
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))
.
.
2011-05-30 21:18 . 2011-05-30 21:20 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2011-05-30 21:18 . 2011-05-30 21:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-05-30 21:18 . 2011-05-30 21:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-30 21:18 . 2011-05-30 21:18 18944 ----a-w- c:\windows\system32\mnixl.exe
2011-05-30 13:27 . 2011-05-30 13:27 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C73889B9-9680-4321-9A78-ABF8CB563BB6}\MpKsl013a39a5.sys
2011-05-29 22:11 . 2011-05-09 12:46 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C73889B9-9680-4321-9A78-ABF8CB563BB6}\mpengine.dll
2011-05-28 10:29 . 2011-05-28 10:31 -------- d-----w- c:\users\Sarah\.gimp-2.6
2011-05-28 10:28 . 2011-05-28 10:28 -------- d-----w- c:\program files\GIMP-2.0
2011-05-25 19:34 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-22 19:45 . 2011-05-22 19:46 -------- d-----w- c:\program files\Common Files\Adobe
2011-05-22 19:42 . 2011-05-22 19:42 -------- d-----w- c:\program files\Common Files\Java
2011-05-22 10:52 . 2011-05-22 10:52 -------- d-----w- c:\users\Sarah\AppData\Local\Microsoft Help
2011-05-22 10:45 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-05-22 10:45 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-05-22 10:45 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-05-21 21:39 . 2011-05-21 21:39 -------- d-----w- c:\windows\system32\Wat
2011-05-21 18:25 . 2011-05-21 18:25 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2011-05-21 13:34 . 2011-05-21 13:34 -------- d-----w- c:\users\Sarah\AppData\Local\WinZip
2011-05-21 13:34 . 2011-05-21 13:34 -------- d-----w- c:\programdata\WinZip
2011-05-21 13:27 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-05-21 13:27 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F7FBB8F0-37F1-4075-8E9B-B30781260A03}\gapaengine.dll
2011-05-21 13:26 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-21 10:55 . 2011-03-11 05:33 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-05-21 10:55 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-21 10:55 . 2011-02-23 04:47 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-21 10:55 . 2011-02-23 04:47 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-21 10:55 . 2011-02-23 04:47 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-21 10:55 . 2011-02-23 04:47 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-21 10:55 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-21 10:55 . 2011-02-03 05:54 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-05-19 18:50 . 2011-05-19 18:50 -------- d-----w- C:\_OTL
2011-05-17 20:42 . 2011-05-17 20:42 -------- d-----w- c:\windows\en
2011-05-17 20:40 . 2010-09-22 23:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-05-17 20:26 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-05-17 20:26 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-05-17 20:26 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-05-17 20:26 . 2011-05-17 20:26 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\b040c4261cc14d005\InstallManager_WLE_WLE.exe
2011-05-17 20:25 . 2011-05-17 20:25 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\983f533d1cc14d004\MeshBetaRemover.exe
2011-05-17 20:25 . 2011-05-17 20:25 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\DXSETUP.exe
2011-05-17 20:25 . 2011-05-17 20:25 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\dsetup32.dll
2011-05-17 20:25 . 2011-05-17 20:25 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\94eebc401cc14d003\DSETUP.dll
2011-05-17 20:25 . 2011-05-17 20:25 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\DSETUP.dll
2011-05-17 20:25 . 2011-05-17 20:25 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\DXSETUP.exe
2011-05-17 20:25 . 2011-05-17 20:25 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\877f42961cc14d002\dsetup32.dll
2011-05-17 20:24 . 2011-05-17 20:24 6260088 ----a-w- c:\program files\Common Files\Windows Live\.cache\7a7f20941cc14d001\Silverlight.4.0.exe
2011-05-17 20:24 . 2011-05-20 21:25 -------- d-----w- c:\users\Sarah\AppData\Local\Windows Live
2011-05-17 19:10 . 2011-05-17 19:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-14 16:11 . 2011-05-14 16:11 -------- d-----w- c:\program files\NoVirusThanks
2011-05-14 00:23 . 2011-05-14 00:23 0 ---ha-w- c:\users\Sarah\AppData\Local\BIT30D.tmp
2011-05-13 21:01 . 2011-05-13 21:01 -------- d-----w- c:\users\Sarah\AppData\Roaming\DivX
2011-05-13 21:01 . 2011-05-15 11:38 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2011-05-13 20:50 . 2011-05-15 11:38 -------- d-----w- c:\program files\DivX
2011-05-13 20:48 . 2011-05-15 11:38 -------- d-----w- c:\programdata\DivX
2011-05-13 20:47 . 2011-05-13 20:47 -------- d-----w- c:\program files\Veehd Plugin
2011-05-07 19:11 . 2011-05-08 18:31 -------- d-----w- c:\programdata\Electronic Arts
2011-05-07 18:57 . 2011-05-07 18:57 -------- d-----w- c:\program files\Microsoft WSE
2011-05-07 18:57 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-05-07 18:39 . 2011-05-07 19:08 -------- d-----w- c:\program files\Electronic Arts
2011-05-01 19:29 . 2011-05-01 19:29 -------- d-----w- c:\programdata\TorrentEasy
2011-05-01 14:17 . 2011-05-01 14:17 -------- d-----w- c:\users\Sarah\AppData\Local\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-22 19:41 . 2011-03-07 22:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-17 20:27 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-05-09 12:46 . 2011-01-21 22:02 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-26 13:39 . 2011-03-26 13:39 249856 ------w- c:\windows\Setup1.exe
2011-03-26 13:39 . 2011-03-26 13:39 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-03-06 15:13 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32EA9CD0-5187-4FE3-B989-B4D1408D2802}"= "c:\program files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll" [2011-04-19 2636800]
.
[HKEY_CLASSES_ROOT\clsid\{32ea9cd0-5187-4fe3-b989-b4d1408d2802}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32EA9CD0-5187-4FE3-B989-B4D1408D2802}"= "c:\program files\Veehd Plugin\tbunsxDAD.tmp\tbcore3.dll" [2011-04-19 2636800]
.
[HKEY_CLASSES_ROOT\clsid\{32ea9cd0-5187-4fe3-b989-b4d1408d2802}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB05541.TBSB05541]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-03 611672]
"TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2009-08-06 29528]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-28 7625248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-08-13 521528]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-07-29 163840]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaReminder.exe" [2009-07-30 134032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
.
c:\users\Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 135664]
R2 mnixl;Windows Autenthification Service;c:\windows\system32\mnixl.exe [2011-05-30 18944]
R3 CFcatchme;CFcatchme;c:\users\Sarah\AppData\Local\Temp\CFcatchme.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 135664]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-21 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 MpKsl013a39a5;MpKsl013a39a5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C73889B9-9680-4321-9A78-ABF8CB563BB6}\MpKsl013a39a5.sys [2011-05-30 28752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-10 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-07-07 62832]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 7680]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-30 187392]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-03 111960]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 09:11]
.
2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 09:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://yeppo.net
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,4a,58,38,0d,07,00,4f,a0,27,43,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,4a,58,38,0d,07,00,4f,a0,27,43,\
.
[HKEY_USERS\S-1-5-21-2828275537-3082013931-1688591469-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2828275537-3082013931-1688591469-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\taskhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\DllHost.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-05-30 22:25:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-30 21:25
ComboFix2.txt 2011-05-29 18:26
ComboFix3.txt 2011-05-26 17:55
ComboFix4.txt 2011-05-22 08:41
ComboFix5.txt 2011-05-30 21:08
.
Pre-Run: 90,463,608,832 bytes free
Post-Run: 90,405,769,216 bytes free
.
- - End Of File - - 140CCC166F97C5BB4C79AA088BC357A0
Upload was successful
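
The log above shows the pattern that makes this infection hard to clean by hand: the file collected with the CFScript (c:\windows\system32\awina.exe) is gone, but a fresh 18944-byte executable with another random five-letter name (mnixl.exe) has already been registered as an R2 service with a Microsoft-sounding, misspelled display name ("Windows Autenthification Service"). The following is an added example, not part of the thread and not ComboFix's own tooling: a small Python parser for the two ComboFix line formats seen above (the "Files Created" entries and the "R2/S3 name;display;path [date size]" service entries) with a few scoring heuristics for exactly this kind of dropper. The sample lines, the allowlist of loose system32 binaries, the branding check and the two-reason threshold are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the ComboFix log above: three
# "Files Created" lines and five service/driver lines. Not the full log.
SAMPLE_LOG = r"""
2011-05-30 21:18 . 2011-05-30 21:18 18944 ----a-w- c:\windows\system32\mnixl.exe
2011-05-21 13:26 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-21 21:39 . 2011-05-21 21:39 -------- d-----w- c:\windows\system32\Wat
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-15 135664]
R2 mnixl;Windows Autenthification Service;c:\windows\system32\mnixl.exe [2011-05-30 18944]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-21 1343400]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
"""

# "R2 name;display name;path [date size]" (ComboFix prints "[x]" when the file is missing)
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# "created . modified size attrs path" from the "Files Created" section
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

SYSTEM32 = "c:\\windows\\system32\\"
# Microsoft binaries that legitimately sit loose in system32 and host services
# (assumed allowlist; extend it from a clean reference machine).
LOOSE_SYSTEM32_OK = {"svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe"}
MS_BRANDS = ("windows ", "microsoft ")
MIN_REASONS = 2  # assumed threshold: any single heuristic alone is too noisy


@dataclass
class Finding:
    service: str
    display: str
    path: str
    size: Optional[int]
    reasons: List[str]


def parse(log_text: str) -> Tuple[List[dict], Dict[str, int]]:
    """Split a ComboFix log into service entries and recently created files."""
    services: List[dict] = []
    created: Dict[str, int] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
            continue
        m = CREATED_RE.match(line)
        if m and m.group("size").isdigit():  # directory entries show "--------"
            created[m.group("path").lower()] = int(m.group("size"))
    return services, created


def is_loose_system32_exe(path: str) -> bool:
    """True for <system32>\\x.exe with no subfolder and not on the allowlist."""
    p = path.lower()
    if not p.startswith(SYSTEM32):
        return False
    rest = p[len(SYSTEM32):]
    return "\\" not in rest and rest.endswith(".exe") and rest not in LOOSE_SYSTEM32_OK


def looks_random(name: str) -> bool:
    """Short all-lowercase alphabetic names such as 'awina' or 'mnixl'."""
    return name.isalpha() and name.islower() and 4 <= len(name) <= 6


def analyze(log_text: str) -> List[Finding]:
    """Score every service entry; report those that trip at least MIN_REASONS heuristics."""
    services, created = parse(log_text)
    findings: List[Finding] = []
    for svc in services:
        path = svc["path"].strip()
        p = path.lower()
        stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if is_loose_system32_exe(path):
            reasons.append("service binary is a loose .exe directly in system32")
        if p in created:
            reasons.append("binary was created inside the scan window")
        if svc["name"].lower() == stem and looks_random(svc["name"]):
            reasons.append("short random-looking service name equal to the file stem")
        if svc["display"].lower().startswith(MS_BRANDS) and is_loose_system32_exe(path):
            reasons.append("Microsoft-branded display name on an unknown loose binary")
        if len(reasons) >= MIN_REASONS:
            meta = svc["meta"].split()
            size = created.get(p) or (int(meta[-1]) if meta and meta[-1].isdigit() else None)
            findings.append(Finding(svc["name"], svc["display"], path, size, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.service}: {f.path} ({f.size} bytes)")
        for r in f.reasons:
            print("  -", r)
```

Run against the sample it reports only mnixl, with all four reasons and the 18944-byte size, while the genuine entries (GoogleUpdate, WatAdminSvc under its own subfolder, the svchost-hosted HsfXAudioService, Windows Live Mesh) score zero. The size is worth carrying into the report because it lets the analyst compare the new drop with the sample collected earlier; the heuristics themselves only rank entries for a human to verify (hash the file, check its signature, submit it), and a freshly patched Microsoft binary could legitimately trip the "created in window" rule, which is why one reason alone is never reported.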

#29 SweetTech (Agent ST, Group: Malware Response Team, Posts: 12,662, Joined: 15-March 09, Location: Antarctica)

Posted 30 May 2011 - 04:57 PM

Hi RedAppleDolly!

I am not liking the look of your latest logs. I removed a malicious file in the hope that it would stop it from re-appearing, and it looks like another malicious file has appeared.

We could keep on going at this infection, but at this point, the quickest and honestly best option would be to perform a reformat and re-install.

This infection seems very persistent, and I have no idea how long it will take, or even if we will be able to successfully get rid of it without a reformat and re-install.

Kindest Regards,
SweetTech.

#30 SweetTech (Agent ST, Group: Malware Response Team, Posts: 12,662, Joined: 15-March 09, Location: Antarctica)

Posted 01 June 2011 - 07:54 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.