BleepingComputer.com: Please help, Internet banking account hacked - bank says keylogger

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Please help, Internet banking account hacked - bank says keylogger

#1 User is offline   ryanziegler 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-June 11

Posted 06 June 2011 - 10:48 AM

Hi,

My internet banking account was recently hacked and $$$ transfered out of it. Bank says it has to be a keylogger buy I have scanned my PC with many different antivirus/antispyware/antikeylogger apps and have found nothing. Any help would be MUCH appreciated! I have attached the DDS log.

Thanks!

Hi all,

I have not received any replies and was wondering if I need to change my post/add additional information? I am really desperate for assistance as a large chunk of my savings was stolen and I cannot afford for this to happen again. As mentioned, I have tried multiple spyware removal tools but have detected nothing. This means I am still infected and really not sure what to do about it.

Should I go ahead and format my pc?

Thanks!

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Blade
Forum Global Moderator

Attached File(s)

  • Attached File  DDS.txt (32.36K)
    Number of downloads: 3

This post has been edited by Blade Zephon: 08 June 2011 - 01:59 AM

#2 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 13 June 2011 - 01:41 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.

  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!

  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!

  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.

  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!

  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.

  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days     failure to reply will result in the topic being closed!

  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.


____________________________________________________

Please download UnHide.exe by Grinler.

It will unhide folders/files that were set to be hidden by the infection you had.



NEXT:



Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:

  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:


Please provide an update on how things are running in your next reply.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 User is offline   ryanziegler 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-June 11

Posted 13 June 2011 - 02:15 PM

Hi and thanks for the reply / help!

My status is still the same as at time of original post i.e. havent detect any spyware but the bank insists there must be something. The only weird thing that happens on my PC is that occasionally it just powers down, not shut down, just instantly switches off.

I have successfully run the UnHide.exe.

The RootkitUnhooker will however not run. I tried to run it as Administartor but get an error i.e. "Error loading driver, NTSTATUS code: C000036B"

I have run OTL - log below.

Also, I tried to paste the logs in but got a message that my post was too long. Added the OTL logs as attachements.

Thanks again!

Attached File(s)

  • Attached File  Extras.Txt (54.36K)
    Number of downloads: 5
  • Attached File  OTL.Txt (385.16K)
    Number of downloads: 3

#4 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 13 June 2011 - 02:23 PM

Hi!

No problem!

Don't worry about the RKU scan. It doesn't work on 64 bit systems.

Lets see what these scans find.

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
:OTL
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin]  File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin]  File not found
O4 - HKU\S-1-5-21-2380367040-2394629961-3075189393-1000..\RunOnce: [mctadmin]  File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O33 - MountPoints2\{215b009a-1f8e-11e0-8ffa-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{215b009a-1f8e-11e0-8ffa-806e6f6e6963}\Shell\AutoRun\command - "" = Q:\LenovoQDrive.exe -- [2009/08/10 23:01:24 | 000,267,576 | -HS- | M] (Lenovo Group Limited)
[2011/06/01 13:27:24 | 000,000,000 | ---D | C] -- C:\ProgramData\{76502DD1-AB7E-4DB1-AF13-48F92C6AEA10}
[2011/06/13 20:54:12 | 000,087,354 | ---- | C] () -- C:\Users\Ryan\Desktop\20071210_182632_rku37300509.rar
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2

:Reg

:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]

  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.



NEXT:



Java Outdated

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.



NEXT



Scanning with MalwareBytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (v1.51.0.1200) and save it to your desktop.

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.

Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology

  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#5 User is offline   ryanziegler 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-June 11

Posted 13 June 2011 - 03:28 PM

OTL log below.

Have uninstalled all JAVA runtime and installed the latest downloaded version.

Malwarebytes ran successfully and 0 malicious items found. Log below.

Security check ran successfully. Log below.

Am still busy with the ESET Scanner, it ran about half way then started again. Weird but I will post results once I have them. Need to head to bed, will do it first thing in the morning.

Thanks again!

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2380367040-2394629961-3075189393-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
C:\Windows\Downloaded Program Files\jinstall-6u14.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{215b009a-1f8e-11e0-8ffa-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{215b009a-1f8e-11e0-8ffa-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{215b009a-1f8e-11e0-8ffa-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{215b009a-1f8e-11e0-8ffa-806e6f6e6963}\ not found.
Q:\LenovoQDrive.exe moved successfully.
C:\ProgramData\{76502DD1-AB7E-4DB1-AF13-48F92C6AEA10} folder moved successfully.
File C:\Users\Ryan\Desktop\20071210_182632_rku37300509.rar not found.
ADS C:\ProgramData\TEMP:430C6D84 deleted successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ryan\Desktop\cmd.bat deleted successfully.
C:\Users\Ryan\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56466 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Ryan
->Temp folder emptied: 9326563 bytes
->Temporary Internet Files folder emptied: 223360937 bytes
->Java cache emptied: 2814576 bytes
->Flash cache emptied: 58485 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2740917 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67697 bytes
RecycleBin emptied: 3921076 bytes

Total Files Cleaned = 231.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Ryan
->Flash cache emptied: 0 bytes

User: UpdatusUser

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.24.0 log created on 06132011_212735

Files\Folders moved on Reboot...
File\Folder C:\Users\Ryan\AppData\Local\Temp\CitrixLogs\gotomeeting\721\G2MOutlookAddin.log not found!
File\Folder C:\Users\Ryan\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VQF18GZA\google_co_za[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VQF18GZA\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VQF18GZA\search[3].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VN6U59VK\iefix[1].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VN6U59VK\iefix[2].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VN6U59VK\in_post_topics[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VN6U59VK\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VN6U59VK\like[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VN6U59VK\search[2].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VN6U59VK\status[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VN6U59VK\test_domain[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V2OBMTO0\follow_button[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V2OBMTO0\js[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V2OBMTO0\mac-ad[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V2OBMTO0\search[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V2OBMTO0\search[3].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V2OBMTO0\southafrica;sz=728x90;rotatorId=8830;ord=2011.06.13.18.55[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RBS9POR7\ads[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RBS9POR7\count[1].json not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RBS9POR7\iefix[2].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RBS9POR7\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RBS9POR7\search[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RBS9POR7\southafrica;sz=300x250;rotatorId=8830;ord=2011.06.13.18.55[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAZ2KS2L\domainhelp-default[1].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAZ2KS2L\follow_button[2].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAZ2KS2L\js[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAZ2KS2L\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAZ2KS2L\search[2].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q0NLHYS9\1555[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q0NLHYS9\1581[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q0NLHYS9\admin_content[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q0NLHYS9\iefix[1].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q0NLHYS9\js[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q0NLHYS9\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q0NLHYS9\search[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\POEQPZ6N\3001-2250_4-10007677[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\POEQPZ6N\ads[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\POEQPZ6N\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\POEQPZ6N\offerScript[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\POEQPZ6N\search[2].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\POEQPZ6N\wtid[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OPHW08A6\ads[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OPHW08A6\cokeTrending2[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OPHW08A6\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OPHW08A6\ptf_rc_s[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OPHW08A6\search[2].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L6JQHB2M\iefix[2].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L6JQHB2M\mac-ad[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L6JQHB2M\search[3].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L6JQHB2M\search[4].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L6JQHB2M\southafrica;sz=728x90;rotatorId=8830;ord=2011.06.13.18.55[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L6JQHB2M\vars[2].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KZZM6G4F\fdmftsetup[1].exe not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KZZM6G4F\g[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KZZM6G4F\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KZZM6G4F\KonaSend[2].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KZZM6G4F\search[3].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K1801M19\entrance[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K1801M19\iefix[1].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K1801M19\init[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K1801M19\KonaSend[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K1801M19\search[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I6W9E4MS\iefix[1].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I6W9E4MS\like[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I6W9E4MS\r[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I6W9E4MS\search[7].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I6W9E4MS\topics;kw=;tile=2;sz=300x250,336x280;ord='%20+%20ord%20+%20'[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I6W9E4MS\www.webopedia.com[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ENMC21ET\admin[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ENMC21ET\jre-6u26-windows-x64[1].exe not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ENMC21ET\search[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ENMC21ET\southafrica;sz=300x250;rotatorId=8830;ord=2011.06.13.18.55[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ENMC21ET\status[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EJBUQYQG\ads[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EJBUQYQG\ads[2].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EJBUQYQG\advanced_internet[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EJBUQYQG\authorization[1].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EJBUQYQG\offerScript[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EJBUQYQG\search[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EJBUQYQG\search[2].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B7L0UDRA\bottom_topics[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B7L0UDRA\documentwrite[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B7L0UDRA\get_wifi_scan_result[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B7L0UDRA\ie8style[1].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B7L0UDRA\search[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B174IQG8\-10218609389_1307991606,120ab65cce862af,itsesecu,ns.itsesecu_l;;ppos=btf;kw=;tile=2;cmw=owl;sz=300x250,336x280;net=ns;ord1=218788;contx=itsesecu;dc=w;btg=ns[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B174IQG8\admin[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B174IQG8\help_advanced_internet[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B174IQG8\iefix[1].css not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B174IQG8\search[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A33QMBML\admin_content[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A33QMBML\hub[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A33QMBML\mac-ad[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A33QMBML\offerScript[1].txt not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A33QMBML\search[1].htm not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A33QMBML\search[3].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A33QMBML\search[5].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7Y8YDRTZ\ads[1].js not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BF49586A-7BA3-4DB1-A175-86C845EB7F33}.tmp not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{00CA30DF-0C4D-43B6-B182-1877D3C1534A}.tmp not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3170DB0F-7223-46E3-AE92-370ED27CD9A9}.tmp not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D5417F5F-D322-4CEF-95CF-FCF15A0CA788}.tmp not found!
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FD25F691-5B18-4AE1-8D64-5F34052EF0DA}.tmp not found!

Registry entries deleted on Reboot...

_____________________________________________________________________________________________________

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6850

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

2011/06/13 09:56:27 PM
mbam-log-2011-06-13 (21-56-27).txt

Scan type: Quick scan
Objects scanned: 175632
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_____________________________________________________________________________________________________

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Adobe Flash Player 10.0.32.18
Adobe Reader X (10.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
ESET ESET Online Scanner OnlineCmdLineScanner.exe
``````````End of Log````````````

#6 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 13 June 2011 - 03:35 PM

Quote

Am still busy with the ESET Scanner, it ran about half way then started again. Weird but I will post results once I have them. Need to head to bed, will do it first thing in the morning.
Okay. :)
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#7 User is offline   ryanziegler 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-June 11

Posted 14 June 2011 - 09:55 AM

Hi,

Had finished running the ESET scan and 0 threats were found. Was no option to export the log file.

Thanks

#8 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 14 June 2011 - 12:36 PM

Hi!

Okay.

OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Push the Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.



NEXT:



What outstanding issues (if any) are you still experiencing with your computer?
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#9 User is offline   ryanziegler 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-June 11

Posted 14 June 2011 - 12:42 PM

Hi,

Dont see a frog button. Did paste the code and clicked 'Run Fix'

Got the output below.

Besides the banking site gettting hacked and them claiming that it has to be a keylogger, nothing else is strange/wrong with my pc..

Thanks!

Error: Unable to interpret <netsvcs> in the current context!
Error: Unable to interpret < drivers32> in the current context!
Error: Unable to interpret < hklm\software\clients\startmenuinternet|command /rs> in the current context!
Error: Unable to interpret < %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s> in the current context!
Error: Unable to interpret < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU> in the current context!
Error: Unable to interpret < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs> in the current context!
Error: Unable to interpret < > in the current context!

OTL by OldTimer - Version 3.2.24.0 log created on 06142011_194105

#10 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 14 June 2011 - 12:50 PM

Hi!

You need to press the Quick Scan button. Sorry about that. I need to get that image updated.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#11 User is offline   ryanziegler 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-June 11

Posted 14 June 2011 - 01:04 PM

Below is the OTL Log.

Thanks!


OTL logfile created on: 6/14/2011 7:57:52 PM - Run 2
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Users\Ryan\Desktop
64bit- An unknown product Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

7.80 Gb Total Physical Memory | 4.67 Gb Available Physical Memory | 59.85% Memory free
15.60 Gb Paging File | 12.12 Gb Available in Paging File | 77.70% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452.87 Gb Total Space | 353.09 Gb Free Space | 77.97% Space Free | Partition Type: NTFS
Drive E: | 3.93 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive Q: | 11.72 Gb Total Space | 3.15 Gb Free Space | 26.86% Space Free | Partition Type: NTFS

Computer Name: RYANLAPTOP | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/14 19:38:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
PRC - [2011/06/08 17:48:24 | 000,240,288 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10s_ActiveX.exe
PRC - [2011/05/25 22:07:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Users\Ryan\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2011/05/25 19:19:28 | 000,433,976 | ---- | M] (QFX Software Corporation) -- C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe
PRC - [2011/05/12 19:14:02 | 002,854,344 | ---- | M] (Zemana Ltd.) -- C:\Program Files (x86)\AntiLogger\AntiLogger.exe
PRC - [2011/04/25 17:30:48 | 003,298,712 | ---- | M] (Tonec Inc.) -- C:\Program Files (x86)\Internet Download Manager\IDMan.exe
PRC - [2011/04/17 02:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccsvchst.exe
PRC - [2011/03/11 11:05:14 | 000,089,992 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\GoToMeeting\641\g2mstart.exe
PRC - [2011/03/11 11:05:14 | 000,089,992 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\GoToMeeting\641\g2mlauncher.exe
PRC - [2011/03/11 11:05:14 | 000,089,992 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\GoToMeeting\641\g2mcomm.exe
PRC - [2011/01/30 17:45:14 | 001,306,008 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
PRC - [2010/11/20 14:17:56 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PRC - [2010/09/18 03:52:56 | 000,402,792 | ---- | M] (Lenovo) -- C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
PRC - [2010/09/18 03:51:10 | 000,357,736 | ---- | M] (Lenovo) -- C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe
PRC - [2010/09/18 03:50:54 | 000,259,432 | ---- | M] (Lenovo) -- C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
PRC - [2010/09/18 03:50:48 | 000,124,264 | ---- | M] (Lenovo) -- C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
PRC - [2010/08/20 09:38:44 | 001,348,944 | ---- | M] (Sunbelt Software) -- C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMTray.exe
PRC - [2010/08/20 09:16:34 | 002,763,080 | ---- | M] (Sunbelt Software) -- C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMSvc.exe
PRC - [2010/08/20 09:15:54 | 000,181,584 | ---- | M] (Sunbelt Software) -- C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBPIMSvc.exe
PRC - [2010/07/30 09:07:50 | 000,078,272 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
PRC - [2010/07/27 23:51:56 | 000,074,088 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
PRC - [2010/07/27 23:51:54 | 000,062,312 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
PRC - [2010/07/27 23:51:42 | 000,050,536 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Communications Utility\CamMute.exe
PRC - [2010/07/27 10:05:02 | 000,069,560 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2010/06/28 08:58:18 | 001,616,488 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2010/06/25 23:13:48 | 000,332,536 | ---- | M] (QUALCOMM, Inc.) -- C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kLenovo.exe
PRC - [2010/05/25 16:28:58 | 000,263,600 | ---- | M] (Tonec Inc.) -- C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
PRC - [2010/05/03 05:54:36 | 002,533,400 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2010/05/03 05:54:32 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2010/04/26 06:46:34 | 000,144,824 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2010/04/16 11:32:48 | 000,058,936 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe
PRC - [2010/04/12 09:13:08 | 000,142,336 | ---- | M] (HP) -- C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
PRC - [2010/04/07 07:37:40 | 000,093,032 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
PRC - [2010/04/07 07:37:24 | 000,063,928 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PRC - [2010/04/07 05:02:18 | 000,045,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\micmute.exe
PRC - [2010/04/01 07:50:46 | 000,043,960 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
PRC - [2010/02/11 01:40:56 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- c:\Program Files (x86)\Lenovo\System Update\SUService.exe
PRC - [2009/11/24 06:51:20 | 000,176,056 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2009/08/31 14:12:50 | 000,430,080 | ---- | M] (Anoto AB) -- C:\Program Files (x86)\Common Files\Anoto\Pen\Phal\Service\LPhal.exe
PRC - [2009/08/29 00:09:58 | 001,019,904 | ---- | M] (Lenovo Group Limited) -- C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2009/08/27 01:32:16 | 000,816,440 | ---- | M] (Lenovo Group Limited) -- C:\Program Files (x86)\Lenovo\Client Security Solution\password_manager.exe
PRC - [2009/05/28 08:09:36 | 000,049,976 | ---- | M] () -- C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
PRC - [2009/03/05 09:28:28 | 000,059,760 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpnumlk.exe
PRC - [2008/01/10 22:13:50 | 000,061,440 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2007/01/05 05:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2007/01/01 23:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Program Files (x86)\Google\Google Talk\googletalk.exe


========== Modules (SafeList) ==========

MOD - [2011/06/14 19:38:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
MOD - [2010/11/20 13:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
MOD - [2010/06/28 03:51:00 | 000,101,992 | ---- | M] (NVIDIA Corporation) -- C:\Windows\SysWOW64\nvinit.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/09/23 04:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2010/07/27 23:51:56 | 000,074,088 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe -- (LENOVO.TPKNRSVC)
SRV:64bit: - [2010/07/27 23:51:42 | 000,050,536 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\Communications Utility\CamMute.exe -- (LENOVO.CAMMUTE)
SRV:64bit: - [2010/07/20 04:08:30 | 001,429,776 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV:64bit: - [2010/07/20 03:46:54 | 000,838,928 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV:64bit: - [2010/06/16 23:44:38 | 000,047,728 | ---- | M] (Lenovo.) [On_Demand | Stopped] -- C:\Windows\SysNative\TPHDEXLG64.exe -- (TPHDEXLGSVC)
SRV:64bit: - [2010/04/07 07:37:40 | 000,093,032 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe -- (Lenovo.VIRTSCRLSVC)
SRV:64bit: - [2010/04/07 07:37:24 | 000,063,928 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV:64bit: - [2010/04/07 05:02:18 | 000,045,496 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV:64bit: - [2009/11/18 07:04:24 | 000,045,928 | ---- | M] (Lenovo.) [Auto | Running] -- C:\Windows\SysNative\ibmpmsvc.exe -- (IBMPMSVC)
SRV:64bit: - [2009/09/30 03:25:48 | 000,126,392 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\TurboBoost\TurboBoost.exe -- (TurboBoost)
SRV:64bit: - [2009/08/12 02:59:38 | 000,864,032 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe -- (btwdins)
SRV:64bit: - [2009/07/14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2011/04/17 02:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe -- (N360)
SRV - [2010/10/22 13:08:18 | 001,039,360 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2010/09/18 03:50:54 | 000,259,432 | ---- | M] (Lenovo) [Auto | Running] -- C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe -- (AcSvc)
SRV - [2010/09/18 03:50:48 | 000,124,264 | ---- | M] (Lenovo) [Auto | Running] -- C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
SRV - [2010/08/24 20:30:00 | 000,164,200 | ---- | M] (Lenovo.) [On_Demand | Stopped] -- C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE -- (DozeSvc)
SRV - [2010/08/24 20:30:00 | 000,075,112 | ---- | M] (Lenovo) [On_Demand | Stopped] -- C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE -- (Power Manager DBC Service)
SRV - [2010/08/20 09:16:34 | 002,763,080 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMSvc.exe -- (SBAMSvc)
SRV - [2010/08/20 09:15:54 | 000,181,584 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBPIMSvc.exe -- (SBPIMSvc)
SRV - [2010/06/28 08:58:18 | 001,616,488 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2010/06/25 23:13:48 | 000,332,536 | ---- | M] (QUALCOMM, Inc.) [Auto | Running] -- C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kLenovo.exe -- (QDLService2kLenovo) Qualcomm Gobi 2000 Download Service (Lenovo)
SRV - [2010/05/03 05:54:36 | 002,533,400 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2010/05/03 05:54:32 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2010/04/12 09:13:08 | 000,142,336 | ---- | M] (HP) [Auto | Running] -- C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe -- (HP LaserJet Service)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/11 01:40:56 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- c:\Program Files (x86)\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2009/08/31 14:12:50 | 000,430,080 | ---- | M] (Anoto AB) [Auto | Running] -- C:\Program Files (x86)\Common Files\Anoto\Pen\Phal\Service\LPhal.exe -- (PenSup)
SRV - [2009/08/31 14:12:50 | 000,430,080 | ---- | M] (Anoto AB) [Auto | Running] -- C:\Program Files (x86)\Common Files\Anoto\Pen\Phal\Service\LPhal.exe -- (PenRendezvous)
SRV - [2009/08/29 00:09:58 | 001,019,904 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/04/29 04:21:18 | 000,436,736 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\XAudio64.dll -- (HsfXAudioService)
SRV - [2008/01/10 22:13:50 | 000,061,440 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2007/01/05 05:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/05/16 07:24:59 | 000,174,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2011/04/25 00:14:22 | 000,273,088 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\keyscrambler.sys -- (KeyScrambler)
DRV:64bit: - [2011/03/31 05:04:12 | 000,043,640 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\SymIMV.sys -- (SymIM)
DRV:64bit: - [2011/03/31 05:00:09 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\N360x64\0501000.01D\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2011/03/31 05:00:09 | 000,040,568 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0501000.01D\srtspx64.sys -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV:64bit: - [2011/03/28 19:46:40 | 000,146,568 | ---- | M] (Tonec Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\idmwfp.sys -- (IDMWFP)
DRV:64bit: - [2011/03/22 02:39:49 | 000,382,584 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0501000.01D\symnets.sys -- (SymNetS)
DRV:64bit: - [2011/03/15 04:31:23 | 000,912,504 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\0501000.01D\symefa64.sys -- (SymEFA)
DRV:64bit: - [2011/03/11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/18 16:36:58 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2011/01/27 08:47:10 | 000,450,680 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\0501000.01D\symds64.sys -- (SymDS)
DRV:64bit: - [2011/01/14 05:36:09 | 000,031,152 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pmxdrv.sys -- (pmxdrv)
DRV:64bit: - [2010/11/20 15:34:02 | 000,360,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcvmm.sys -- (vpcvmm)
DRV:64bit: - [2010/11/20 15:34:02 | 000,194,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpchbus.sys -- (vpcbus)
DRV:64bit: - [2010/11/20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 15:25:46 | 000,840,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\blackbox.dll -- (BlackBox)
DRV:64bit: - [2010/11/20 13:35:32 | 000,095,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpcusb.sys -- (vpcusb)
DRV:64bit: - [2010/11/20 13:35:20 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcnfltr.sys -- (vpcnfltr)
DRV:64bit: - [2010/11/20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 11:37:42 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/16 03:45:33 | 000,171,128 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0501000.01D\ironx64.sys -- (SymIRON)
DRV:64bit: - [2010/08/29 21:17:36 | 000,289,280 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud) Intel®
DRV:64bit: - [2010/08/25 18:46:18 | 000,682,624 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2010/08/25 05:36:02 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/08/24 20:30:00 | 000,030,320 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\DZHDD64.SYS -- (DzHDD64)
DRV:64bit: - [2010/08/24 20:30:00 | 000,013,104 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\TPPWR64V.SYS -- (TPPWRIF)
DRV:64bit: - [2010/08/21 06:59:12 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2010/07/14 14:42:58 | 007,821,312 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwNs64.sys -- (NETwNs64) ___ Intel®
DRV:64bit: - [2010/06/25 20:43:22 | 000,443,392 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\qcusbnetlno2k.sys -- (qcusbnetlno2k) Gobi 2000 USB-NDIS miniport(05C6-9205)
DRV:64bit: - [2010/06/25 20:43:22 | 000,230,784 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\qcusbserlno2k.sys -- (qcusbserlno2k) Gobi 2000 USB Device for Legacy Serial Communication(05C6-9205)
DRV:64bit: - [2010/06/25 20:43:22 | 000,006,400 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\qcfilterlno2k.sys -- (qcfilterlno2k) Gobi 2000 USB Composite Device Filter Driver(05C6-9205)
DRV:64bit: - [2010/06/22 08:37:38 | 000,295,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1k62x64.sys -- (e1kexpress) Intel®
DRV:64bit: - [2010/06/16 23:44:38 | 000,136,816 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\ApsX64.sys -- (Shockprf)
DRV:64bit: - [2010/06/16 23:44:38 | 000,023,664 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\ApsHM64.sys -- (TPDIGIMN)
DRV:64bit: - [2010/06/14 14:54:30 | 000,064,600 | ---- | M] (Sunbelt Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\sbapifs.sys -- (sbapifs)
DRV:64bit: - [2010/04/22 10:17:40 | 000,318,000 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010/03/22 12:11:12 | 000,049,752 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\sbredrv.sys -- (SBRE)
DRV:64bit: - [2010/03/03 12:51:40 | 000,540,696 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/02/26 09:32:12 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2009/12/15 03:09:08 | 000,163,072 | ---- | M] (Ricoh co.,Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\5U877.sys -- (5U877)
DRV:64bit: - [2009/11/18 07:04:04 | 000,032,880 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV:64bit: - [2009/10/26 07:52:00 | 000,061,952 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimspe64.sys -- (rimspci)
DRV:64bit: - [2009/09/30 03:25:50 | 000,012,728 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TurboB.sys -- (TurboB)
DRV:64bit: - [2009/09/24 13:58:38 | 000,041,536 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tvti2c.sys -- (TVTI2C)
DRV:64bit: - [2009/09/17 05:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel®
DRV:64bit: - [2009/09/07 10:27:28 | 000,064,896 | ---- | M] (Anoto AB) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LPhalUsb.sys -- (Phal)
DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 02:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\serscan.sys -- (StillCam)
DRV:64bit: - [2009/07/14 01:21:48 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tpm.sys -- (TPM)
DRV:64bit: - [2009/07/02 04:16:02 | 000,040,512 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\psadd.sys -- (psadd)
DRV:64bit: - [2009/07/01 05:46:00 | 000,132,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
DRV:64bit: - [2009/07/01 05:46:00 | 000,098,344 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwaudio.sys -- (btwaudio)
DRV:64bit: - [2009/07/01 05:46:00 | 000,021,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)
DRV:64bit: - [2009/06/30 06:05:16 | 001,486,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2009/06/30 06:01:16 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2009/06/30 05:59:54 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2009/06/10 23:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 23:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 23:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 22:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 22:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/11 04:33:56 | 000,118,016 | ---- | M] (Lenovo) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LenovoRd.sys -- (LenovoRd)
DRV:64bit: - [2009/04/29 04:21:08 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\XAudio64.sys -- (XAudio)
DRV:64bit: - [2009/04/07 08:33:00 | 000,035,104 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwl2cap.sys -- (btwl2cap)
DRV:64bit: - [2009/03/14 00:47:34 | 000,013,840 | ---- | M] (UPEK Inc.) [Kernel | Auto | Running] -- C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys -- (smihlp) SMI Helper Driver (smihlp)
DRV:64bit: - [2008/05/12 11:04:26 | 000,015,400 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\smiifx64.sys -- (lenovo.smi)
DRV:64bit: - [2006/06/18 15:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2011/06/13 21:10:29 | 000,024,448 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWow64\drivers\rkhdrv40.sys -- (rkhdrv40)
DRV - [2011/06/13 20:53:23 | 000,035,712 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWow64\drivers\BlackBox.sys -- (BlackBox)
DRV - [2011/06/03 03:08:18 | 000,488,056 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110610.006\IDSviA64.sys -- (IDSVia64)
DRV - [2011/05/19 21:37:05 | 001,143,416 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110519.002\BHDrvx64.sys -- (BHDrvx64)
DRV - [2011/05/18 06:49:22 | 002,011,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110614.001\EX64.SYS -- (NAVEX15)
DRV - [2011/05/18 06:49:22 | 000,117,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110614.001\ENG64.SYS -- (NAVENG)
DRV - [2011/05/16 07:25:17 | 000,481,912 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2011/05/16 07:25:17 | 000,136,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/05/12 19:14:05 | 000,276,184 | ---- | M] (Zemana Ltd.) [Kernel | System | Running] -- C:\Program Files (x86)\AntiLogger\AntiLog64.sys -- (AntiLog32)
DRV - [2010/05/13 07:56:22 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\SBREDrv.sys -- (SBRE)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkpad [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/02/21 10:29:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\ [2011/05/16 09:00:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn\ [2011/05/16 07:24:47 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/06/13 21:27:40 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (IDM integration (IDMIEHlprObj Class)) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll (Internet Download Manager, Tonec Inc.)
O2 - BHO: (IDM integration (IDMIEHlprObj Class)) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll (Internet Download Manager, Tonec Inc.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (IePasswordManagerHelper Class) - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files (x86)\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O4:64bit: - HKLM..\Run: [AcWin7Hlpr] C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe (Lenovo)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe (Lenovo Group Limited)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4:64bit: - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4:64bit: - HKLM..\Run: [TpShocks] C:\Windows\SysNative\TpShocks.exe (Lenovo.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AntiLogger] C:\Program Files (x86)\AntiLogger\AntiLogger.exe (Zemana Ltd.)
O4 - HKLM..\Run: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [IMSS] C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe (Intel Corporation)
O4 - HKLM..\Run: [KeyScrambler] C:\Program Files (x86)\KeyScrambler\keyscrambler.exe (QFX Software Corporation)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe (Ricoh co.,Ltd.)
O4 - HKLM..\Run: [SBAMTray] C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMTray.exe (Sunbelt Software)
O4 - HKLM..\Run: [ToolboxFX] C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe (Hewlett-Packard Company)
O4 - HKCU..\Run: [GoToMeeting] C:\Program Files (x86)\Citrix\GoToMeeting\641\g2mstart.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKCU..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe (Tonec Inc.)
O4 - HKCU..\Run: [LinkPointAssist] C:\Users\Ryan\AppData\Roaming\LinkPoint360\Bin\LinkPointAssist.exe (LinkPoint360)
O4 - Startup: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Ryan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O8:64bit: - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm ()
O8:64bit: - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm ()
O8:64bit: - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8:64bit: - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm ()
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files (x86)\KeyScrambler\x64\KeyScramblerIE.dll (QFX Software Corporation)
O9:64bit: - Extra Button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files (x86)\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files (x86)\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {03A89EFD-E023-B000-A22D-45F77558EB4C} https://content10.ilinc.com/download/AXCltInst11.dll (ILINCInstall110 Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab (DLM Control)
O16 - DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} http://www.r2mslive.co.za/R2MSDemo/Reserved.ReportViewerWebControl.axd?ReportSession=efb5hy55qxdd4o455appfm55&Culture=2057&CultureOverrides=True&UICulture=2057&UICultureOverrides=True&ReportStack=1&ControlID=4ebbffca5c65414eabe3b2848fd3ad34&OpType=PrintCab&Arch=X86 (RSClientPrint 2008 Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} http://10.0.0.30/codebase/DVM_IPCam2.ocx (DVM_IPCam2 Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://kelloggsconference.webex.com/client/T27L10NSP21/webex/ieatgpc1.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 196.43.45.190 196.43.50.190
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20:64bit: - Winlogon\Notify\psfus: DllName - Reg Error: Key error. - C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll (UPEK Inc.)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/10 18:32:46 | 000,000,049 | -HS- | M] () - Q:\AUTORUN.INF -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.dvacm - C:\Program Files (x86)\Common Files\Ulead Systems\vio\DVACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.mpegacm - C:\Program Files (x86)\Common Files\Ulead Systems\MPEG\MPEGACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.ulmp3acm - C:\Program Files (x86)\Common Files\Ulead Systems\MPEG\ulmp3acm.acm (Ulead systems)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2011/06/14 19:39:00 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
[2011/06/13 21:43:25 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/06/13 21:27:35 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/13 20:56:41 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\WinRAR
[2011/06/13 20:56:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinRAR
[2011/06/13 20:53:12 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\Diagnostics
[2011/06/13 13:45:58 | 000,086,016 | ---- | C] (MindVision Software) -- C:\Windows\unvise32.exe
[2011/06/13 13:45:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IP Camera
[2011/06/12 22:33:38 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
[2011/06/12 22:31:06 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
[2011/06/10 17:08:50 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\skypePM
[2011/06/10 17:08:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype Extras
[2011/06/10 17:08:38 | 000,000,000 | R--D | C] -- C:\Program Files (x86)\Skype
[2011/06/10 17:08:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2011/06/10 17:08:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2011/06/09 12:08:41 | 000,116,224 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\Windows\SysNative\fms.dll
[2011/06/09 12:08:33 | 000,093,696 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\Windows\SysWow64\fms.dll
[2011/06/08 20:44:44 | 000,000,000 | ---D | C] -- C:\ProgramData\PC-Doctor for Windows
[2011/06/08 20:44:04 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\PCDr
[2011/06/08 20:42:02 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Update
[2011/06/01 13:27:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AntiLogger
[2011/06/01 13:27:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AntiLogger
[2011/05/31 21:06:26 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Sunbelt
[2011/05/31 21:06:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Sunbelt
[2011/05/31 21:06:22 | 000,049,752 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\sbredrv.sys
[2011/05/31 21:06:22 | 000,027,472 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\sbbd.exe
[2011/05/31 21:06:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sunbelt Software
[2011/05/31 21:06:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sunbelt Software
[2011/05/31 17:44:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PC Tools Security
[2011/05/31 17:43:29 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2011/05/31 16:39:30 | 000,000,000 | R--D | C] -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011/05/31 16:02:52 | 000,043,640 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SymIMV.sys
[2011/05/31 12:53:18 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2011/05/30 09:34:38 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2011/05/26 21:17:22 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\QFX Software
[2011/05/26 21:17:22 | 000,000,000 | ---D | C] -- C:\ProgramData\QFX Software
[2011/05/26 21:17:20 | 000,273,088 | ---- | C] (QFX Software Corporation) -- C:\Windows\SysNative\drivers\keyscrambler.sys
[2011/05/26 21:17:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyScrambler
[2011/05/26 21:17:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KeyScrambler
[2011/05/25 23:50:01 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Malwarebytes
[2011/05/25 23:49:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/05/25 23:49:49 | 000,025,912 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/05/25 23:21:42 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/05/25 17:35:32 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2011/05/23 17:45:28 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\com.prezi.PreziDesktop
[2011/05/20 09:23:40 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\Broadcom
[2011/05/20 09:23:40 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Documents\Bluetooth Exchange Folder
[2011/05/19 16:54:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PreziDesktop3
[2011/05/18 16:18:51 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
[2011/05/16 17:03:58 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Documents\Personal
[2011/05/16 17:03:31 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\iLinc
[2011/05/16 17:03:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iLinc 11
[2011/05/16 17:01:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iLinc

========== Files - Modified Within 30 Days ==========

[2011/06/14 19:38:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
[2011/06/14 19:34:10 | 000,027,066 | ---- | M] () -- C:\Users\Ryan\Desktop\Capture.JPG
[2011/06/14 19:30:38 | 000,218,134 | ---- | M] () -- C:\Windows\hpwins14.dat
[2011/06/14 18:09:11 | 000,730,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/06/14 18:09:11 | 000,633,494 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/06/14 18:09:11 | 000,112,576 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/06/14 18:08:35 | 000,020,704 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/14 18:08:35 | 000,020,704 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/14 18:00:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/14 18:00:50 | 1986,859,007 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/14 16:37:33 | 000,000,393 | ---- | M] () -- C:\Users\Ryan\Documents\ChatLog R2 Lite Design 1 2011_06_14 16_37.rtf
[2011/06/14 13:43:00 | 000,000,056 | -H-- | M] () -- C:\Windows\SysWow64\ezsidmv.dat
[2011/06/14 13:33:53 | 000,002,050 | ---- | M] () -- C:\Users\Ryan\Documents\Default.rdp
[2011/06/14 12:41:28 | 000,000,466 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/06/13 21:27:40 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2011/06/13 21:10:29 | 000,024,448 | ---- | M] () -- C:\Windows\SysWow64\drivers\rkhdrv40.sys
[2011/06/13 20:53:23 | 000,035,712 | ---- | M] () -- C:\Windows\SysWow64\drivers\BlackBox.sys
[2011/06/13 18:45:38 | 001,707,006 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\0501000.01D\Cat.DB
[2011/06/13 13:45:58 | 000,000,856 | ---- | M] () -- C:\Users\Public\Desktop\IP Camera Tool.lnk
[2011/06/12 22:56:33 | 000,434,080 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/06/12 22:20:31 | 000,000,528 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2011/06/01 14:14:46 | 000,000,681 | ---- | M] () -- C:\Users\Ryan\Documents\ChatLog Webinar_ AARTO Overview _ The Business Case for Implementing R2MS _ AARTO Management Software 2011_06_01 14_14.rtf
[2011/05/31 21:29:17 | 000,000,088 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\netstat.bat
[2011/05/31 17:45:04 | 001,407,932 | ---- | M] () -- C:\Windows\SysNative\drivers\Cat.DB
[2011/05/30 09:34:40 | 000,001,452 | ---- | M] () -- C:\Users\Ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/05/30 09:29:45 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2011/05/30 09:29:44 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2011/05/29 09:11:20 | 000,025,912 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/05/28 07:13:17 | 000,000,967 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/05/25 23:10:09 | 007,611,557 | ---- | M] () -- C:\EntropyDSM 25052011.rar
[2011/05/25 23:08:29 | 194,867,749 | ---- | M] () -- C:\EntropyClover 25052011.rar
[2011/05/19 15:32:39 | 000,072,080 | ---- | M] () -- C:\Users\Ryan\g2mdlhlpx.exe
[2011/05/17 08:54:32 | 000,000,381 | ---- | M] () -- C:\Users\Ryan\Documents\ChatLog Meet Now 2011_05_17 08_54.rtf
[2011/05/16 07:24:59 | 000,174,200 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2011/05/16 07:24:59 | 000,007,488 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2011/05/16 07:24:59 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF

========== Files Created - No Company Name ==========

[2011/06/14 16:37:33 | 000,000,393 | ---- | C] () -- C:\Users\Ryan\Documents\ChatLog R2 Lite Design 1 2011_06_14 16_37.rtf
[2011/06/14 13:43:00 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2011/06/13 20:57:20 | 000,024,448 | ---- | C] () -- C:\Windows\SysWow64\drivers\rkhdrv40.sys
[2011/06/13 20:50:57 | 000,035,712 | ---- | C] () -- C:\Windows\SysWow64\drivers\BlackBox.sys
[2011/06/13 13:45:58 | 000,000,856 | ---- | C] () -- C:\Users\Public\Desktop\IP Camera Tool.lnk
[2011/06/09 12:09:17 | 000,347,904 | ---- | C] () -- C:\Windows\SysNative\systemsf.ebd
[2011/06/09 12:08:25 | 000,010,429 | ---- | C] () -- C:\Windows\SysNative\ScavengeSpace.xml
[2011/06/09 12:08:17 | 000,105,559 | ---- | C] () -- C:\Windows\SysWow64\RacRules.xml
[2011/06/09 12:08:17 | 000,105,559 | ---- | C] () -- C:\Windows\SysNative\RacRules.xml
[2011/06/09 12:07:59 | 000,146,389 | ---- | C] () -- C:\Windows\SysWow64\printmanagement.msc
[2011/06/09 12:07:59 | 000,001,041 | ---- | C] () -- C:\Windows\SysWow64\tcpbidi.xml
[2011/06/08 20:45:05 | 000,000,528 | ---- | C] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2011/06/08 20:45:04 | 000,000,466 | ---- | C] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/06/01 14:14:46 | 000,000,681 | ---- | C] () -- C:\Users\Ryan\Documents\ChatLog Webinar_ AARTO Overview _ The Business Case for Implementing R2MS _ AARTO Management Software 2011_06_01 14_14.rtf
[2011/05/31 21:29:17 | 000,000,088 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\netstat.bat
[2011/05/31 17:45:00 | 001,407,932 | ---- | C] () -- C:\Windows\SysNative\drivers\Cat.DB
[2011/05/30 22:04:37 | 000,027,066 | ---- | C] () -- C:\Users\Ryan\Desktop\Capture.JPG
[2011/05/30 09:34:40 | 000,001,424 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2011/05/30 09:34:38 | 000,001,458 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2011/05/30 09:29:45 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2011/05/30 09:29:44 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2011/05/25 23:31:32 | 007,611,557 | ---- | C] () -- C:\EntropyDSM 25052011.rar
[2011/05/25 23:23:35 | 194,867,749 | ---- | C] () -- C:\EntropyClover 25052011.rar
[2011/05/19 16:54:52 | 000,000,944 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PreziDesktop3.lnk
[2011/05/17 08:54:32 | 000,000,381 | ---- | C] () -- C:\Users\Ryan\Documents\ChatLog Meet Now 2011_05_17 08_54.rtf
[2011/02/21 11:47:14 | 000,007,597 | ---- | C] () -- C:\Users\Ryan\AppData\Local\Resmon.ResmonCfg
[2011/02/21 10:26:17 | 000,218,134 | ---- | C] () -- C:\Windows\hpwins14.dat
[2011/02/21 10:26:17 | 000,000,411 | ---- | C] () -- C:\Windows\hpwmdl14.dat
[2011/02/12 10:11:59 | 000,210,492 | ---- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2011/02/12 09:40:46 | 000,231,520 | ---- | C] () -- C:\Users\Ryan\AppData\Local\wanancsp.dat
[2011/01/14 05:40:58 | 000,870,560 | ---- | C] () -- C:\Windows\SysWow64\igkrng575.bin
[2011/01/14 05:40:58 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2011/01/14 05:40:58 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2011/01/14 05:40:57 | 000,127,868 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng575.bin
[2011/01/14 05:40:57 | 000,104,796 | ---- | C] () -- C:\Windows\SysWow64\igfcg575m.bin
[2009/07/14 07:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 04:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 04:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 02:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 23:59:36 | 000,982,196 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2009/07/13 23:59:36 | 000,139,824 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2009/07/13 23:59:36 | 000,097,448 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2009/07/13 23:59:35 | 000,417,344 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2009/07/13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2007/12/04 17:02:08 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\IPCamera.exe

========== LOP Check ==========

[2011/03/07 08:16:42 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\anoto
[2011/05/23 17:45:28 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\com.prezi.PreziDesktop
[2011/03/07 09:07:11 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Destiny
[2011/06/14 17:59:48 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\DMCache
[2011/06/14 19:38:13 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Dropbox
[2011/05/16 07:13:56 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\IDM
[2011/01/23 06:52:33 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Lenovo
[2011/06/12 22:22:11 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\LinkPoint360
[2011/06/08 20:45:43 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\PCDr
[2011/05/26 21:17:22 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\QFX Software
[2011/02/13 11:23:48 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Ulead Systems
[2011/06/08 20:42:05 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Update
[2011/06/01 15:45:40 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\webex
[2011/06/12 22:20:31 | 000,000,528 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2009/07/14 07:08:49 | 000,016,078 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/06/14 12:41:28 | 000,000,466 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/05/30 09:29:45 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/05/30 09:29:45 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/05/30 09:29:45 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2011/05/30 09:29:46 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files (x86)\Internet Explorer\iexplore.exe [2011/05/30 09:29:46 | 000,748,336 | ---- | M] (Microsoft Corporation)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< >

< End of report >

#12 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 14 June 2011 - 01:57 PM

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
:OTL
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
:Files
dir /s /a "C:\Users\Ryan\AppData\Roaming\Update" /c
ipconfig /flushdns /c
:Commands
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]

  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#13 User is offline   ryanziegler 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-June 11

Posted 14 June 2011 - 02:29 PM

OTL log. Ran successfully.

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
========== FILES ==========
< dir /s /a "C:\Users\Ryan\AppData\Roaming\Update" /c >
Volume in drive C is Windows7_OS
Volume Serial Number is BA78-E044
Directory of C:\Users\Ryan\AppData\Roaming\Update
2011/06/08 08:42 PM <DIR> .
2011/06/08 08:42 PM <DIR> ..
2011/06/08 08:42 PM <DIR> full_5802_25_64_03
0 File(s) 0 bytes
Directory of C:\Users\Ryan\AppData\Roaming\Update\full_5802_25_64_03
2011/06/08 08:42 PM <DIR> .
2011/06/08 08:42 PM <DIR> ..
2011/06/08 08:42 PM 44˙308˙328 full_5802_25_64_03.exe
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.000
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.001
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.002
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.003
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.004
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.005
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.006
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.007
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.008
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.009
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.010
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.011
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.012
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.013
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.014
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.015
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.016
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.017
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.018
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.019
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.020
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.021
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.022
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.023
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.024
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.025
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.026
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.027
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.028
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.029
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.030
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.031
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.032
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.033
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.034
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.035
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.036
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.037
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.038
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.039
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.040
2011/06/08 08:42 PM 1˙048˙576 full_5802_25_64_03.exe.041
2011/06/08 08:42 PM 268˙136 full_5802_25_64_03.exe.042
44 File(s) 88˙616˙656 bytes
Total Files Listed:
44 File(s) 88˙616˙656 bytes
5 Dir(s) 377˙286˙926˙336 bytes free
C:\Users\Ryan\Desktop\cmd.bat deleted successfully.
C:\Users\Ryan\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ryan\Desktop\cmd.bat deleted successfully.
C:\Users\Ryan\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Ryan
->Temp folder emptied: 7218669 bytes
->Temporary Internet Files folder emptied: 273696093 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1305 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 747193 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 66717 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
RecycleBin emptied: 471 bytes

Total Files Cleaned = 269.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Ryan
->Flash cache emptied: 0 bytes

User: UpdatusUser

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.24.0 log created on 06142011_211412

Files\Folders moved on Reboot...
File move failed. C:\Users\Ryan\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Ryan\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb scheduled to be moved on reboot.
File\Folder C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\5[1].htm not found!
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\ads[6].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\ads[7].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\ads[8].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\context[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\context[2].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\context[3].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\context[4].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\copyright[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\MilestoneXProtectGo_Quick_Getting_Started_Guide_en-US[1].pdf scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\searchCA5D7DI3.js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\searchCA8U2WT4.js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\searchCAILZ2TN.js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RTU2V138\xprotect+essential[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PERKCXFD\context[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PERKCXFD\context[2].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PERKCXFD\context[3].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PERKCXFD\context[4].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PERKCXFD\cookie[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PERKCXFD\gggzipcheck.js[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PERKCXFD\search[7].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PERKCXFD\uninstall[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\7[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\8529[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\ads[4].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\context[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\context[2].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\context[3].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\context[4].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\download[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\likebox[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\monitor[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\question[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\searchCAAPDLQK.js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\search[4].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\search[5].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\search[7].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O1YZZ42Y\vars[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FKTTSDVR\ads[7].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FKTTSDVR\computer-only-works-in-safe-mode-shuts-off-randomly-has-no-sound-etc-577147[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FKTTSDVR\context[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FKTTSDVR\context[2].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FKTTSDVR\context[3].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FKTTSDVR\context[4].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FKTTSDVR\ping[1].js scheduled to be moved on reboot.
File move failed. C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat scheduled to be moved on reboot.
C:\Users\Ryan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...

#14 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 14 June 2011 - 02:45 PM

Hello,

Your logs appear to be clean, so if you have no further issues with your computer, then please proceed with the following housekeeping procedures outlined below.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Commands
[ClearAllRestorePoints]

  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.



NEXT:



OTL Clean-Up

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
  • Reopen Posted Image on your desktop.
  • Click on Posted Image
  • You will be prompted to reboot your system. Please do so.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


NEXT:



All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===



Below I have included a number of recommendations for how to protect your computer against malware infections.


Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one as it can cause program conflicts, as well as false positives

You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.


Avoid P2P Programs

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

If you have any of these programs installed then I highly suggest you uninstall them.

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Internet Browsers

Many of the users that I assist here on the forums, ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is too practice safe browsing.

Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.

I also suggest you make your Internet Explore more secure.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



Extra Goodies

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them     then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates


  • Be weary of e-mails from unknown senders. Keep the following in mind as well: If it's to good to be true, then it more than likely is.


  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome and Opera.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Cheers,
SweetTech.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#15 User is offline   ryanziegler 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 06-June 11

Posted 15 June 2011 - 01:41 AM

Thanks for all your help, it is really appreciated! I will run all housecleaning procedures. Was anything picked up and subsequently removed or was the pc clean? Just wondering how my bank account got hacked.

Thanks again for all you help!

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users