
Trojan.fakealert keeps regenerating, desktop disappears


  • This topic is locked
20 replies to this topic

#1 edcomitz

  • Members
  • 14 posts

Posted 03 March 2010 - 11:26 PM

Toshiba Satellite L305D
AMD Turion 64x2 mobile Technology TL-60 2.00 GHz
32 bit Operating System
Windows Vista Home Premium, SP2

About ten days ago my normal Desktop and Start menu disappeared. I rebooted the laptop and was presented with a black screen and a “My Documents” window. Suspecting an infection I installed Malwarebytes from a USB Flash drive. I was able to execute a scan which identified and removed a significant amount of suspected items. Upon restart, my normal desktop returned.
The laptop ran normally for a week and then a few days ago it reverted to the black screen with no Start menu.

Whatever has infected the laptop had removed the Malwarebytes application so I downloaded it again and ran another scan. My desktop once again returned to normal.
A file named TROJAN.FAKEALERT keeps regenerating. I can't permanently delete it using the Malwarebytes program. It has been three days and I still have my normal desktop but I suspect that my days are numbered.
Despite the name, I am not being prompted to purchase anything. When I attempt to update my anti-virus program, the update fails, although I can successfully connect to the internet.

Here is my Hijack This log file. Any help with this is greatly appreciated.

Ed

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:25 PM, on 3/3/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Owner\AppData\Local\Temp\Ggd.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1204.0\msneshellx.dll
O2 - BHO: &UpdateCheck.dll - {D34D56E9-B37B-4C37-A854-1AC144592D5C} - C:\Windows\System32\UpdateCheck.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1204.0\msneshellx.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [DSS] C:\Windows\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [F5JMWNZTHI] C:\Users\Owner\AppData\Local\Temp\Ggd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} (Symantec Configuration Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlcm.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD700D70-4407-43E8-AA8B-DDA1E4D7C854}: NameServer = 93.188.164.56,93.188.166.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{C69A1454-6DB0-4BD9-A237-987EFAFB88F6}: NameServer = 93.188.164.56,93.188.166.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.56,93.188.166.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.56,93.188.166.62
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8837 bytes
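A small triage script for HijackThis-style log lines like the ones posted above, added here as an example; it is not part of the thread and not a HijackThis feature. It flags the three patterns in this log that a helper would look at first: a Run entry launching an executable from a Temp folder under a random-looking value name, a BHO whose only display name is its DLL file name, and static DNS servers that differ from the DHCP-assigned ones. The sample lines are constructed from the posted log, and the expected DNS set is taken from the DhcpNameServer line in the OTL log later in the thread.

```python
"""Triage of HijackThis-style log lines (constructed example, not part of the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: &UpdateCheck.dll - {D34D56E9-B37B-4C37-A854-1AC144592D5C} - C:\Windows\System32\UpdateCheck.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [F5JMWNZTHI] C:\Users\Owner\AppData\Local\Temp\Ggd.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.56,93.188.166.62
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Line shapes used by HijackThis for the three sections we care about.
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    section: str            # HijackThis section tag, e.g. "O4"
    detail: str             # the entry that was flagged
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    """Last path component of a Windows path, ignoring a trailing quote."""
    return path.rstrip('"').rsplit("\\", 1)[-1]


def triage(log_text: str, expected_dns=frozenset()):
    """Return the entries a helper would question first.

    expected_dns: resolvers the machine should be using (e.g. the DHCP-issued
    ones); with an empty set every static NameServer entry is reported.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            reasons = []
            if re.search(r"\\temp\\", m["cmd"], re.IGNORECASE):
                reasons.append("autorun launches an executable from a Temp directory")
            if re.fullmatch(r"[A-Z0-9]{8,}", m["name"]):
                reasons.append("random-looking value name")
            if reasons:
                findings.append(Finding("O4", f"[{m['name']}] {m['cmd']}", reasons))
            continue
        m = BHO_RE.match(line)
        if m:
            # A BHO whose display name is just its file name has no name resource;
            # legitimate vendors normally ship a readable product name.
            if m["name"].lstrip("&").lower() == _basename(m["path"]).lower():
                findings.append(Finding("O2", f"{m['clsid']} {m['path']}",
                                        ["BHO has no friendly name, only its DLL file name"]))
            continue
        m = DNS_RE.match(line)
        if m:
            servers = {s for s in re.split(r"[,\s]+", m["servers"]) if s}
            unexpected = sorted(servers - set(expected_dns))
            if unexpected:
                findings.append(Finding("O17", m["key"],
                                        ["static DNS servers not issued by DHCP: " + ", ".join(unexpected)]))
    return findings


if __name__ == "__main__":
    # DHCP-issued resolvers as reported by the OTL log's DhcpNameServer line.
    for f in triage(SAMPLE_LOG, expected_dns={"68.87.73.246", "68.87.71.230"}):
        print(f.section, f.detail)
        for r in f.reasons:
            print("    -", r)
```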




#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 04 March 2010 - 08:28 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.



=============



The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for the following boxes. Please uncheck these boxes.
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 edcomitz
  • Topic Starter

  • Members
  • 14 posts

Posted 05 March 2010 - 01:39 AM

Thank you very much for responding to my post, Sam. I ran both processes per your instructions. The OTL scan went quickly, taking around two minutes. The GMER scan took considerably longer, close to forty minutes. Here is the first log.

Ed

OTL logfile created on: 3/5/2010 12:23:58 AM - Run 1
OTL by OldTimer - Version 3.1.34.0 Folder = C:\Users\Owner\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 231.42 Gb Total Space | 174.62 Gb Free Space | 75.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/05 00:22:16 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
PRC - [2010/02/03 18:06:11 | 000,174,592 | ---- | M] () -- C:\Users\Owner\AppData\Local\Temp\Ggd.exe
PRC - [2010/01/15 22:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/10 14:54:02 | 000,269,648 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2009/09/10 14:54:00 | 000,420,176 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2009/04/11 01:28:11 | 000,217,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WerFault.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/30 13:06:50 | 000,485,208 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2008/02/15 10:03:36 | 000,333,064 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe
PRC - [2008/01/29 20:51:52 | 004,911,104 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/29 19:00:40 | 000,430,080 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
PRC - [2008/01/22 16:25:26 | 000,712,704 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
PRC - [2008/01/21 18:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2008/01/17 18:27:52 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
PRC - [2008/01/17 18:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2007/12/03 19:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
PRC - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2007/06/15 23:01:58 | 000,448,080 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
PRC - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2007/01/25 21:45:42 | 000,468,600 | ---- | M] (TOSHIBA Corporation) -- C:\TOSHIBA\IVP\ISM\Ivpsvmgr.exe
PRC - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (SafeList) ==========

MOD - [2010/03/05 00:22:16 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
MOD - [2009/04/11 01:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
SRV - [2009/09/10 14:54:02 | 000,269,648 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2008/02/26 13:19:46 | 000,648,456 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (tmproxy)
SRV - [2008/02/15 10:03:36 | 000,333,064 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2008/01/21 18:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/17 18:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 19:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/30 02:35:40 | 000,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/09/24 20:38:00 | 000,181,784 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\S-1-5-21-1085965913-235832656-310955751-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\S-1-5-21-1085965913-235832656-310955751-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {3454C0E4-E174-42EB-89A8-F30CF94DCCE5}:1.9.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=QLbQX9xIZV43iAiVJzhbew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5}: C:\Users\Owner\AppData\Local\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5} [2010/02/13 19:15:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/01 21:16:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/01 21:16:33 | 000,000,000 | ---D | M]

[2008/12/25 11:24:15 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\mozilla\Extensions
[2010/03/03 22:34:27 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\kp3echst.default\extensions
[2009/09/01 17:26:50 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\kp3echst.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/02/23 20:42:35 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\kp3echst.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/06/11 15:07:50 | 000,009,941 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Mozilla\FireFox\Profiles\kp3echst.default\searchplugins\mywebsearch.xml
[2010/03/01 21:16:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/08/04 13:36:08 | 000,352,256 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npgobitgamesplugin.dll
[2009/06/11 15:03:05 | 000,024,684 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1204.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (&UpdateCheck.dll) - {D34D56E9-B37B-4C37-A854-1AC144592D5C} - C:\Windows\System32\UpdateCheck.dll ()
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1204.0\msneshellx.dll (Microsoft Corp.)
O3 - HKU\S-1-5-21-1085965913-235832656-310955751-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [DSS] C:\Windows\BBSTORE\DSS\DSSAGENT.EXE (Brøderbund Software)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1085965913-235832656-310955751-1000..\Run: [F5JMWNZTHI] C:\Users\Owner\AppData\Local\Temp\Ggd.exe ()
O4 - HKU\S-1-5-21-1085965913-235832656-310955751-1000..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe ()
O4 - Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
O7 - HKU\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlcm.cab (Symantec Configuration Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.56,93.188.166.62
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/20 21:34:27 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/03/05 00:22:16 | 000,554,496 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2010/03/02 07:20:27 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2010/03/02 07:20:27 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2010/03/02 07:20:27 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2010/03/01 23:26:22 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/03/01 16:32:03 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/01 16:32:00 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/05 00:22:57 | 004,456,448 | -HS- | M] () -- C:\Users\Owner\ntuser.dat
[2010/03/05 00:22:16 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2010/03/05 00:20:31 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/05 00:20:31 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/05 00:19:03 | 000,000,492 | ---- | M] () -- C:\Windows\tasks\Malwarebytes' Scheduled Scan for Owner.job
[2010/03/05 00:18:02 | 000,000,240 | -H-- | M] () -- C:\Windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/03/04 23:56:02 | 000,000,286 | -H-- | M] () -- C:\Windows\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/03/04 18:18:12 | 000,000,558 | ---- | M] () -- C:\Windows\tasks\Norton Security Scan for Owner.job
[2010/03/03 23:27:19 | 000,035,840 | ---- | M] () -- C:\Users\Owner\Documents\Toshiba Satellite L305D.doc
[2010/03/03 22:38:49 | 000,007,944 | ---- | M] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2010/03/03 22:27:50 | 000,740,884 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/03 22:27:50 | 000,157,798 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/03 22:27:50 | 000,151,972 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/03 22:20:47 | 000,000,433 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.ics
[2010/03/03 22:20:29 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/03 22:20:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/03 22:20:18 | 3084,521,472 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/03 22:18:57 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/03/03 22:18:57 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TM.blf
[2010/03/03 22:18:50 | 004,868,379 | -H-- | M] () -- C:\Users\Owner\AppData\Local\IconCache.db
[2010/03/02 23:02:06 | 000,001,885 | ---- | M] () -- C:\Users\Owner\Desktop\HijackThis.lnk
[2010/03/02 07:24:04 | 000,390,872 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/03/01 23:11:51 | 000,002,609 | ---- | M] () -- C:\Users\Owner\Desktop\Microsoft Office Word 2003.lnk
[2010/03/01 21:16:34 | 000,001,735 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/03/01 16:32:06 | 000,000,829 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/01 14:12:49 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TMContainer00000000000000000002.regtrans-ms
[2010/03/01 13:49:54 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/03/01 13:49:54 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TM.blf
[2010/02/28 19:39:35 | 000,002,838 | ---- | M] () -- C:\Windows\machine.ver
[2010/02/28 18:28:56 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TMContainer00000000000000000002.regtrans-ms
[2010/02/28 18:02:49 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{490dc9e8-1a80-11df-ac38-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/02/28 18:02:49 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{490dc9e8-1a80-11df-ac38-001e3362bc7f}.TM.blf
[2010/02/23 20:13:04 | 000,019,968 | ---- | M] () -- C:\Users\Owner\Documents\Hair.doc
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/03 23:27:19 | 000,035,840 | ---- | C] () -- C:\Users\Owner\Documents\Toshiba Satellite L305D.doc
[2010/03/02 23:02:06 | 000,001,885 | ---- | C] () -- C:\Users\Owner\Desktop\HijackThis.lnk
[2010/03/02 18:36:50 | 000,000,492 | ---- | C] () -- C:\Windows\tasks\Malwarebytes' Scheduled Scan for Owner.job
[2010/03/01 16:32:06 | 000,000,829 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/01 13:52:00 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TMContainer00000000000000000002.regtrans-ms
[2010/03/01 13:52:00 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/03/01 13:52:00 | 000,065,536 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TM.blf
[2010/03/01 13:38:58 | 3084,521,472 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/28 18:22:31 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TMContainer00000000000000000002.regtrans-ms
[2010/02/28 18:22:31 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/02/28 18:22:31 | 000,065,536 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TM.blf
[2010/02/23 20:13:04 | 000,019,968 | ---- | C] () -- C:\Users\Owner\Documents\Hair.doc
[2010/02/10 16:10:09 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/02/08 18:30:17 | 000,000,120 | ---- | C] () -- C:\Users\Owner\AppData\Local\Bxucubucamotig.dat
[2010/02/08 18:30:17 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Local\Treguvahoh.bin
[2010/02/08 00:50:40 | 000,622,080 | ---- | C] () -- C:\Windows\System32\UpdateCheck.dll
[2010/02/06 15:59:44 | 000,000,169 | ---- | C] () -- C:\Windows\disney.ini
[2010/01/30 13:08:42 | 000,000,000 | ---- | C] () -- C:\Windows\setup32.INI
[2009/09/19 18:45:10 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/23 19:23:21 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Horns
[2009/08/23 19:23:21 | 000,000,268 | RH-- | C] () -- C:\Users\Owner\AppData\Roaming\Hip Hop
[2009/08/23 19:23:21 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLdw.DAT
[2009/08/23 19:18:07 | 000,000,268 | RH-- | C] () -- C:\ProgramData\HomePageService
[2009/08/23 19:18:07 | 000,000,268 | RH-- | C] () -- C:\Users\Owner\AppData\Roaming\Help
[2009/08/23 19:18:07 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLdu.DAT
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/27 10:30:34 | 000,000,067 | ---- | C] () -- C:\Windows\swupdate.INI
[2009/04/20 17:24:29 | 000,007,944 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2009/01/22 19:20:36 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/12/27 13:17:42 | 000,009,216 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/22 13:06:32 | 000,000,013 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2008/11/22 13:06:32 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2008/08/27 23:26:05 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2008/08/27 23:26:05 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2008/08/27 23:26:05 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2008/08/27 23:26:05 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2008/02/13 13:15:06 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/02/12 21:23:20 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/02/12 21:23:20 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/02/12 21:23:20 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/02/12 21:23:20 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/02/12 21:23:20 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/02/12 21:23:20 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/01/20 21:24:21 | 000,148,480 | ---- | C] () -- C:\Users\Owner\AppData\Local\anogomusige.dll
[2008/01/20 21:24:21 | 000,039,936 | ---- | C] () -- C:\Users\Owner\AppData\Local\mstaten.dll
[2007/07/28 00:26:30 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 11:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/02/26 17:51:54 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Fabulous Finds
[2009/02/25 17:19:52 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Gamelab
[2009/06/13 19:29:31 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\GOL_byHasbro
[2009/05/07 17:40:16 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\iWin
[2010/02/06 16:00:47 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Leadertech
[2010/02/28 21:16:38 | 000,000,000 | -HSD | M] -- C:\Users\Owner\AppData\Roaming\lowsec
[2009/08/29 14:40:57 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Nikon
[2008/12/25 06:14:49 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\TOSHIBA
[2008/12/25 06:14:21 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Ulead Systems
[2009/05/07 19:28:21 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\WildTangent
[2010/03/03 22:18:59 | 000,032,578 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/03/05 00:18:02 | 000,000,240 | -H-- | M] () -- C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/03/04 23:56:02 | 000,000,286 | -H-- | M] () -- C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 21:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 21:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 04:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: KR10N.SYS >
[2006/11/09 01:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) MD5=6A4ADB9186DD0E114E623DAF57E42B31 -- C:\Windows\System32\drivers\KR10N.sys
[2006/11/09 01:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) MD5=6A4ADB9186DD0E114E623DAF57E42B31 -- C:\Windows\System32\DriverStore\FileRepository\kr10.inf_c681c175\KR10N.sys
[2005/09/27 03:57:00 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) MD5=A1963360E74931222A67356C8AD48378 -- C:\Windows\System32\DriverStore\FileRepository\kr10n.inf_f8c77270\KR10N.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 21:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/20 21:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 01:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 01:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\ProgramData\TEMP:7E95B6FD
@Alternate Data Stream - 165 bytes -> C:\ProgramData\TEMP:C210B4D5
@Alternate Data Stream - 164 bytes -> C:\ProgramData\TEMP:829B37EE
@Alternate Data Stream - 161 bytes -> C:\ProgramData\TEMP:7A639C45
@Alternate Data Stream - 154 bytes -> C:\ProgramData\TEMP:80DDCCC1
@Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:47ADFAF3
@Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:9371B810
@Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:CA4300C6
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:26FE5B17
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:58D2A680
< End of report >

#4 edcomitz

edcomitz
  • Topic Starter
  • Members
  • 14 posts

Posted 05 March 2010 - 01:41 AM

Sam,
I was not able to include all three logs in one reply due to the size limitation.

This is the second log file.

Ed

OTL Extras logfile created on: 3/5/2010 12:23:59 AM - Run 1
OTL by OldTimer - Version 3.1.34.0 Folder = C:\Users\Owner\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 231.42 Gb Total Space | 174.62 Gb Free Space | 75.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1085965913-235832656-310955751-1000]
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- ()


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00330DE6-969F-4AD8-88E2-B4EA7647422E}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{1AF9EE37-7067-4D05-8228-7480743A6A4A}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1C4C9FFF-548F-4082-A6D7-3BDD03583FF0}" = lport=2869 | protocol=6 | dir=in | app=system |
"{1EA32181-6A47-45EA-A432-97036E696C9E}" = rport=445 | protocol=6 | dir=out | app=system |
"{25BBEF64-C2EB-42E1-8104-76BD19F4CD7C}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{29190898-A1E0-4D83-9CB7-7A0FC56863BD}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3878F2C2-26A0-4303-ADF2-861CD8ABBC68}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{46BF0836-EE9B-4415-A8CC-51569E6DCBF9}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{4B9369E0-3621-4532-ACBF-8F6296EDF794}" = rport=2869 | protocol=6 | dir=out | app=system |
"{567AC368-76D7-40AD-ACC4-A1060DB00F1E}" = rport=138 | protocol=17 | dir=out | app=system |
"{57D0EE13-A74E-4385-9EB7-22B96859B7A0}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{599ADA87-3FE1-4411-B9C2-8D575119D021}" = rport=139 | protocol=6 | dir=out | app=system |
"{627C93E8-F58B-4087-814E-F36CC087AC9A}" = rport=137 | protocol=17 | dir=out | app=system |
"{65AF83F5-C9B9-4649-BD0C-9E8F97774E95}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{7458CAB5-5CAA-4A4C-A9B4-E3B53E654E63}" = lport=445 | protocol=6 | dir=in | app=system |
"{7576343B-B240-421B-9318-E45773C1B20C}" = lport=139 | protocol=6 | dir=in | app=system |
"{860F43A2-14C8-4437-AC46-2BD6800F9216}" = lport=138 | protocol=17 | dir=in | app=system |
"{96A0CC83-C46E-46E8-A287-094D79412042}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{A899C376-5A42-40D2-9B1B-E07677FC54C2}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{AAE775DF-C398-4EB2-8317-C0ADE57D2B52}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{BB4D6405-9882-4010-83FA-6D75AEDCD5E1}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{BC229EBF-FD03-49D6-B39D-DA8EB252E7C1}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{C2A70859-0974-4F05-9384-731177631BF5}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{D1DC56DB-2AB0-41D5-B94B-61F59FE55EFF}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{D2263C96-071F-47EB-9CB3-3D397F19EBC0}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{F9D147EC-9215-4969-9906-14EFDD7625DC}" = lport=137 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{14E3023C-83D1-4799-9FBB-3BB9DE02C6C2}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{1840002B-99D4-4494-B7CE-7336B8C23554}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{1B7C8C20-292C-41E6-B301-F818FF773EDA}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{37C2BDF4-E3FE-4463-A80E-A3F0ECF4AE88}" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{52AF5B5A-556B-4F5D-89EE-364D52DECA6A}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{53333443-37A8-4F27-AD85-01698D2D3EA9}" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{563150E4-BA67-4FB1-BAAE-2811D4E1CAF9}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{6A3BB58D-8D81-4737-8C44-24E3F236AF3D}" = protocol=6 | dir=in | app=c:\program files\norton security scan\norton security scan\engine\2.7.0.52\nss.exe |
"{6F3F101E-5079-470E-9679-48BF3EEB318A}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{723C3CFA-5C2D-4C14-A230-C31054342021}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{8A6FF12F-C537-4AE4-B6B3-F976877A5DEF}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{8D6C1015-FEC1-4BE9-A7D8-3A262D63B663}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{AFA6CF0A-E141-475E-8982-1872E4AC8061}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{B434CB01-6210-406B-9D78-0B03D6194023}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{B5138073-ECEF-440F-A55B-BFE2507387AB}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |
"{C88C900A-233D-4044-A13B-8C8FD19A05D7}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{DE337FF1-EA79-4E58-83DE-2F436675AC94}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{E226CB83-E4B2-49B9-9A21-67017F7B6BE0}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{EED35179-5625-473B-9EBA-B8CE0B074B88}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{F5FE077D-CD0B-4966-B502-785D310E991F}" = protocol=17 | dir=in | app=c:\program files\norton security scan\norton security scan\engine\2.7.0.52\nss.exe |
"TCP Query User{12D1FBFB-F0FE-4BB9-844C-B7191AC5F3ED}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{1709F93C-AC27-49E1-A0C4-4BB71D79C590}C:\windows\system32\dplaysvr.exe" = protocol=6 | dir=in | app=c:\windows\system32\dplaysvr.exe |
"TCP Query User{417FDECA-0938-4CD2-8EEB-AFC5DB8D75F6}C:\program files\shockwave.com\wheel of fortune\product\wheel of fortune.exe" = protocol=6 | dir=in | app=c:\program files\shockwave.com\wheel of fortune\product\wheel of fortune.exe |
"TCP Query User{7D589173-E14A-4B78-86B5-BDCB202712A8}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{8F371AF7-08D0-46C0-B015-AFF7F838A21C}C:\programdata\7def\extraav.exe" = protocol=6 | dir=in | app=c:\programdata\7def\extraav.exe |
"TCP Query User{F44D9903-E742-4739-9269-E0E2CBD7ECAE}C:\program files\infogrames interactive\scrabble complete\scrabblecomplete.exe" = protocol=6 | dir=in | app=c:\program files\infogrames interactive\scrabble complete\scrabblecomplete.exe |
"TCP Query User{F8503008-C580-46D0-9B5F-DED32DDA873B}C:\program files\shockwave.com\rock & roll jeopardy\product\rock & roll jeopardy!.exe" = protocol=6 | dir=in | app=c:\program files\shockwave.com\rock & roll jeopardy\product\rock & roll jeopardy!.exe |
"UDP Query User{225379A9-720B-4BB9-A299-0FBBEF74C47C}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{4C6C4991-BFBE-4354-8C9C-9E29A88FE383}C:\windows\system32\dplaysvr.exe" = protocol=17 | dir=in | app=c:\windows\system32\dplaysvr.exe |
"UDP Query User{4CA1761E-C273-4324-B2BE-53C5D6AA52EB}C:\program files\infogrames interactive\scrabble complete\scrabblecomplete.exe" = protocol=17 | dir=in | app=c:\program files\infogrames interactive\scrabble complete\scrabblecomplete.exe |
"UDP Query User{5092EE9B-CBCB-48BD-A298-8AAAA9D035BE}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{BDC94C21-6CB1-4D30-AD7B-E61B06329E4D}C:\program files\shockwave.com\rock & roll jeopardy\product\rock & roll jeopardy!.exe" = protocol=17 | dir=in | app=c:\program files\shockwave.com\rock & roll jeopardy\product\rock & roll jeopardy!.exe |
"UDP Query User{E7B7D0D9-085B-4911-974C-0587FD022DEF}C:\programdata\7def\extraav.exe" = protocol=17 | dir=in | app=c:\programdata\7def\extraav.exe |
"UDP Query User{F49DE091-2A0D-48CA-97B0-7590B0908C3C}C:\program files\shockwave.com\wheel of fortune\product\wheel of fortune.exe" = protocol=17 | dir=in | app=c:\program files\shockwave.com\wheel of fortune\product\wheel of fortune.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{03240EBA-04F2-4652-BC7F-B055902BDCD3}" = Memeo AutoBackup
"{062ABD24-47F8-D865-BCB6-A724A94BC9A5}" = CCC Help Japanese
"{06F2B3DC-74F4-300D-D41A-B21B46101CA2}" = Skins
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0A573F30-FB63-9A85-2E6E-39E1AC5366D0}" = Catalyst Control Center Localization Hungarian
"{0A9F311E-A4B9-4808-1D1C-0B2E7705A735}" = Catalyst Control Center Localization Spanish
"{0F15A965-99BA-BC9D-5A00-D7E1E7B2AE7F}" = Catalyst Control Center Localization French
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1700" = Canon iP1700
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{14FEF8C7-0EB1-47F2-6A13-D43171D4DFBB}" = Catalyst Control Center Localization Greek
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D4D4C5C-6771-A416-0FC9-167F47C4D977}" = Catalyst Control Center Localization Polish
"{1E32C2AB-9722-5F41-7BDE-24B5AFD2BCE6}" = CCC Help Spanish
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{21AEC16B-1C21-81B4-DA88-2235CC1F7E39}" = Catalyst Control Center Localization Japanese
"{22A830A0-AF5D-4279-B668-22D004137A9D}" = MSN Toolbar
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 17
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{288306FF-D5B5-7398-0617-E52F625C6797}" = CCC Help Norwegian
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{397AC65E-CB4A-29C2-ACF9-D04444438971}" = Catalyst Control Center Localization Thai
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3B96A467-811C-F9FE-B8D6-3BC952025F44}" = Catalyst Control Center Localization Dutch
"{3BEEC9AD-FA8F-B413-6BBC-8B5DC7C8E08F}" = Catalyst Control Center Localization Portuguese
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{45ECDC05-71AC-6372-2A17-4139B6296F4F}" = ccc-core-static
"{480C3278-56A7-3F05-3829-6DC5D4B0CB06}" = CCC Help Portuguese
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{4CA4D9FC-212C-9F69-E760-DB4BEB34FEB5}" = CCC Help Thai
"{4DE0D937-FEB0-0D89-C8D6-35F600300BD4}" = CCC Help French
"{526B6DD3-0C43-2C13-7DF8-44D20D4E9853}" = CCC Help English
"{544587B1-B057-F0B3-7B19-6898ADBED9AC}" = Catalyst Control Center Localization Czech
"{571C0874-A931-EEFE-E89D-8F912F633B9F}" = CCC Help Danish
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{63427619-C918-6F3C-7318-11DDA4975241}" = ATI Catalyst Install Manager
"{63A6E9A9-A190-46D4-9430-2DB28654AFD8}" = Norton 360
"{648B4A01-F609-1D4E-556C-0F18B54E9E1C}" = Catalyst Control Center Localization Italian
"{64F18837-72CE-DC38-899C-260AF20F979A}" = CCC Help Swedish
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69C82DDB-3FBC-EBEC-AE0A-3ABF1F3BD39B}" = CCC Help Polish
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6C530FF7-F6F2-FD4C-0CFC-49AD3E7244A9}" = Catalyst Control Center Localization Turkish
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6CA2BE46-A562-8CA4-1C33-CC2681B2DDA1}" = CCC Help Finnish
"{6DBBEC03-716B-7954-873A-B782100831C5}" = Catalyst Control Center Graphics Full New
"{70BCBA77-83D9-2075-1F99-69D65C44B422}" = Catalyst Control Center Graphics Full Existing
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro AntiVirus
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}" = TOSHIBA ConfigFree
"{78E6BC53-F765-2629-C028-9F3CD49F70D4}" = CCC Help Chinese Standard
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7ECE1045-66CB-2A70-7EAE-BE508AF95CF2}" = Catalyst Control Center Graphics Previews Vista
"{81F93FA5-BA87-322F-2166-4D1F0FFE196E}" = CCC Help Greek
"{8376FC56-5456-DFF9-5C36-FAB3DE39F5DF}" = Catalyst Control Center Localization Norwegian
"{85B3880D-F0D2-A50C-1464-7EF646A1D21D}" = Catalyst Control Center Localization Danish
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
"{890EF3F8-742F-46BD-9E8E-084B3A1F4364}" = QuickBooks Financial Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D0957A4-8EE7-E273-0BFC-9B235BEAA41A}" = CCC Help Dutch
"{8D44F868-DA59-B1BF-CC33-58B0AF8E2E39}" = Catalyst Control Center Localization Chinese Traditional
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9A3F65CA-78FA-4749-004B-23743CF642D1}" = Catalyst Control Center Localization Korean
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A5B13934-D1C9-D33B-982E-BB09A19C0F90}" = Catalyst Control Center Localization Finnish
"{A60F4402-4CCE-E695-64C6-F0636ACC347F}" = CCC Help Italian
"{A621B45A-D138-4A95-BE10-7CABA05EF94E}" = Trend Micro AntiVirus
"{A91A0484-8087-A838-9BA6-03374BE3F2CE}" = Catalyst Control Center Localization Russian
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AA725670-A7B4-D1B0-4EF5-F4B2E418C9F4}" = Catalyst Control Center Localization German
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{ADBE6E56-60E7-7FC3-467A-827987BE09CE}" = Catalyst Control Center Localization Swedish
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1819DF7-D6B1-27AA-3A3B-6560C348C386}" = Catalyst Control Center Core Implementation
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B36649A3-D0DD-4706-B042-F5B384529C7A}" = Scrabble Complete
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B9CD69C2-D14E-C499-C18B-7342E5FE245E}" = Catalyst Control Center Localization Chinese Standard
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
"{D58A1E94-9EEA-4C6E-B9FB-D7C63DC6C941}" = Catalyst Control Center - Branding
"{D8F9F4CB-41A1-CF15-39A2-75F28E0B9991}" = CCC Help Korean
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DDA258BA-57D9-A76C-84CB-F19571A45FC8}" = ccc-utility
"{DF73BEDD-8A09-A6E2-462B-3BDF398BAFB2}" = CCC Help Czech
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari
"{E70A3EE1-067D-8C6C-1C89-9F3A1BA4CF2C}" = Catalyst Control Center Graphics Light
"{E87A8D96-5795-A788-18A2-3BCC20B09E7C}" = CCC Help Chinese Traditional
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EB295AF7-C2D1-D911-9E62-F288874B96F4}" = CCC Help Turkish
"{EBCD5E4C-F14A-B147-39FE-906F75AC4ACE}" = CCC Help Russian
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{F36D6137-FD4C-1F67-7B2A-815BB05BB825}" = CCC Help German
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F84C1DC6-4B39-1A34-AD6E-A6EE49A3DD78}" = CCC Help Hungarian
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Cooking Academy 2: World Cuisine" = Cooking Academy 2: World Cuisine
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Elizabeth Find M.D.: Diagnosis Mystery" = Elizabeth Find M.D.: Diagnosis Mystery
"Fabulous Finds" = Fabulous Finds
"Family Feud Dream Home" = Family Feud Dream Home (remove only)
"Family Feud Hollywood Ed." = Family Feud Hollywood Ed. (remove only)
"GoBit Games Plugin_is1" = GoBit Games Plugin v1.5
"Go-Go Gourmet" = Go-Go Gourmet
"HijackThis" = HijackThis 2.0.2
"InstallShield_{03240EBA-04F2-4652-BC7F-B055902BDCD3}" = Memeo AutoBackup
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"NSS" = Norton Security Scan
"Picasa2" = Picasa 2
"PROHYBRIDR" = 2007 Microsoft Office system
"Rock & Roll JEOPARDY!®" = Rock & Roll JEOPARDY!®
"Strawberry Shortcake - Amazing Cookie Party" = Strawberry Shortcake - Amazing Cookie Party
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"THE GAME OF LIFE™ by Hasbro" = THE GAME OF LIFE™ by Hasbro
"Top Chef" = Top Chef
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"VLC media player" = VideoLAN VLC media player 0.8.6d
"Wheel of Fortune" = Wheel of Fortune
"WildTangent toshiba Master Uninstall" = TOSHIBA Games
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Zoo Vet" = Zoo Vet

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Extra Antivirus" = Extra Antivirus
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/14/2010 5:28:34 PM | Computer Name = Owner-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/14/2010 5:38:41 PM | Computer Name = Owner-PC | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 6.0.6000.16386, time stamp
0x4549b0e1, faulting module xwtpw32.dll, version 6.0.6001.18000, time stamp 0x4791a79c,
exception code 0xc0000005, fault offset 0x00008867, process id 0x9c0, application
start time 0x01caadbda05f0407.

Error - 2/14/2010 5:43:47 PM | Computer Name = Owner-PC | Source = VSS | ID = 8194
Description =

Error - 2/14/2010 6:05:57 PM | Computer Name = Owner-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/14/2010 10:34:08 PM | Computer Name = Owner-PC | Source = Application Error | ID = 1000
Description = Faulting application AcroRd32.exe, version 8.1.0.137, time stamp 0x46444e37,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x0c0c0c0c, process id 0x414, application start time 0x01caade75719f510.

Error - 2/14/2010 10:40:31 PM | Computer Name = Owner-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/14/2010 10:51:00 PM | Computer Name = Owner-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18882, time stamp
0x4b3ed243, faulting module kernel32.dll, version 6.0.6001.18215, time stamp 0x49953395,
exception code 0x0eedfade, fault offset 0x000442eb, process id 0x146c, application
start time 0x01caade9951569ab.

Error - 2/14/2010 11:01:40 PM | Computer Name = Owner-PC | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 6.0.6000.16386, time stamp
0x4549b0e1, faulting module USER32.dll, version 6.0.6001.18000, time stamp 0x4791a7a6,
exception code 0xc0000142, fault offset 0x00009cac, process id 0x1544, application
start time 0x01caadeb3210adeb.

Error - 2/14/2010 11:02:42 PM | Computer Name = Owner-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18882, time stamp
0x4b3ed243, faulting module kernel32.dll, version 6.0.6001.18215, time stamp 0x49953395,
exception code 0x0eedfade, fault offset 0x000442eb, process id 0x13c4, application
start time 0x01caadeb3571da4b.

Error - 2/14/2010 11:33:22 PM | Computer Name = Owner-PC | Source = WinMgmt | ID = 10
Description =

[ Media Center Events ]
Error - 2/26/2009 6:34:52 PM | Computer Name = Owner-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 2/26/2009 8:32:56 PM | Computer Name = Owner-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 5/25/2009 3:23:20 PM | Computer Name = Owner-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

Error - 6/9/2009 6:44:23 PM | Computer Name = Owner-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 6/11/2009 5:57:50 PM | Computer Name = Owner-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 8/17/2009 3:00:44 AM | Computer Name = Owner-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

[ System Events ]
Error - 3/5/2010 12:51:09 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 12:56:19 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 1:01:29 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 1:06:40 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 1:11:50 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 1:17:00 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 1:19:47 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 1:24:57 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 1:30:08 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.

Error - 3/5/2010 1:35:18 AM | Computer Name = Owner-PC | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 192.168.1.103. The computer with the IP address 192.168.1.101 did
not allow the name to be claimed by this computer.


< End of report >


#5 edcomitz

edcomitz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 05 March 2010 - 02:00 AM

Sam,
I was not able to upload the results of the GMER scan. It was rejected for exceeding the size limit. I divided it in half and this is the first of two attachments.

Thank you,
Ed

Attached Files



#6 edcomitz

edcomitz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 05 March 2010 - 02:02 AM

And finally the second half of the GMER log is attached to this post.

Thank you for your patience, Sam.

Ed

#7 edcomitz

edcomitz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 05 March 2010 - 02:10 AM

The second half of the GMER log has been rejected four times for exceeding size limit.
I will try to send the second half in the morning. Thank you for your patience.

Ed





#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:13 AM

Posted 05 March 2010 - 08:08 PM

When you ran GMER, did you remember to uncheck these sections?

* Sections
* IAT/EAT
* Drives/Partition other than Systemdrive, which is typically C:\
* Show All (This is important, so do not miss it.)



Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O2 - BHO: (&UpdateCheck.dll) - {D34D56E9-B37B-4C37-A854-1AC144592D5C} - C:\Windows\System32\UpdateCheck.dll ()
    O4 - HKU\S-1-5-21-1085965913-235832656-310955751-1000..\Run: [F5JMWNZTHI] C:\Users\Owner\AppData\Local\Temp\Ggd.exe ()
    [2010/02/08 18:30:17 | 000,000,120 | ---- | C] () -- C:\Users\Owner\AppData\Local\Bxucubucamotig.dat
    [2010/02/08 18:30:17 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Local\Treguvahoh.bin
    [2010/03/05 00:18:02 | 000,000,240 | -H-- | M] () -- C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    [2010/03/04 23:56:02 | 000,000,286 | -H-- | M] () -- C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
    @Alternate Data Stream - 99 bytes -> C:\ProgramData\TEMP:7E95B6FD
    @Alternate Data Stream - 165 bytes -> C:\ProgramData\TEMP:C210B4D5
    @Alternate Data Stream - 164 bytes -> C:\ProgramData\TEMP:829B37EE
    @Alternate Data Stream - 161 bytes -> C:\ProgramData\TEMP:7A639C45
    @Alternate Data Stream - 154 bytes -> C:\ProgramData\TEMP:80DDCCC1
    @Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:47ADFAF3
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:9371B810
    @Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:CA4300C6
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:26FE5B17
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:58D2A680

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.


========================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
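The OTL fix above targets four persistence points: a Browser Helper Object CLSID, a per-user Run value, GUID-named .job files in C:\Windows\Tasks, and alternate data streams hanging off C:\ProgramData\TEMP. The following PowerShell script is an added example, not part of this thread or of OTL, that re-checks those same locations after the fix so a helper can confirm nothing regenerated; it assumes PowerShell 3.0 or later (for `Get-Item -Stream`) and reuses the SID, CLSID, value name and paths quoted in the fix.

```powershell
# Added example (not OTL's own code). Assumes PowerShell 3.0+ for Get-Item -Stream.
# The identifiers below are the ones named in the :OTL fix block above.
$Sid      = 'S-1-5-21-1085965913-235832656-310955751-1000'
$AdsHost  = 'C:\ProgramData\TEMP'
$TasksDir = 'C:\Windows\Tasks'
$BhoClsid = '{D34D56E9-B37B-4C37-A854-1AC144592D5C}'
$RunName  = 'F5JMWNZTHI'

function Test-FixTargets {
    # Returns one string per artifact that is still present; an empty result means clean.
    $findings = @()

    # 1. The O2 line: BHO registration and its COM class registration.
    $bhoKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid"
    if (Test-Path $bhoKey) {
        $findings += "BHO still registered: $bhoKey"
    }
    if (Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$BhoClsid") {
        $findings += "CLSID still registered: $BhoClsid"
    }

    # 2. The O4 line: per-user Run value. HKU is not mapped as a drive by default.
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $runKey = "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        if ($run.PSObject.Properties.Name -contains $RunName) {
            $findings += "Run value still present: $RunName = $($run.$RunName)"
        }
        # Any Run value pointing into a Temp folder is worth a look, not only the named one.
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match '\\AppData\\Local\\Temp\\') {
                $findings += "Run value launches from Temp: $($p.Name) = $($p.Value)"
            }
        }
    }

    # 3. Legacy Tasks folder: .job files whose name is a bare GUID, as in the fix.
    Get-ChildItem -Path $TasksDir -Filter '*.job' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}\.job$' } |
        ForEach-Object { $findings += "GUID-named task file: $($_.FullName)" }

    # 4. Alternate data streams on C:\ProgramData\TEMP (ignore the default :$DATA stream).
    if (Test-Path $AdsHost) {
        Get-Item -Path $AdsHost -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $findings += "ADS still present: ${AdsHost}:$($_.Stream) ($($_.Length) bytes)"
            }
    }

    return $findings
}

$result = Test-FixTargets
if ($result.Count -eq 0) {
    Write-Output 'No fix targets remain.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt, since the HKU hive and C:\Windows\Tasks are not fully readable as a standard user.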

#9 edcomitz

edcomitz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 05 March 2010 - 09:47 PM

Sam,
Yes, to the best of my recollection I unchecked the boxes that you specified for the GMER scan. Here are the logs from the new OTL scans.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D34D56E9-B37B-4C37-A854-1AC144592D5C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D34D56E9-B37B-4C37-A854-1AC144592D5C}\ deleted successfully.
C:\Windows\System32\UpdateCheck.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-1085965913-235832656-310955751-1000\Software\Microsoft\Windows\CurrentVersion\Run\\F5JMWNZTHI deleted successfully.
C:\Users\Owner\AppData\Local\Temp\Ggd.exe moved successfully.
C:\Users\Owner\AppData\Local\Bxucubucamotig.dat moved successfully.
C:\Users\Owner\AppData\Local\Treguvahoh.bin moved successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job moved successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job moved successfully.
ADS C:\ProgramData\TEMP:7E95B6FD deleted successfully.
ADS C:\ProgramData\TEMP:C210B4D5 deleted successfully.
ADS C:\ProgramData\TEMP:829B37EE deleted successfully.
ADS C:\ProgramData\TEMP:7A639C45 deleted successfully.
ADS C:\ProgramData\TEMP:80DDCCC1 deleted successfully.
ADS C:\ProgramData\TEMP:47ADFAF3 deleted successfully.
ADS C:\ProgramData\TEMP:9371B810 deleted successfully.
ADS C:\ProgramData\TEMP:CA4300C6 deleted successfully.
ADS C:\ProgramData\TEMP:26FE5B17 deleted successfully.
ADS C:\ProgramData\TEMP:58D2A680 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 195729286 bytes
->Temporary Internet Files folder emptied: 115375773 bytes
->Java cache emptied: 112661431 bytes
->FireFox cache emptied: 43920326 bytes
->Apple Safari cache emptied: 103451580 bytes
->Flash cache emptied: 53270 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1568723 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1043118 bytes

Total Files Cleaned = 547.00 mb


OTL by OldTimer - Version 3.1.34.0 log created on 03052010_211057

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\~DF1A0.tmp not found!
File\Folder C:\Windows\temp\~DF1BB.tmp not found!

Registry entries deleted on Reboot...






OTL logfile created on: 3/5/2010 9:17:13 PM - Run 2
OTL by OldTimer - Version 3.1.34.0 Folder = C:\Users\Owner\Desktop\bleeping computer results
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 231.42 Gb Total Space | 174.85 Gb Free Space | 75.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/05 00:22:16 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\bleeping computer results\OTL.exe
PRC - [2010/01/15 22:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/10 14:54:02 | 000,269,648 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2009/09/10 14:54:00 | 000,420,176 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/15 01:04:34 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008/09/30 13:06:50 | 000,485,208 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2008/02/15 10:03:36 | 000,333,064 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe
PRC - [2008/01/29 20:51:52 | 004,911,104 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/29 19:00:40 | 000,430,080 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
PRC - [2008/01/22 16:25:26 | 000,712,704 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
PRC - [2008/01/21 18:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2008/01/17 18:27:52 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
PRC - [2008/01/17 18:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2007/12/03 19:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
PRC - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2007/06/15 23:01:58 | 000,448,080 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
PRC - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (SafeList) ==========

MOD - [2010/03/05 00:22:16 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\bleeping computer results\OTL.exe
MOD - [2009/04/11 01:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
SRV - [2009/09/10 14:54:02 | 000,269,648 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2008/02/26 13:19:46 | 000,648,456 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (tmproxy)
SRV - [2008/02/15 10:03:36 | 000,333,064 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2008/01/21 18:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/17 18:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 19:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/30 02:35:40 | 000,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/09/24 20:38:00 | 000,181,784 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\S-1-5-21-1085965913-235832656-310955751-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1085965913-235832656-310955751-1000\S-1-5-21-1085965913-235832656-310955751-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {3454C0E4-E174-42EB-89A8-F30CF94DCCE5}:1.9.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=QLbQX9xIZV43iAiVJzhbew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5}: C:\Users\Owner\AppData\Local\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5} [2010/02/13 19:15:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/01 21:16:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/01 21:16:33 | 000,000,000 | ---D | M]

[2008/12/25 11:24:15 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\mozilla\Extensions
[2010/03/03 22:34:27 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\kp3echst.default\extensions
[2009/09/01 17:26:50 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\kp3echst.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/02/23 20:42:35 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\kp3echst.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/06/11 15:07:50 | 000,009,941 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Mozilla\FireFox\Profiles\kp3echst.default\searchplugins\mywebsearch.xml
[2010/03/01 21:16:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/08/04 13:36:08 | 000,352,256 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npgobitgamesplugin.dll
[2009/06/11 15:03:05 | 000,024,684 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1204.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1204.0\msneshellx.dll (Microsoft Corp.)
O3 - HKU\S-1-5-21-1085965913-235832656-310955751-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [DSS] C:\Windows\BBSTORE\DSS\DSSAGENT.EXE (Brøderbund Software)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1085965913-235832656-310955751-1000..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe ()
O4 - Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
O7 - HKU\S-1-5-21-1085965913-235832656-310955751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlcm.cab (Symantec Configuration Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.56,93.188.166.62
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/20 21:34:27 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/03/05 21:10:57 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/05 02:13:58 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\bleeping computer results
[2010/03/02 07:20:27 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2010/03/02 07:20:27 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2010/03/02 07:20:27 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2010/03/01 23:26:22 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/03/01 16:32:03 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/01 16:32:00 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files - Modified Within 14 Days ==========

[2010/03/05 21:15:39 | 004,456,448 | -HS- | M] () -- C:\Users\Owner\ntuser.dat
[2010/03/05 21:14:19 | 000,000,433 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.ics
[2010/03/05 21:14:13 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/05 21:14:13 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/05 21:14:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/05 21:14:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/05 21:14:00 | 3084,521,472 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/05 21:13:13 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/03/05 21:13:13 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TM.blf
[2010/03/05 21:10:26 | 000,000,492 | ---- | M] () -- C:\Windows\tasks\Malwarebytes' Scheduled Scan for Owner.job
[2010/03/05 17:40:02 | 000,000,558 | ---- | M] () -- C:\Windows\tasks\Norton Security Scan for Owner.job
[2010/03/03 23:27:19 | 000,035,840 | ---- | M] () -- C:\Users\Owner\Documents\Toshiba Satellite L305D.doc
[2010/03/03 22:38:49 | 000,007,944 | ---- | M] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2010/03/03 22:27:50 | 000,740,884 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/03 22:27:50 | 000,157,798 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/03 22:27:50 | 000,151,972 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/03 22:18:50 | 004,868,379 | -H-- | M] () -- C:\Users\Owner\AppData\Local\IconCache.db
[2010/03/02 23:02:06 | 000,001,885 | ---- | M] () -- C:\Users\Owner\Desktop\HijackThis.lnk
[2010/03/02 07:24:04 | 000,390,872 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/03/01 23:11:51 | 000,002,609 | ---- | M] () -- C:\Users\Owner\Desktop\Microsoft Office Word 2003.lnk
[2010/03/01 21:16:34 | 000,001,735 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/03/01 16:32:06 | 000,000,829 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/01 14:12:49 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TMContainer00000000000000000002.regtrans-ms
[2010/03/01 13:49:54 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/03/01 13:49:54 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TM.blf
[2010/02/28 19:39:35 | 000,002,838 | ---- | M] () -- C:\Windows\machine.ver
[2010/02/28 18:28:56 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TMContainer00000000000000000002.regtrans-ms
[2010/02/28 18:02:49 | 000,524,288 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{490dc9e8-1a80-11df-ac38-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/02/28 18:02:49 | 000,065,536 | -HS- | M] () -- C:\Users\Owner\ntuser.dat{490dc9e8-1a80-11df-ac38-001e3362bc7f}.TM.blf
[2010/02/23 20:13:04 | 000,019,968 | ---- | M] () -- C:\Users\Owner\Documents\Hair.doc

========== Files Created - No Company Name ==========

[2010/03/03 23:27:19 | 000,035,840 | ---- | C] () -- C:\Users\Owner\Documents\Toshiba Satellite L305D.doc
[2010/03/02 23:02:06 | 000,001,885 | ---- | C] () -- C:\Users\Owner\Desktop\HijackThis.lnk
[2010/03/02 18:36:50 | 000,000,492 | ---- | C] () -- C:\Windows\tasks\Malwarebytes' Scheduled Scan for Owner.job
[2010/03/01 16:32:06 | 000,000,829 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/01 13:52:00 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TMContainer00000000000000000002.regtrans-ms
[2010/03/01 13:52:00 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/03/01 13:52:00 | 000,065,536 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{ac7194f7-2561-11df-8c8b-001e3362bc7f}.TM.blf
[2010/03/01 13:38:58 | 3084,521,472 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/28 18:22:31 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TMContainer00000000000000000002.regtrans-ms
[2010/02/28 18:22:31 | 000,524,288 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TMContainer00000000000000000001.regtrans-ms
[2010/02/28 18:22:31 | 000,065,536 | -HS- | C] () -- C:\Users\Owner\ntuser.dat{0fdd25e7-24c0-11df-9ed5-001e3362bc7f}.TM.blf
[2010/02/23 20:13:04 | 000,019,968 | ---- | C] () -- C:\Users\Owner\Documents\Hair.doc
[2010/02/10 16:10:09 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/02/06 15:59:44 | 000,000,169 | ---- | C] () -- C:\Windows\disney.ini
[2010/01/30 13:08:42 | 000,000,000 | ---- | C] () -- C:\Windows\setup32.INI
[2009/09/19 18:45:10 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/23 19:23:21 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Horns
[2009/08/23 19:23:21 | 000,000,268 | RH-- | C] () -- C:\Users\Owner\AppData\Roaming\Hip Hop
[2009/08/23 19:23:21 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLdw.DAT
[2009/08/23 19:18:07 | 000,000,268 | RH-- | C] () -- C:\ProgramData\HomePageService
[2009/08/23 19:18:07 | 000,000,268 | RH-- | C] () -- C:\Users\Owner\AppData\Roaming\Help
[2009/08/23 19:18:07 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLdu.DAT
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/27 10:30:34 | 000,000,067 | ---- | C] () -- C:\Windows\swupdate.INI
[2009/04/20 17:24:29 | 000,007,944 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2009/01/22 19:20:36 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/12/27 13:17:42 | 000,009,216 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/22 13:06:32 | 000,000,013 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2008/11/22 13:06:32 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2008/08/27 23:26:05 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2008/08/27 23:26:05 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2008/08/27 23:26:05 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2008/08/27 23:26:05 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2008/02/13 13:15:06 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/02/12 21:23:20 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/02/12 21:23:20 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/02/12 21:23:20 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/02/12 21:23:20 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/02/12 21:23:20 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/02/12 21:23:20 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/01/20 21:24:21 | 000,148,480 | ---- | C] () -- C:\Users\Owner\AppData\Local\anogomusige.dll
[2008/01/20 21:24:21 | 000,039,936 | ---- | C] () -- C:\Users\Owner\AppData\Local\mstaten.dll
[2007/07/28 00:26:30 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 11:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/02/26 17:51:54 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Fabulous Finds
[2009/02/25 17:19:52 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Gamelab
[2009/06/13 19:29:31 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\GOL_byHasbro
[2009/05/07 17:40:16 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\iWin
[2010/02/06 16:00:47 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Leadertech
[2010/02/28 21:16:38 | 000,000,000 | -HSD | M] -- C:\Users\Owner\AppData\Roaming\lowsec
[2009/08/29 14:40:57 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Nikon
[2008/12/25 06:14:49 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\TOSHIBA
[2008/12/25 06:14:21 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Ulead Systems
[2009/05/07 19:28:21 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\WildTangent
[2010/03/05 21:13:15 | 000,032,578 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 21:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 21:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 21:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 04:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: KR10N.SYS >
[2006/11/09 01:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) MD5=6A4ADB9186DD0E114E623DAF57E42B31 -- C:\Windows\System32\drivers\KR10N.sys
[2006/11/09 01:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) MD5=6A4ADB9186DD0E114E623DAF57E42B31 -- C:\Windows\System32\DriverStore\FileRepository\kr10.inf_c681c175\KR10N.sys
[2005/09/27 03:57:00 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) MD5=A1963360E74931222A67356C8AD48378 -- C:\Windows\System32\DriverStore\FileRepository\kr10n.inf_f8c77270\KR10N.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 21:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/20 21:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 01:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 01:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
< End of report >



When I attempt to check for Malwarebytes updates I receive this statement:

error code: 732 (0,0)

I will run the Malwarebytes scan with the current version. I am running it right after I post this reply.

Thank you,
Ed



#10 edcomitz (Topic Starter)

Posted 05 March 2010 - 10:56 PM

Sam,
The malwarebytes scan has completed.
Here is the log.

Ed


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6002 Service Pack 2

3/5/2010 10:47:35 PM
mbam-log-2010-03-05 (22-47-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 247556
Time elapsed: 55 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#11 Buckeye_Sam (Malware Expert)

Posted 06 March 2010 - 03:13 PM

Download and run this file.
http://mbam.malwarebytes.org/database/mbam-rules.exe

It should update Malwarebytes to the current version and update definitions for you.
Once you do that, run Malwarebytes again and post the resulting log for me.


Give me an update on how your computer is behaving and the problems you are still having.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#12 edcomitz (Topic Starter)

Posted 06 March 2010 - 11:37 PM

Sam,
I downloaded the file (mbam-rules.exe) that you specified but I was not able to successfully install it. After a half dozen attempts I de-installed Malwarebytes and installed a fresh copy on my laptop. I was then able to check for updates. I ran a new scan and have copied the results into this reply.
Besides the frightening amount of malicious items that Malwarebytes found this time around, the only thing that I notice is that Internet Explorer 8 will not launch. The icon is in the quick start menu and the Start menu but it is inert.

Thank you for all your help,
Ed




Malwarebytes' Anti-Malware 1.44
Database version: 3830
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

3/6/2010 11:13:01 PM
mbam-log-2010-03-06 (23-13-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 271616
Time elapsed: 1 hour(s), 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d34d56e9-b37b-4c37-a854-1ac144592d5c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\F5JMWNZTHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Environment\evapp (Rogue.Antivir2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\evuninst (Rogue.Antivir2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.56,93.188.166.62 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c69a1454-6db0-4bd9-a237-987efafb88f6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.56,93.188.166.62 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Common Files\Uninstall\AV (Rogue.Antivir2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\00002ad2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\rsma.tdo (Trojan.Oficla) -> Quarantined and deleted successfully.
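
The two Trojan.DNSChanger entries above, together with the O17 lines in the earlier OTL log (DhcpNameServer = 68.87.73.246 68.87.71.230 from the ISP, but a static NameServer = 93.188.164.56,93.188.166.62), are the most security-relevant finding in this thread: a hijacked resolver lets the attacker redirect or fail lookups selectively, which is consistent with update checks failing while ordinary browsing still works. The script below is an added example, not code from the thread or from any of the tools used in it. It parses OTL-style O17 lines and Malwarebytes "NameServer ... Data:" lines, flags any static NameServer that differs from the DHCP-supplied servers, and checks each address against the rogue DNS ranges the FBI published for the DNSChanger infrastructure (93.188.160.0/21 contains the servers seen here). The function names (`analyze`, `is_rogue`, `split_servers`) and `SAMPLE_LINES` are this example's own; the sample lines are constructed to mirror the thread's log entries, plus one benign public-resolver override for contrast.

```python
"""Flag DNS-hijack indicators in OTL 'O17' lines and Malwarebytes log lines.

Added example for the thread above, not part of the original posts or of
OTL/Malwarebytes. SAMPLE_LINES are constructed to resemble the posted logs.
"""
import ipaddress
import json
import re

# Rogue resolver ranges published by the FBI for the DNSChanger (Rove Digital)
# infrastructure. 93.188.160.0/21 contains 93.188.164.56 and 93.188.166.62.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# OTL: "O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = a,b"
O17_RE = re.compile(
    r"^O17 - (?P<key>.+?): (?P<name>DhcpNameServer|NameServer) = (?P<val>.+)$")
# Malwarebytes: "HKEY_...\NameServer (Trojan.DNSChanger) -> Data: a,b -> ..."
MBAM_RE = re.compile(
    r"^(?P<key>HKEY_\S+?\\NameServer) \((?P<family>[^)]+)\) -> Data: (?P<val>[^ ]+)")

SAMPLE_LINES = [
    # Constructed to mirror the thread's OTL O17 entries.
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.56,93.188.166.62",
    # Constructed to mirror the thread's Malwarebytes detection line.
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c69a1454-6db0-4bd9-a237-987efafb88f6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.56,93.188.166.62 -> Quarantined and deleted successfully.",
    # Constructed benign case: a manually set public resolver on another adapter.
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}: NameServer = 8.8.8.8",
]


def split_servers(val):
    """Registry NameServer values may be comma- or space-separated."""
    return [s for s in re.split(r"[,\s]+", val.strip()) if s]


def is_rogue(ip_str):
    """True if the address falls inside a published DNSChanger range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in DNSCHANGER_RANGES)


def analyze(lines):
    """Collect DHCP servers and every static NameServer, then flag anomalies.

    A static NameServer that differs from DHCP is worth a look but not proof
    of compromise (it is exactly what a user who chose a public resolver gets);
    a static NameServer inside a known rogue range is a DNSChanger indicator.
    """
    dhcp, static = [], {}
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            servers = split_servers(m["val"])
            if m["name"] == "DhcpNameServer":
                dhcp.extend(servers)
            else:
                static[m["key"]] = servers
            continue
        m = MBAM_RE.match(line.strip())
        if m:
            static[m["key"]] = split_servers(m["val"])

    findings = []
    for key, servers in static.items():
        rogue = [s for s in servers if is_rogue(s)]
        not_from_dhcp = sorted(set(servers) - set(dhcp))
        if rogue or not_from_dhcp:
            findings.append({"key": key, "servers": servers,
                             "rogue": rogue, "not_from_dhcp": not_from_dhcp})
    return {"dhcp": dhcp, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LINES), indent=2))
```

On a live machine the same two values live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and each Interfaces\{GUID} subkey; after cleanup the static NameServer should be empty so the DHCP-supplied servers are used again, and any remaining static entry should be one the owner set deliberately.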


#13 Buckeye_Sam (Malware Expert)

Posted 08 March 2010 - 08:35 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 edcomitz

edcomitz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 08 March 2010 - 08:21 PM

Sam,
Here is the Combofix log.

Ed

ComboFix 10-03-08.01 - Owner 03/08/2010 20:07:31.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2941.2129 [GMT -5:00]
Running from: c:\users\Owner\Downloads\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1085965913-235832656-310955751-500
c:\program files\Common Files\Uninstall
c:\program files\Internet Explorer\msimg32.dll
c:\users\Owner\AppData\Local\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5}
c:\users\Owner\AppData\Local\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5}\chrome.manifest
c:\users\Owner\AppData\Local\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5}\chrome\content\_cfg.js
c:\users\Owner\AppData\Local\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5}\chrome\content\overlay.xul
c:\users\Owner\AppData\Local\{3454C0E4-E174-42EB-89A8-F30CF94DCCE5}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.

2010-03-09 01:13 . 2010-03-09 01:14 -------- d-----w- c:\users\Owner\AppData\Local\temp
2010-03-09 01:13 . 2010-03-09 01:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-08 00:03 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-08 00:03 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-07 13:55 . 2010-03-07 13:55 -------- d-----w- c:\program files\Windows Portable Devices
2010-03-07 06:00 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-03-07 05:59 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-03-07 05:59 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-03-07 05:59 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-03-07 03:05 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-07 03:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 02:57 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-03-07 02:57 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-03-07 02:43 . 2010-02-16 14:31 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100306.004\NAVENG.SYS
2010-03-07 02:43 . 2010-02-16 14:31 371248 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100306.004\EECTRL.SYS
2010-03-07 02:43 . 2010-02-16 14:31 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100306.004\CCERASER.DLL
2010-03-07 02:43 . 2010-02-16 14:31 259440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100306.004\ECMSVR32.DLL
2010-03-07 02:43 . 2010-02-16 14:31 177520 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100306.004\NAVENG32.DLL
2010-03-07 02:43 . 2010-02-16 14:31 1647984 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100306.004\NAVEX32A.DLL
2010-03-07 02:43 . 2010-02-16 14:31 1324720 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100306.004\NAVEX15.SYS
2010-03-07 02:43 . 2010-02-16 14:31 102448 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100306.004\ERASER.SYS
2010-03-07 02:41 . 2010-03-07 04:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 02:10 . 2010-03-06 02:10 -------- d-----w- C:\_OTL
2010-03-02 12:20 . 2010-03-02 12:20 -------- d-----w- c:\windows\system32\ca-ES
2010-03-02 12:20 . 2010-03-02 12:20 -------- d-----w- c:\windows\system32\eu-ES
2010-03-02 12:20 . 2010-03-02 12:20 -------- d-----w- c:\windows\system32\vi-VN
2010-03-02 04:26 . 2010-03-02 04:26 -------- d-----w- c:\windows\system32\EventProviders
2010-02-17 17:30 . 2010-02-17 17:30 -------- d-----w- c:\program files\Norton 360
2010-02-17 17:30 . 2010-02-17 17:30 -------- d-----w- c:\program files\NortonInstaller(106)
2010-02-17 17:13 . 2010-02-17 17:13 -------- d-----w- c:\program files\Mozilla Firefox(105)
2010-02-17 00:59 . 2010-02-17 00:59 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2010-02-17 00:59 . 2010-02-17 00:59 -------- d-----w- c:\programdata\Malwarebytes
2010-02-17 00:57 . 2010-02-28 23:23 -------- d-----w- c:\users\Owner\uncle eds detox software
2010-02-15 04:20 . 2010-02-15 04:20 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-15 02:52 . 2010-03-01 02:16 -------- d-----w- c:\programdata\Symantec Temporary Files
2010-02-15 02:52 . 2010-02-15 02:52 0 ----a-w- c:\programdata\Symantec Temporary Files\N360S300EN.exe
2010-02-13 23:03 . 2010-02-17 02:14 -------- d-----w- c:\programdata\eca
2010-02-10 21:18 . 2010-03-01 02:16 -------- d-sh--w- c:\users\Owner\AppData\Roaming\lowsec
2010-02-10 00:52 . 2010-02-10 00:52 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 13:58 . 2008-11-22 18:07 112976 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-07 13:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-07 13:55 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-07 13:45 . 2010-03-07 13:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-03-07 13:45 . 2010-03-07 13:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-07 05:58 . 2008-08-28 03:53 -------- d-----w- c:\programdata\Microsoft Help
2010-03-07 02:43 . 2008-02-13 02:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-06 04:15 . 2009-02-21 05:00 -------- d-----w- c:\program files\Safari
2010-03-04 03:38 . 2009-04-20 22:24 7944 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-03-03 04:44 . 2008-02-13 02:32 -------- d-----w- c:\program files\Google
2010-03-03 04:02 . 2008-11-23 13:22 -------- d-----w- c:\program files\Trend Micro
2010-03-02 12:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-02 12:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-02 12:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-02 12:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-02 12:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-01 02:16 . 2009-05-08 20:48 -------- d-----w- c:\programdata\7def
2010-03-01 02:16 . 2008-02-13 02:34 -------- d-----w- c:\program files\Picasa2
2010-03-01 02:16 . 2008-08-28 03:56 -------- d-----w- c:\program files\Microsoft Works
2010-03-01 02:12 . 2009-07-22 22:01 -------- d-----w- c:\program files\NortonInstaller
2010-03-01 02:11 . 2009-06-11 20:39 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2010-02-20 03:18 . 2008-02-13 02:09 -------- d-----w- c:\programdata\Symantec
2010-02-17 17:31 . 2009-07-22 22:02 -------- d-----w- c:\programdata\Norton
2010-02-17 17:30 . 2009-07-22 22:01 -------- d-----w- c:\programdata\NortonInstaller
2010-02-17 02:33 . 2009-03-15 01:11 -------- d-----w- c:\program files\Norton Security Scan
2010-02-16 14:31 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\CCERASER.DLL
2010-02-16 14:31 . 2009-10-19 08:00 259440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\ECMSVR32.DLL
2010-02-16 14:31 . 2009-08-27 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\NAVENG.SYS
2010-02-16 14:31 . 2009-08-27 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\EECTRL.SYS
2010-02-16 14:31 . 2009-08-27 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\NAVENG32.DLL
2010-02-16 14:31 . 2009-08-27 08:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\NAVEX32A.DLL
2010-02-16 14:31 . 2009-08-27 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\NAVEX15.SYS
2010-02-16 14:31 . 2009-08-27 08:00 102448 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\ERASER.SYS
2010-02-16 01:11 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-02-16 01:10 . 2008-02-13 01:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-16 01:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Microsoft Games
2010-02-06 21:00 . 2010-02-06 21:00 -------- d-----w- c:\users\Owner\AppData\Roaming\Leadertech
2010-02-06 21:00 . 2010-02-06 21:00 -------- d-----w- c:\programdata\QuickTime
2010-02-06 20:58 . 2010-01-30 18:09 -------- d-----w- c:\program files\The Learning Company
2010-02-06 17:51 . 2010-02-06 17:51 290 ----a-w- c:\windows\EReg077.dat
2010-02-01 23:57 . 2010-02-01 23:56 -------- d-----w- c:\program files\iTunes
2010-02-01 23:56 . 2010-02-01 23:56 -------- d-----w- c:\program files\iPod
2010-02-01 23:56 . 2008-12-25 16:28 -------- d-----w- c:\program files\Common Files\Apple
2010-02-01 23:51 . 2010-02-01 23:51 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- c:\programdata\The Learning Company
2010-01-25 12:00 . 2010-03-07 02:58 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-03-07 02:58 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-03-07 02:58 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-03-07 02:58 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-03-07 02:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-03-07 02:58 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-03-07 02:58 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-03-07 02:58 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-03-07 02:58 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-03-07 02:58 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 08:17 . 2009-06-14 00:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-06 15:39 . 2010-03-07 02:58 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-03-07 02:58 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-03-07 02:58 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-03-07 02:58 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-03-07 02:58 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-03-07 02:58 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-03-07 02:58 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-21 21:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 21:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 21:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 21:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 15:33 . 2009-12-31 15:33 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbAA7B.tmp.exe
2009-12-25 14:22 . 2009-12-25 14:22 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-23 15:36 . 2009-12-23 15:36 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE72C.tmp.exe
2009-12-14 09:00 . 2010-01-30 22:40 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100130.008\CCERASER.DLL
2009-12-11 11:43 . 2010-03-07 02:58 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-03-07 02:58 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-11-22 18:06 . 2008-11-22 18:06 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-11-22 18:06 . 2008-11-22 18:06 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2009-7-5 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bzoboducexuc]
2008-01-21 02:24 39936 ----a-w- c:\users\Owner\AppData\Local\mstaten.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ksamomopajeboy]
2008-01-21 02:24 148480 ----a-w- c:\users\Owner\AppData\Local\anogomusige.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 18:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(8):b7,4b,08,aa,03,ba,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1085965913-235832656-310955751-1000]
"EnableNotificationsRef"=dword:00000001

R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\UP_date\PEDrv.sys [x]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-02-26 648456]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-09-01 20352]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2009-04-02 52624]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-01-07 19160]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-07 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-23 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\kp3echst.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=QLbQX9xIZV43iAiVJzhbew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\GoBit Games\BrowserPlugin\npgobitgamesplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-AV - c:\program files\AV\Antivir.exe
MSConfigStartUp-F5JMWNZTHI - c:\users\Owner\AppData\Local\Temp\Ggd.exe
MSConfigStartUp-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
AddRemove-{718D791F-F4E8-4aa7-98A6-15FDED17BDD0} - c:\program files\Trend Micro\Internet Security\remove.exe
AddRemove-Extra Antivirus - c:\programdata\b63aa63\ExtraAV.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 20:14
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????#&W?????h?????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-03-08 20:16:45
ComboFix-quarantined-files.txt 2010-03-09 01:16

Pre-Run: 179,369,242,624 bytes free
Post-Run: 179,316,699,136 bytes free

- - End Of File - - 7E8690DED00AA6E976DEA609575400EC


#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:13 AM

Posted 09 March 2010 - 05:14 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

CODE
File::
c:\users\Owner\AppData\Local\anogomusige.dll
c:\users\Owner\AppData\Local\mstaten.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ksamomopajeboy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bzoboducexuc]

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



Let me know how your computer is behaving now.


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
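The CFScript above was written by hand from the "Reg Loading Points" section of the ComboFix log. As an added example (not code from this thread or from ComboFix), the script below parses that section, flags msconfig\startupreg entries whose binary lives under a per-user AppData folder (the same signal that singled out mstaten.dll and anogomusige.dll), and drafts a File::/Registry:: block in the form Buckeye_Sam used; the sample log text is constructed from the log posted above, and the AppData heuristic is an assumption of this example, not a ComboFix rule.

```python
"""
Triage the "Reg Loading Points" section of a ComboFix log and draft a
CFScript (File:: / Registry:: directives) for a helper to review.
Heuristic (assumed by this example): an msconfig\startupreg entry whose
image lives under a per-user AppData folder is flagged, because a
legitimate autostart rarely runs from a location the logged-in user can
write to without elevation.
"""
import re

# Constructed sample: three startupreg blocks copied from the log in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bzoboducexuc]
2008-01-21 02:24 39936 ----a-w- c:\users\Owner\AppData\Local\mstaten.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ksamomopajeboy]
2008-01-21 02:24 148480 ----a-w- c:\users\Owner\AppData\Local\anogomusige.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 18:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"""

# "[HKEY_...\msconfig\startupreg\<Name>]" -> group 1 = full key, group 2 = name
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\msconfig\\startupreg\\([^\]]+))\]$", re.I)
# "YYYY-MM-DD HH:MM <size> <attrs> <path>" as ComboFix prints it under each key
ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +(\d+) +\S+ +(.+)$")

# Per-user, user-writable locations (assumed suspect for an autostart image).
SUSPECT_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\")


def parse_startupreg(log_text):
    """Return a list of {key, name, size, path} dicts, one per startupreg block."""
    entries = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(1), "name": m.group(2)}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current["size"] = int(m.group(1))
            current["path"] = m.group(2).strip()
            entries.append(current)
            current = None
    return entries


def is_suspect(entry):
    """True when the autostart image lives under a per-user AppData folder."""
    path = entry["path"].lower()
    return any(d in path for d in SUSPECT_DIRS)


def draft_cfscript(entries):
    """Draft a CFScript: File:: lists the flagged images, Registry:: removes
    their startupreg keys with the standard [-KEY] deletion syntax.
    Returns an empty string when nothing is flagged."""
    flagged = [e for e in entries if is_suspect(e)]
    if not flagged:
        return ""
    lines = ["File::"] + [e["path"] for e in flagged]
    lines += ["", "Registry::"] + ["[-%s]" % e["key"] for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_startupreg(SAMPLE_LOG)
    for e in found:
        print("%-8s %-16s %s" % ("SUSPECT" if is_suspect(e) else "ok", e["name"], e["path"]))
    print()
    print(draft_cfscript(found), end="")
```

The draft is only a starting point for the person guiding the cleanup; a vendor-signed binary in Program Files (StartCCC in the sample) is left alone.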



