Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Diagnose HiJack Log


  • This topic is locked This topic is locked
22 replies to this topic

#1 akorna

akorna

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 10 July 2010 - 08:37 AM

Running Windows XP on a Toshiba NB205 Netbooked - networked Brother printer: Everytime a do a Google Search I get results OK - but when I select a result, it redirects to some random advertising page or site. Running Avira Free and ran Spybot Search & Destroy:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:26:25 AM, on 7/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TAccessibility] C:\Program Files\TOSHIBA\Accessibility\TAccessibility.exe Instant
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Update Service (gupdate1cacc7aeb4eec98) (gupdate1cacc7aeb4eec98) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 6453 bytes


BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:25 AM

Posted 13 July 2010 - 09:16 AM

Hello akorna, My names Syler and I will be helping you to solve your malware issues.

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed, If you have
since resolved your issues I would appreciate if you would let me no so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you recieve a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will the be created on your desktop where you ran mbr.exe from.
  • Copy and paste the contents of mbr.log on your next reply.


Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
  • mbr.log

Thanks

unite.jpg


#3 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 13 July 2010 - 08:20 PM

OK - second reply to follow with logs

#4 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 13 July 2010 - 08:24 PM

OTL logfile created on: 7/13/2010 6:45:23 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 141.55 Gb Total Space | 130.52 Gb Free Space | 92.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-NB205
Current User Name: Joe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/13 18:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
PRC - [2010/04/19 17:14:18 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 10:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/04/06 15:43:46 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/04/02 21:32:50 | 000,073,728 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
PRC - [2009/04/01 21:48:08 | 000,210,232 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TDispVol.exe
PRC - [2009/03/18 09:49:28 | 000,827,392 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
PRC - [2009/03/17 14:36:00 | 000,283,960 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2009/03/16 19:05:04 | 000,252,288 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
PRC - [2009/03/06 06:26:38 | 000,479,320 | ---- | M] (Atheros Communications, Inc.) -- C:\Program Files\Atheros\ACU.exe
PRC - [2009/03/06 06:26:06 | 000,495,700 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2008/10/11 02:17:50 | 000,132,456 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2008/08/22 13:26:38 | 000,523,320 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\ThpSrv.exe
PRC - [2008/07/01 18:03:06 | 000,038,200 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2008/05/21 17:07:00 | 000,111,984 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2007/04/13 21:16:16 | 000,311,296 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
PRC - [2007/04/09 21:07:02 | 000,159,744 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2007/01/25 21:45:42 | 000,468,600 | ---- | M] (TOSHIBA Corporation) -- C:\TOSHIBA\IVP\ISM\Ivpsvmgr.exe
PRC - [2006/06/28 07:46:30 | 000,622,592 | ---- | M] () -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2006/05/08 18:52:04 | 000,204,800 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
PRC - [2005/06/06 13:58:44 | 000,024,576 | ---- | M] (TOSHIBA) -- C:\WINDOWS\system32\ZoomingHook.exe
PRC - [2005/01/17 19:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/07/13 18:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
MOD - [2009/03/13 18:05:14 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\TDispVol.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/04/19 17:14:18 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/03/06 06:26:06 | 000,495,700 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2008/10/11 02:17:50 | 000,132,456 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2008/08/22 13:26:38 | 000,523,320 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\ThpSrv.exe -- (Thpsrv)
SRV - [2008/05/21 17:07:00 | 000,111,984 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2005/11/14 04:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/01/17 19:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\RtsUCcid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\Rts516xIR.sys -- (RtsUIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/26 13:37:44 | 000,048,176 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cec_uvc.sys -- (cecnuvc)
DRV - [2009/03/26 13:09:20 | 000,017,960 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2009/03/12 20:25:12 | 005,051,904 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/03/12 18:09:54 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2009/02/13 21:00:02 | 001,503,840 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2009/02/11 20:11:50 | 000,329,752 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2009/01/30 20:13:20 | 000,058,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2009/01/22 19:25:26 | 000,120,064 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/08/21 13:35:24 | 000,028,536 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\thpdrv.sys -- (Thpdrv)
DRV - [2008/08/05 23:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/07/24 17:40:58 | 000,017,192 | ---- | M] (TOSHIBA ) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPwSav.sys -- (TPwSav)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 16:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/02/07 03:23:46 | 000,166,448 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/09/05 05:03:00 | 000,049,664 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2007/09/04 13:14:06 | 000,006,528 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Thpevm.SYS -- (Thpevm)
DRV - [2007/03/26 15:22:18 | 000,105,856 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tdudf.sys -- (tdudf)
DRV - [2007/02/22 18:10:30 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/02/19 15:15:32 | 000,134,016 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\trudf.sys -- (trudf)
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/01/04 18:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2003/01/29 17:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?br...B&bmod=TSHB
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?br...B&bmod=TSHB


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/25 20:28:59 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe ()
O4 - HKLM..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe (COMPAL ELECTRONIC INC.)
O4 - HKLM..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe ()
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe (TOSHIBA CO.,LTD.)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe ()
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TAccessibility] C:\Program Files\TOSHIBA\Accessibility\TAccessibility.exe ()
O4 - HKLM..\Run: [TDispVol] C:\WINDOWS\System32\TDispVol.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ThpSrv] C:\WINDOWS\System32\thpsrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe (COMPAL ELECTRONIC INC.)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TUSBSleepChargeSrv] C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe (TOSHIBA)
O4 - HKLM..\Run: [ZoomingHook] C:\WINDOWS\System32\ZoomingHook.exe (TOSHIBA)
O4 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/06 14:11:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{394a4312-839b-11de-87e6-00235a0d0237}\Shell - "" = AutoRun
O33 - MountPoints2\{394a4312-839b-11de-87e6-00235a0d0237}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{394a4312-839b-11de-87e6-00235a0d0237}\Shell\AutoRun\command - "" = D:\bc.exe Catalog.html -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^Joe^Start Menu^Programs^Startup^syscron.exe - C:\Documents and Settings\Joe\Start Menu\Programs\Startup\syscron.exe - File not found
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Ajogomorabule - hkey= - key= - C:\WINDOWS\Wudmnpcl.DLL File not found
MsConfig - StartUpReg: Camera Assistant Software - hkey= - key= - C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
MsConfig - StartUpReg: ControlCenter3 - hkey= - key= - C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/13 18:42:23 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
[2010/07/10 23:17:31 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Joe\Recent
[2010/07/10 12:54:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Desktop\GooredFix Backups
[2010/07/10 12:25:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\My Documents\RegRun2
[2010/07/10 12:25:15 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/07/10 11:57:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Malwarebytes
[2010/07/10 11:57:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/10 11:57:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/10 11:57:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/10 11:57:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/10 11:54:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/10 11:54:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\My Documents\Simply Super Software
[2010/07/10 11:54:11 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2010/07/10 11:54:06 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2010/07/10 11:54:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Simply Super Software
[2010/07/10 11:54:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2010/07/10 07:55:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/10 06:43:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/07/10 06:42:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/07 13:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/07 13:41:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/07 13:28:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Local Settings\Application Data\Windows Server
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/13 18:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
[2010/07/13 18:41:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/13 18:35:46 | 000,000,758 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\AOL email.url
[2010/07/13 18:18:21 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/13 18:17:48 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/13 18:17:48 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
[2010/07/13 18:17:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/13 18:17:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/13 18:17:28 | 2137,444,352 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/10 23:17:53 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Joe\NTUSER.DAT
[2010/07/10 23:17:53 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Joe\ntuser.ini
[2010/07/10 23:17:48 | 004,830,020 | -H-- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\IconCache.db
[2010/07/10 22:39:47 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/10 12:59:57 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\HiJackThis.lnk
[2010/07/10 12:26:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/10 12:26:13 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/07/10 12:26:13 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/07/10 11:57:08 | 000,000,708 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/10 11:54:15 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trojan Remover.lnk
[2010/07/10 09:24:35 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\HiJackThis.msi
[2010/07/10 08:57:26 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\CCleaner.lnk
[2010/07/10 08:36:35 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
[2010/07/10 08:19:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\acoparoh.dll
[2010/07/10 07:44:42 | 000,000,000 | ---- | M] () -- C:\WINDOWS\asekawasaxoveseb.dll
[2010/07/10 06:28:32 | 000,000,000 | ---- | M] () -- C:\WINDOWS\ubopuvebuqa.dll
[2010/07/09 22:55:07 | 000,000,091 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/07/09 21:29:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\awimipobe.dll
[2010/07/09 20:42:34 | 000,000,000 | ---- | M] () -- C:\WINDOWS\ejekidonotudok.dll
[2010/07/09 20:42:04 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Rparikereva.dat
[2010/07/09 20:42:04 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ikogitesu.bin
[2010/07/03 11:25:58 | 000,001,741 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/06/27 20:09:37 | 001,517,901 | ---- | M] () -- C:\Documents and Settings\Joe\My Documents\Ferrari_308_GTB_GTS_Buyer_s_Guide.pdf
[2010/06/23 22:21:07 | 000,491,328 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/23 22:21:07 | 000,434,266 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/23 22:21:07 | 000,068,386 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/10 12:26:13 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2010/07/10 11:57:08 | 000,000,708 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/10 11:54:15 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Trojan Remover.lnk
[2010/07/10 11:54:11 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/07/10 11:54:11 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/07/10 11:54:11 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/07/10 11:54:11 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/07/10 09:24:34 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\HiJackThis.msi
[2010/07/10 08:19:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\acoparoh.dll
[2010/07/10 07:55:22 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\HiJackThis.lnk
[2010/07/10 07:44:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\asekawasaxoveseb.dll
[2010/07/10 06:28:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ubopuvebuqa.dll
[2010/07/09 22:55:07 | 000,000,091 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/07/09 21:29:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\awimipobe.dll
[2010/07/09 20:42:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ejekidonotudok.dll
[2010/07/07 14:11:47 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/07 13:30:47 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rparikereva.dat
[2010/07/07 13:30:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ikogitesu.bin
[2010/06/27 20:09:36 | 001,517,901 | ---- | C] () -- C:\Documents and Settings\Joe\My Documents\Ferrari_308_GTB_GTS_Buyer_s_Guide.pdf
[2009/08/08 13:02:11 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/08/08 13:02:11 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/08/08 13:01:38 | 000,000,227 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/08/08 13:01:38 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/08/08 13:00:55 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/08/08 12:48:46 | 000,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2009/08/07 19:22:40 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/07 15:52:46 | 000,000,013 | RHS- | C] () -- C:\WINDOWS\System32\drivers\fbd.sys
[2009/08/07 15:52:39 | 000,000,004 | RHS- | C] () -- C:\WINDOWS\System32\drivers\taishop.sys
[2009/07/09 00:28:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/07/09 00:20:57 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2009/04/06 15:54:02 | 000,000,348 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/04/06 15:33:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2009/04/06 15:23:37 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\EBLib.DLL
[2009/04/06 15:03:17 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/04/06 14:09:03 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/04/02 14:54:38 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll
[2009/04/02 13:35:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\EKECioCtl.dll
[2009/03/31 14:13:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\HWS_Ctrl.dll
[2009/03/13 18:05:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TDispVol.dll
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2010/05/04 13:20:32 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/05/04 13:20:33 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/04/06 07:05:33 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/04/06 07:05:33 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/04/06 07:05:32 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >


#5 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 13 July 2010 - 08:38 PM

the site will not let me post the extras.txt file - here is the MBR

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x89D05EC5]<<
kernel: MBR read successfully
user & kernel MBR OK


#6 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 13 July 2010 - 08:41 PM

I've attached the extras.txt file

Attached Files



#7 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 14 July 2010 - 05:51 AM

Here is the text - server finally let it load.

OTL Extras logfile created on: 7/13/2010 6:45:23 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 141.55 Gb Total Space | 130.52 Gb Free Space | 92.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-NB205
Current User Name: Joe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02EED746-8C5A-43C8-BB3D-D29C8B363A4D}" = TOSHIBA Zooming Utility
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{16E8BF9A-B419-4A44-A020-30F8CFB84B9D}" = Atheros Client Utility
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21526716-DFD8-4B90-86D9-EF9F47057B3E}" = Toshiba Resources Page
"{224821ED-CADA-4A8A-AC8D-3734CC0F0931}" = Amazon Links
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{3A57482F-BEBC-47E4-ADA1-6302403C7E50}" = TOSHIBA Accessibility
"{400830CA-F056-4BBE-80A3-9DF9CA4FB889}" = TOSHIBA Direct Disc Writer
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7900D3A6-A9E8-4954-ACCB-AB15867978BF}" = TOSHIBA Hotkey Utility
"{80977342-27E8-4FF7-8B6A-D8D89461DA7F}" = TouchPad On/Off Utility
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software
"{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}" = Toshiba Application and Driver Installer
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE}" = TOSHIBA Power Saver
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{BF5A20B4-55F7-49B8-9302-FAC7C459AF3D}" = Skype Launcher
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{E487EE7D-EAAA-4E2A-9116-E3B477D8A74F}" = TOSHIBA USB Sleep and Charge Utility
"{E69992ED-A7F6-406C-9280-1C156417BC49}" = Toshiba Quality Application
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{F0F563C4-D4AD-41C4-A8A6-26664C027D11}" = Brother MFL-Pro Suite
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"0C1E66B43FC1E6F11D2308E9D4B5ECD1E601C2E9" = Windows Driver Package - Chicony (cecnuvc) Image (03/26/2009 6.4.64.0326)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"Fn-esse" = TOSHIBA Fn-esse
"Google Chrome" = Google Chrome
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{02EED746-8C5A-43C8-BB3D-D29C8B363A4D}" = TOSHIBA Zooming Utility
"InstallShield_{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"InstallShield_{3A57482F-BEBC-47E4-ADA1-6302403C7E50}" = TOSHIBA Accessibility
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{7900D3A6-A9E8-4954-ACCB-AB15867978BF}" = TOSHIBA Hotkey Utility
"InstallShield_{80977342-27E8-4FF7-8B6A-D8D89461DA7F}" = TouchPad On/Off Utility
"InstallShield_{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE}" = TOSHIBA Power Saver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 12.0" = RealPlayer
"Trojan Remover_is1" = Trojan Remover 6.8.2
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/9/2010 9:31:52 PM | Computer Name = TOSHIBA-NB205 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17055, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/9/2010 9:31:57 PM | Computer Name = TOSHIBA-NB205 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17055, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/9/2010 9:33:31 PM | Computer Name = TOSHIBA-NB205 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17055, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/9/2010 9:33:33 PM | Computer Name = TOSHIBA-NB205 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17055, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/10/2010 8:35:25 AM | Computer Name = TOSHIBA-NB205 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/10/2010 8:35:25 AM | Computer Name = TOSHIBA-NB205 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/10/2010 12:34:50 PM | Computer Name = TOSHIBA-NB205 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/10/2010 12:34:50 PM | Computer Name = TOSHIBA-NB205 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/13/2010 6:18:21 PM | Computer Name = TOSHIBA-NB205 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/13/2010 6:18:21 PM | Computer Name = TOSHIBA-NB205 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 5/16/2010 9:26:35 PM | Computer Name = TOSHIBA-NB205 | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.2
with the system having network hardware address 00:21:E9:68:9B:10. Network operations
on this system may be disrupted as a result.

Error - 5/17/2010 1:50:43 PM | Computer Name = TOSHIBA-NB205 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0024D2A9A12D has been denied by the DHCP server 198.18.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 5/21/2010 10:08:57 PM | Computer Name = TOSHIBA-NB205 | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.2
with the system having network hardware address 00:21:E9:68:9B:10. Network operations
on this system may be disrupted as a result.

Error - 6/3/2010 4:35:33 PM | Computer Name = TOSHIBA-NB205 | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.2
with the system having network hardware address 00:21:E9:68:9B:10. Network operations
on this system may be disrupted as a result.

Error - 7/10/2010 10:27:36 PM | Computer Name = TOSHIBA-NB205 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 7/10/2010 10:55:13 PM | Computer Name = TOSHIBA-NB205 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 7/13/2010 6:20:01 PM | Computer Name = TOSHIBA-NB205 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:25 AM

Posted 14 July 2010 - 11:41 AM

Hi,

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

unite.jpg


#9 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 14 July 2010 - 03:57 PM

ComboFix 10-07-14.01 - Joe 07/14/2010 16:45:32.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1647 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joe\Local Settings\Application Data\Windows Server
c:\documents and settings\Joe\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Joe\Local Settings\Application Data\Windows Server\uses32.dat
c:\windows\acoparoh.dll
c:\windows\asekawasaxoveseb.dll
c:\windows\awimipobe.dll
c:\windows\ejekidonotudok.dll
c:\windows\ubopuvebuqa.dll

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))
.

2010-07-13 22:20 . 2010-07-05 18:30 3687344 ----a-w- c:\documents and settings\Joe\Application Data\Simply Super Software\Trojan Remover\fnnD.exe
2010-07-10 16:26 . 2010-07-10 16:26 2 --shatr- c:\windows\winstart.bat
2010-07-10 16:25 . 2010-07-10 16:37 -------- d-----w- c:\program files\UnHackMe
2010-07-10 15:57 . 2010-07-10 15:57 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-07-10 15:57 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 15:57 . 2010-07-10 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 15:57 . 2010-07-10 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-10 15:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 15:54 . 2010-07-13 22:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-10 15:54 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-07-10 15:54 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-07-10 15:54 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-07-10 15:54 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-07-10 15:54 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-07-10 15:54 . 2010-07-10 15:54 -------- d-----w- c:\program files\Trojan Remover
2010-07-10 15:54 . 2010-07-10 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-07-10 15:54 . 2010-07-10 15:54 -------- d-----w- c:\documents and settings\Joe\Application Data\Simply Super Software
2010-07-10 13:25 . 2010-07-10 13:25 388096 ----a-r- c:\documents and settings\Joe\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-10 11:55 . 2010-07-10 11:55 -------- d-----w- c:\program files\Trend Micro
2010-07-10 10:43 . 2010-07-10 10:43 -------- d-----w- c:\windows\system32\NtmsData
2010-07-07 18:11 . 2010-07-13 22:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 17:30 . 2010-07-10 00:42 120 ----a-w- c:\windows\Rparikereva.dat
2010-07-07 17:30 . 2010-07-10 00:42 0 ----a-w- c:\windows\Ikogitesu.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 01:53 . 2009-09-07 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-10 12:57 . 2009-08-08 00:06 -------- d-----w- c:\program files\CCleaner
2010-05-04 17:20 . 2009-04-06 19:48 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-04-06 19:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2009-04-06 19:46 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2009-04-06 19:48 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2009-04-06 19:46 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-08-07 19:52 . 2009-08-07 19:52 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-08-07 19:52 . 2009-08-07 19:52 4 --sh--r- c:\windows\system32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-06 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"ACU"="c:\program files\Atheros\ACU.exe" [2009-03-06 479320]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-20 83336]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2009-04-03 73728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-13 17531392]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2009-03-18 827392]
"TDispVol"="TDispVol.exe" [2009-04-02 210232]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 24576]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"TAccessibility"="c:\program files\TOSHIBA\Accessibility\TAccessibility.exe" [2009-02-25 110592]
"TPSMain"="TPSMain.exe" [2009-03-17 283960]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"TUSBSleepChargeSrv"="c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-03-16 252288]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKLM\~\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^syscron.exe]
path=c:\documents and settings\Joe\Start Menu\Programs\Startup\syscron.exe
backup=c:\windows\pss\syscron.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2009-03-26 17:09 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-06-29 16:18 77824 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-06 19:43 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-26 00:27 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [8/21/2008 1:35 PM 28536]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [9/4/2007 1:14 PM 6528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/6/2009 8:58 PM 135336]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [7/9/2009 12:21 AM 48176]
S2 gupdate1cacc7aeb4eec98;Google Update Service (gupdate1cacc7aeb4eec98);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2010 8:26 PM 133104]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/6/2009 3:08 PM 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 00:25]

2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 00:25]

2010-07-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-07-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Ajogomorabule - c:\windows\Wudmnpcl.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 16:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-07-14 16:53:24
ComboFix-quarantined-files.txt 2010-07-14 20:53

Pre-Run: 140,070,723,584 bytes free
Post-Run: 140,189,810,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F6D62F07A2A1EDF7E4B88CA67AF8BDBA


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:25 AM

Posted 15 July 2010 - 08:31 AM

Hi,

That's looking better, can you let me know how the computer is running now and if you are having any more problems.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Collect::
c:\documents and settings\Joe\Start Menu\Programs\Startup\syscron.exe
c:\windows\pss\syscron.exeStartup
C:\WINDOWS\Rparikereva.dat
C:\WINDOWS\Ikogitesu.bin
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv.exe"
[-HKLM\~\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^syscron.exe]
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    CODE
    :filefind
    appmgmts.dll
    hidserv.dll
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Then please post back here with the following logs:
  • Combofix.txt
  • SystemLook.txt

Thanks

unite.jpg


#11 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 15 July 2010 - 08:44 PM

Syler,
The google search results are no longer being re-directed - looks good - thanks

I followed instructions above, but ComboFIx hung up a the Find 3M screen Preparing log report - had to manully reboot - will try again.

#12 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 15 July 2010 - 09:06 PM

OK - no hang this time:

Combofix.txt

ComboFix 10-07-15.01 - Joe 07/15/2010 21:51:28.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1616 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Ikogitesu.bin
c:\windows\pss\syscron.exeStartup
c:\windows\Rparikereva.dat

.
((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-16 01:40 . 2010-07-16 01:40 -------- d-----w- c:\windows\LastGood
2010-07-16 00:51 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 22:20 . 2010-07-05 18:30 3687344 ----a-w- c:\documents and settings\Joe\Application Data\Simply Super Software\Trojan Remover\fnnD.exe
2010-07-10 16:26 . 2010-07-10 16:26 2 --shatr- c:\windows\winstart.bat
2010-07-10 16:25 . 2010-07-10 16:37 -------- d-----w- c:\program files\UnHackMe
2010-07-10 15:57 . 2010-07-10 15:57 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-07-10 15:57 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 15:57 . 2010-07-10 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 15:57 . 2010-07-10 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-10 15:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 15:54 . 2010-07-13 22:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-10 15:54 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-07-10 15:54 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-07-10 15:54 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-07-10 15:54 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-07-10 15:54 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-07-10 15:54 . 2010-07-10 15:54 -------- d-----w- c:\program files\Trojan Remover
2010-07-10 15:54 . 2010-07-10 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-07-10 15:54 . 2010-07-10 15:54 -------- d-----w- c:\documents and settings\Joe\Application Data\Simply Super Software
2010-07-10 13:25 . 2010-07-10 13:25 388096 ----a-r- c:\documents and settings\Joe\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-10 11:55 . 2010-07-10 11:55 -------- d-----w- c:\program files\Trend Micro
2010-07-10 10:43 . 2010-07-10 10:43 -------- d-----w- c:\windows\system32\NtmsData
2010-07-07 18:11 . 2010-07-13 22:54 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 21:03 . 2009-09-07 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-10 12:57 . 2009-08-08 00:06 -------- d-----w- c:\program files\CCleaner
2010-06-14 14:31 . 2009-04-06 18:10 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-04 17:20 . 2009-04-06 19:48 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-04-06 19:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2009-04-06 19:46 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2009-04-06 19:48 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2009-04-06 19:46 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-08-07 19:52 . 2009-08-07 19:52 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-08-07 19:52 . 2009-08-07 19:52 4 --sh--r- c:\windows\system32\drivers\taishop.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-14_20.51.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-16 01:36 . 2010-07-16 01:36 16384 c:\windows\Temp\Perflib_Perfdata_564.dat
+ 2009-08-11 22:08 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-06 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"ACU"="c:\program files\Atheros\ACU.exe" [2009-03-06 479320]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-20 83336]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2009-04-03 73728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-17 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-13 17531392]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2009-03-18 827392]
"TDispVol"="TDispVol.exe" [2009-04-02 210232]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 24576]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"TAccessibility"="c:\program files\TOSHIBA\Accessibility\TAccessibility.exe" [2009-02-25 110592]
"TPSMain"="TPSMain.exe" [2009-03-17 283960]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"TUSBSleepChargeSrv"="c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-03-16 252288]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2009-03-26 17:09 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-06-29 16:18 77824 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-06 19:43 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-26 00:27 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [8/21/2008 1:35 PM 28536]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [9/4/2007 1:14 PM 6528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/6/2009 8:58 PM 135336]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R3 cecnuvc;Chicony USB 2.0 Camera VD;c:\windows\system32\drivers\cec_uvc.sys [7/9/2009 12:21 AM 48176]
S2 gupdate1cacc7aeb4eec98;Google Update Service (gupdate1cacc7aeb4eec98);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2010 8:26 PM 133104]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/6/2009 3:08 PM 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 00:25]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 00:25]

2010-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-07-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-15 21:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1304)
c:\windows\system32\WININET.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2010-07-15 21:58:18
ComboFix-quarantined-files.txt 2010-07-16 01:58
ComboFix2.txt 2010-07-14 20:53

Pre-Run: 140,080,713,728 bytes free
Post-Run: 140,073,050,112 bytes free

- - End Of File - - 724166CDA2817FE907EEAE61FDCFE05E
Upload was successful



System Look file


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:01 on 15/07/2010 by Joe (Administrator - Elevation successful)

========== filefind ==========

Searching for "appmgmts.dll"
No files found.

Searching for "hidserv.dll"
No files found.

-=End Of File=-


#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:25 AM

Posted 17 July 2010 - 07:40 AM

Hi akorna,

You have a couple of system files missing, please follow the guide here for running SFC to replace the missing files.


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then please post back here with the following logs:
  • Bitdefender report
  • New OTL log

Thanks


unite.jpg


#14 akorna

akorna
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 17 July 2010 - 12:36 PM

syler,
Here is the ESET SCAN log

C:\Qoobox\Quarantine\[4]-Submit_2010-07-15_21.01.32.zip Win32/TrojanDownloader.Carberp.H trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\acpiec.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined
C:\System Volume Information\_restore{1E452A8B-FF85-46AC-BB2A-069DD62D4A2E}\RP2\A0000046.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{1E452A8B-FF85-46AC-BB2A-069DD62D4A2E}\RP2\A0000057.exe Win32/TrojanDownloader.Carberp.H trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{1E452A8B-FF85-46AC-BB2A-069DD62D4A2E}\RP6\A0000302.sys Win32/Olmarik.ZC trojan cleaned - quarantined


Here is the new OTS log

OTL logfile created on: 7/17/2010 1:29:23 PM - Run 2
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 141.55 Gb Total Space | 130.33 Gb Free Space | 92.08% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-NB205
Current User Name: Joe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/13 18:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
PRC - [2010/04/19 17:14:18 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 10:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/04/06 15:43:46 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/04/02 21:32:50 | 000,073,728 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
PRC - [2009/04/01 21:48:08 | 000,210,232 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TDispVol.exe
PRC - [2009/03/18 09:49:28 | 000,827,392 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
PRC - [2009/03/17 14:36:00 | 000,283,960 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2009/03/16 19:05:04 | 000,252,288 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
PRC - [2009/03/06 06:26:38 | 000,479,320 | ---- | M] (Atheros Communications, Inc.) -- C:\Program Files\Atheros\ACU.exe
PRC - [2009/03/06 06:26:06 | 000,495,700 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2008/10/11 02:17:50 | 000,132,456 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2008/08/22 13:26:38 | 000,523,320 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\ThpSrv.exe
PRC - [2008/07/01 18:03:06 | 000,038,200 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2008/05/21 17:07:00 | 000,111,984 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2007/04/13 21:16:16 | 000,311,296 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
PRC - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2006/06/28 07:46:30 | 000,622,592 | ---- | M] () -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2006/05/08 18:52:04 | 000,204,800 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
PRC - [2005/06/06 13:58:44 | 000,024,576 | ---- | M] (TOSHIBA) -- C:\WINDOWS\system32\ZoomingHook.exe
PRC - [2005/01/17 19:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/07/13 18:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
MOD - [2009/03/13 18:05:14 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\TDispVol.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/04/19 17:14:18 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/03/06 06:26:06 | 000,495,700 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2008/10/11 02:17:50 | 000,132,456 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2008/08/22 13:26:38 | 000,523,320 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\ThpSrv.exe -- (Thpsrv)
SRV - [2008/05/21 17:07:00 | 000,111,984 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2005/11/14 04:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/01/17 19:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\RtsUCcid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\Rts516xIR.sys -- (RtsUIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Joe\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/26 13:37:44 | 000,048,176 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cec_uvc.sys -- (cecnuvc)
DRV - [2009/03/26 13:09:20 | 000,017,960 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2009/03/12 20:25:12 | 005,051,904 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/03/12 18:09:54 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2009/02/13 21:00:02 | 001,503,840 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2009/02/11 20:11:50 | 000,329,752 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2009/01/30 20:13:20 | 000,058,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2009/01/22 19:25:26 | 000,120,064 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/08/21 13:35:24 | 000,028,536 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\thpdrv.sys -- (Thpdrv)
DRV - [2008/08/05 23:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/07/24 17:40:58 | 000,017,192 | ---- | M] (TOSHIBA ) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPwSav.sys -- (TPwSav)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 16:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/02/07 03:23:46 | 000,166,448 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/09/05 05:03:00 | 000,049,664 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2007/09/04 13:14:06 | 000,006,528 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Thpevm.SYS -- (Thpevm)
DRV - [2007/03/26 15:22:18 | 000,105,856 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tdudf.sys -- (tdudf)
DRV - [2007/02/22 18:10:30 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/02/19 15:15:32 | 000,134,016 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\trudf.sys -- (trudf)
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/01/04 18:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2003/01/29 17:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?br...B&bmod=TSHB


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/25 20:28:59 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/07/15 21:06:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe ()
O4 - HKLM..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe (COMPAL ELECTRONIC INC.)
O4 - HKLM..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe ()
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe (TOSHIBA CO.,LTD.)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe ()
O4 - HKLM..\Run: [TAccessibility] C:\Program Files\TOSHIBA\Accessibility\TAccessibility.exe ()
O4 - HKLM..\Run: [TDispVol] C:\WINDOWS\System32\TDispVol.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ThpSrv] C:\WINDOWS\System32\thpsrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe (COMPAL ELECTRONIC INC.)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TUSBSleepChargeSrv] C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe (TOSHIBA)
O4 - HKLM..\Run: [ZoomingHook] C:\WINDOWS\System32\ZoomingHook.exe (TOSHIBA)
O4 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-137079000-3616098868-2174954600-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/06 14:11:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/17 12:45:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/07/17 12:39:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/17 12:39:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/17 12:39:17 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/17 12:39:17 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/17 12:39:17 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/17 12:39:17 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/17 12:39:17 | 000,073,728 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/17 12:38:58 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/07/17 12:32:19 | 016,066,336 | ---- | C] (Oracle) -- C:\Documents and Settings\Joe\Desktop\jre-6u21-windows-i586.exe
[2010/07/17 07:45:18 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Joe\Recent
[2010/07/15 22:08:09 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/15 20:51:03 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/14 16:39:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/14 16:29:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/14 16:29:33 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/14 16:29:33 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/14 16:29:33 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/14 16:29:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/14 16:27:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/13 18:42:23 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
[2010/07/10 12:25:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\My Documents\RegRun2
[2010/07/10 12:25:15 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/07/10 11:57:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Malwarebytes
[2010/07/10 11:57:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/10 11:57:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/10 11:57:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/10 11:57:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/10 11:54:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/10 11:54:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\My Documents\Simply Super Software
[2010/07/10 11:54:11 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2010/07/10 11:54:06 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2010/07/10 11:54:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Simply Super Software
[2010/07/10 11:54:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2010/07/10 07:55:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/10 06:43:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/07/10 06:42:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/07 13:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/07 13:41:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/17 12:41:14 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/17 12:39:02 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/17 12:39:02 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/17 12:39:02 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/17 12:39:02 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/17 12:39:02 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/17 12:38:28 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/17 12:37:11 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/17 12:37:11 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
[2010/07/17 12:37:09 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/17 12:37:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/17 12:36:57 | 2137,444,352 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/17 12:36:28 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Joe\NTUSER.DAT
[2010/07/17 12:36:28 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Joe\ntuser.ini
[2010/07/17 12:36:19 | 005,362,070 | -H-- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\IconCache.db
[2010/07/17 12:32:19 | 016,066,336 | ---- | M] (Oracle) -- C:\Documents and Settings\Joe\Desktop\jre-6u21-windows-i586.exe
[2010/07/15 21:56:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/15 21:06:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/15 20:59:42 | 003,740,179 | R--- | M] () -- C:\Documents and Settings\Joe\Desktop\ComboFix.exe
[2010/07/15 20:56:53 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\SystemLook.exe
[2010/07/14 16:39:42 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/13 22:32:44 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\HiJackThis.lnk
[2010/07/13 18:54:41 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/13 18:53:42 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\mbr.exe
[2010/07/13 18:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
[2010/07/13 18:35:46 | 000,000,758 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\AOL email.url
[2010/07/10 12:26:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/10 12:26:13 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/07/10 12:26:13 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/07/10 11:57:08 | 000,000,708 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/10 11:54:15 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trojan Remover.lnk
[2010/07/10 08:57:26 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\CCleaner.lnk
[2010/07/10 08:36:35 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
[2010/07/09 22:55:07 | 000,000,091 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/07/03 11:25:58 | 000,001,741 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/06/27 20:09:37 | 001,517,901 | ---- | M] () -- C:\Documents and Settings\Joe\My Documents\Ferrari_308_GTB_GTS_Buyer_s_Guide.pdf
[2010/06/23 22:21:07 | 000,491,328 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/23 22:21:07 | 000,434,266 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/23 22:21:07 | 000,068,386 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/15 20:56:52 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\SystemLook.exe
[2010/07/14 16:39:41 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/14 16:39:35 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/14 16:29:33 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/14 16:29:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/14 16:29:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/14 16:29:33 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/14 16:29:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/14 16:25:09 | 003,740,179 | R--- | C] () -- C:\Documents and Settings\Joe\Desktop\ComboFix.exe
[2010/07/13 18:53:41 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\mbr.exe
[2010/07/10 12:26:13 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2010/07/10 11:57:08 | 000,000,708 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/10 11:54:15 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Trojan Remover.lnk
[2010/07/10 11:54:11 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/07/10 11:54:11 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/07/10 11:54:11 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/07/10 11:54:11 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/07/10 07:55:22 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\HiJackThis.lnk
[2010/07/09 22:55:07 | 000,000,091 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/07/07 14:11:47 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/27 20:09:36 | 001,517,901 | ---- | C] () -- C:\Documents and Settings\Joe\My Documents\Ferrari_308_GTB_GTS_Buyer_s_Guide.pdf
[2009/08/08 13:02:11 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/08/08 13:02:11 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/08/08 13:01:38 | 000,000,227 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/08/08 13:01:38 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/08/08 13:00:55 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/08/08 12:48:46 | 000,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2009/08/07 19:22:40 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/07 15:52:46 | 000,000,013 | RHS- | C] () -- C:\WINDOWS\System32\drivers\fbd.sys
[2009/08/07 15:52:39 | 000,000,004 | RHS- | C] () -- C:\WINDOWS\System32\drivers\taishop.sys
[2009/07/09 00:28:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/07/09 00:20:57 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2009/04/06 15:54:02 | 000,000,348 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/04/06 15:33:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2009/04/06 15:23:37 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\EBLib.DLL
[2009/04/06 15:03:17 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/04/06 14:09:03 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/04/02 14:54:38 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll
[2009/04/02 13:35:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\EKECioCtl.dll
[2009/03/31 14:13:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\HWS_Ctrl.dll
[2009/03/13 18:05:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TDispVol.dll
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >
[2010/07/17 13:30:29 | 000,020,480 | -H-- | M] () -- C:\Documents and Settings\Joe\NTUSER.DAT.LOG
[2010/07/17 13:30:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe\Desktop
[2010/07/17 13:28:00 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Joe\Cookies
[2010/07/17 13:27:08 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\Joe\Recent
[2010/07/17 12:45:43 | 000,000,000 | ---D | M] -- C:\Program Files\ESET
[2010/07/17 12:41:14 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/17 12:39:37 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2010/07/17 12:39:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/17 12:39:36 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files\Java
[2010/07/17 12:39:36 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2010/07/17 12:38:58 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/07/17 12:38:28 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/17 12:37:11 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/17 12:37:11 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
[2010/07/17 12:37:09 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/17 12:37:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/17 12:36:28 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Joe\NTUSER.DAT
[2010/07/17 12:36:28 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Joe\ntuser.ini
[2010/07/17 12:36:19 | 005,362,070 | -H-- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\IconCache.db
[2010/07/17 12:32:19 | 016,066,336 | ---- | M] (Oracle) -- C:\Documents and Settings\Joe\Desktop\jre-6u21-windows-i586.exe
[2010/07/15 22:34:15 | 000,000,000 | ---D | M] -- C:\Program Files\TOSHIBA
[2010/07/15 21:58:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Joe\Local Settings
[2010/07/15 21:56:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/15 21:51:19 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\Joe\Application Data
[2010/07/15 21:46:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe\Local Settings\Application Data\Google
[2010/07/15 21:41:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe\Local Settings\Application Data\Temp
[2010/07/15 20:59:42 | 003,740,179 | R--- | M] () -- C:\Documents and Settings\Joe\Desktop\ComboFix.exe
[2010/07/15 20:56:53 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\SystemLook.exe
[2010/07/14 17:03:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/07/13 22:32:44 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\HiJackThis.lnk
[2010/07/13 21:53:28 | 000,001,024 | -H-- | M] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2010/07/13 18:53:42 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\mbr.exe
[2010/07/13 18:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
[2010/07/13 18:35:46 | 000,000,758 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\AOL email.url
[2010/07/13 18:22:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/10 12:37:38 | 000,000,000 | ---D | M] -- C:\Program Files\UnHackMe
[2010/07/10 12:26:13 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/07/10 12:25:23 | 000,000,000 | R--D | M] -- C:\Documents and Settings\Joe\My Documents
[2010/07/10 12:25:21 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Documents
[2010/07/10 11:57:50 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/10 11:57:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe\Application Data\Malwarebytes
[2010/07/10 11:57:08 | 000,000,708 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/10 11:57:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Desktop
[2010/07/10 11:57:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/10 11:54:16 | 000,000,000 | ---D | M] -- C:\Program Files\Trojan Remover
[2010/07/10 11:54:15 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trojan Remover.lnk
[2010/07/10 11:54:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2010/07/10 11:54:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe\Application Data\Simply Super Software
[2010/07/10 09:25:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Joe\Application Data\Microsoft
[2010/07/10 08:57:26 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\CCleaner.lnk
[2010/07/10 08:57:23 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/07/10 08:36:35 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
[2010/07/10 07:55:22 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2010/07/10 06:37:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/07/09 22:55:07 | 000,000,091 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/07/07 13:41:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/07 13:41:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/07 13:28:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Joe\Templates
[2010/07/06 17:17:13 | 000,000,000 | R--D | M] -- C:\Documents and Settings\Joe\Favorites
[2010/07/03 11:25:58 | 000,001,741 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/06/27 20:09:37 | 001,517,901 | ---- | M] () -- C:\Documents and Settings\Joe\My Documents\Ferrari_308_GTB_GTS_Buyer_s_Guide.pdf
[2010/06/23 22:21:07 | 000,491,328 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/23 22:21:07 | 000,434,266 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/23 22:21:07 | 000,068,386 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files - Modified Within 30 Days ==========

[2010/07/17 12:41:14 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/17 12:39:02 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/17 12:39:02 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/17 12:39:02 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/17 12:39:02 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/17 12:39:02 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/17 12:38:28 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/17 12:37:11 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/17 12:37:11 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
[2010/07/17 12:37:09 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/17 12:37:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/17 12:36:57 | 2137,444,352 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/17 12:36:28 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Joe\NTUSER.DAT
[2010/07/17 12:36:28 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Joe\ntuser.ini
[2010/07/17 12:36:19 | 005,362,070 | -H-- | M] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\IconCache.db
[2010/07/17 12:32:19 | 016,066,336 | ---- | M] (Oracle) -- C:\Documents and Settings\Joe\Desktop\jre-6u21-windows-i586.exe
[2010/07/15 21:56:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/15 21:06:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/15 20:59:42 | 003,740,179 | R--- | M] () -- C:\Documents and Settings\Joe\Desktop\ComboFix.exe
[2010/07/15 20:56:53 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\SystemLook.exe
[2010/07/14 16:39:42 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/13 22:32:44 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\HiJackThis.lnk
[2010/07/13 18:54:41 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/13 18:53:42 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\mbr.exe
[2010/07/13 18:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.exe
[2010/07/13 18:35:46 | 000,000,758 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\AOL email.url
[2010/07/10 12:26:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/10 12:26:13 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/07/10 12:26:13 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/07/10 11:57:08 | 000,000,708 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/10 11:54:15 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trojan Remover.lnk
[2010/07/10 08:57:26 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\CCleaner.lnk
[2010/07/10 08:36:35 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-137079000-3616098868-2174954600-1005.job
[2010/07/09 22:55:07 | 000,000,091 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/07/03 11:25:58 | 000,001,741 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/06/27 20:09:37 | 001,517,901 | ---- | M] () -- C:\Documents and Settings\Joe\My Documents\Ferrari_308_GTB_GTS_Buyer_s_Guide.pdf
[2010/06/23 22:21:07 | 000,491,328 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/23 22:21:07 | 000,434,266 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/23 22:21:07 | 000,068,386 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9

< End of report >


#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:25 AM

Posted 17 July 2010 - 02:05 PM

akorna,

Everything looks ok there, except you still have some system files missing, did you run sfc /scannow?

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users