Win32.tdss.tdl4 - BSOD after removal from MBR?


This topic is locked. 11 replies to this topic.

#1 netmonk (Members, 7 posts)

Posted 23 September 2010 - 10:32 PM

Hi,

I recently used Kaspersky's TDSS tool to remove the rootkit Win32.tdss.tdl4 from a computer's MBR (/hd0/mbr). However, upon reboot, the computer now gets a BSOD and boot-loops. The strange thing is, the computer starts to load Windows (I can see the Windows Vista logo), but then has a 1-inch BSOD at the bottom of the screen, the Windows startup sound locks up, and then it reboots. It sounds more like a driver problem than an MBR problem, but I have no idea.

I can boot into safe mode, so if there's a program I can use to track down what's going on, please let me know!

Thanks in advance,
JR


#2 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,092 posts, Romania)

Posted 26 September 2010 - 01:11 AM

Hello, do you have your Vista DVD? If so, you can perform a Startup Repair.

If not, tap F8 while booting and see if you have the option to enter the Recovery Environment and do a startup repair.

Do you remember if TDSSKiller, besides TDL4, also detected something else (a locked file/service that had only the delete option)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 netmonk (Topic Starter)

Posted 28 September 2010 - 12:33 PM

Thanks for the reply.

I've already tried the boot repair option, as well as a system restore, and the following commands:

bootrec.exe /fixmbr
bootrec.exe /fixboot

None of the above worked. Although the scanner said the infected file was in the MBR, I don't think that's the problem (an MBR problem). As I stated, I can boot into safe mode, and Windows TRIES to load normally -- it BSODs about midway through while showing the Windows logo. The BSOD screen only loads about 1 inch along the bottom of the screen, and the Windows boot sound locks up. I managed to get the stop code using BlueScreenView, which is a Stop 0x7E code with the message: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

And since it boots into safe mode, it makes me think it's a driver issue. I've already tried uninstalling the video, network and sound from within safe mode and tried to boot into normal mode without any luck.

Anyone have an idea?
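Since bootrec /fixmbr rewrites only the boot code and, per Microsoft's documentation for the tool, does not touch the partition table, a useful check after cleaning a boot-sector rootkit is to compare sector 0 against a trusted copy region by region. The following Python is an added example, not something from this thread or from TDSSKiller: it diffs the 440 bytes of boot code against a reference, reads the disk signature and partition table, checks the table for more than one active entry or overlapping partitions, and, when the disk size is supplied, reports how much unpartitioned space sits after the last partition, where the TDL family has been reported to keep its hidden file system. Both 512-byte images in the block are constructed test data, and the reference boot code is a filler pattern standing in for a real saved copy.

```python
"""Check an MBR (sector 0) after a boot-sector rootkit cleanup.

bootrec /fixmbr rewrites the boot code at the start of the sector and
leaves the disk signature and partition table alone, so the two are
checked separately: the code region is diffed byte for byte against a
trusted copy, and the partition table gets basic sanity checks.
Added example for this thread; the 512-byte images at the bottom are
constructed test data, not dumps from the poster's disk.
"""
import struct

SECTOR = 512
CODE_LEN = 440            # boot code occupies bytes 0..439
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"    # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partitions(mbr: bytes) -> list:
    """Return the four primary partition entries as dicts (type 0 = unused)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def check_mbr(suspect: bytes, reference: bytes, disk_sectors: int = None) -> dict:
    """Diff the boot code against `reference` and sanity-check the table.

    `reference` is a trusted copy of sector 0 (saved before the infection or
    taken from an identical clean install).  `disk_sectors`, if known, lets
    the check report the unpartitioned space after the last partition.
    """
    if len(suspect) != SECTOR or len(reference) != SECTOR:
        raise ValueError("MBR images must be exactly 512 bytes")
    used = [p for p in parse_partitions(suspect) if p["type"] != 0]
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    overlap = any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:]))
    active = sum(p["bootable"] for p in used)
    result = {
        "boot_sig_ok": suspect[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", suspect, DISK_SIG_OFF)[0],
        "changed_offsets": [i for i in range(CODE_LEN) if suspect[i] != reference[i]],
        "partitions": used,
        "active_count": active,
        "table_ok": active <= 1 and not overlap,
        "tail_sectors": None if disk_sectors is None or not spans
                        else disk_sectors - max(e for _, e in spans),
    }
    result["clean"] = (result["boot_sig_ok"] and result["table_ok"]
                       and not result["changed_offsets"])
    return result


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a 512-byte MBR image; used here only to construct test data."""
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, img, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, ptype, lba, count)
    img[510:512] = BOOT_SIG
    return bytes(img)


# Constructed stand-in for trusted boot code: 440 bytes of a recognisable pattern.
REFERENCE_CODE = bytes(range(256)) + bytes(range(184))
PARTS = [(True, 0x07, 2048, 1_000_000), (False, 0x07, 1_002_048, 500_000)]
REFERENCE = build_mbr(REFERENCE_CODE, 0x1234ABCD, PARTS)
# "Infected" image (constructed): the first 16 bytes of boot code replaced,
# partition table untouched, as a boot-code patch would leave it.
SUSPECT = build_mbr(b"\xeb\xfe" + b"\x90" * 14 + REFERENCE_CODE[16:], 0x1234ABCD, PARTS)

if __name__ == "__main__":
    r = check_mbr(SUSPECT, REFERENCE, disk_sectors=1_600_000)
    print("clean:", r["clean"], "changed code offsets:", r["changed_offsets"][:8], "...")
    print("table ok:", r["table_ok"], "unpartitioned tail sectors:", r["tail_sectors"])
```

On a live system the suspect image is the first 512 bytes of \\.\PhysicalDrive0 (Windows, opened in binary mode from an elevated prompt) or /dev/sda from Linux rescue media; the reference should come from a copy saved before the infection or from an identical clean install, since the disk signature and table legitimately differ between machines and only the code region is compared.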

#4 Elise

Posted 28 September 2010 - 02:38 PM

Sorry, I overlooked the fact you can boot in safe mode.

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

regards, Elise



#5 netmonk (Topic Starter)

Posted 29 September 2010 - 09:11 AM

Hi,

When I try to run rkunhooker, it will not run and I get the following error message:

Error loading driver, NTSTATUS code: 0xC000035F

Any ideas?

Thanks.

#6 Elise

Posted 29 September 2010 - 09:42 AM

This is very interesting. Do you run a 64-bit version of Windows?

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise



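OTL's SRV and DRV lines carry the file timestamp, size, attributes, the vendor string from the file's version resource, start type, running state, path and service name, which is the same set of facts a malware analyst scans by eye. As an added example (not part of the original thread, nor OTL's own code), here is a small Python parser that pulls those fields out and flags the entries worth a first look: registrations whose file no longer exists (what a cleanup tool leaves behind after deleting a rootkit's driver, and the kind of locked entry asked about in reply #2), files with no company name in their version info, and drivers or services loading from user-writable paths. The sample lines are copied from the log posted in reply #7. The three heuristics are this example's own choices, and an empty vendor string is only a hint, since some legitimate OEM tools ship without version information.

```python
"""Triage the SRV/DRV sections of an OTL log.

Added example for this thread (not OTL's code).  Each entry is parsed into
its fields and given a list of reasons for a closer look; entries with no
reasons are dropped.  The sample log lines are copied from the log posted
in this thread.
"""
import re
from typing import Dict, List

# One OTL service/driver line.  The vendor is matched non-greedily up to
# ") [" so names with nested parentheses such as "(... (PCAUSA))" survive.
OTL_ENTRY = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)"
    r"|\[(?P<mtime>[^|\]]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|\]]+?) \| [A-Z]\]"
    r" \((?P<vendor>.*?)\))"
    r" \[(?P<flags>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)"
)

# Path fragments a kernel driver or auto-start service has no business in.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\", "\\programdata\\",
                 "\\documents and settings\\")


def parse_otl(text: str) -> List[Dict]:
    """Return one dict per SRV/DRV line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        flags = [f.strip() for f in m.group("flags").split("|")]   # DRV: mode|start|state, SRV: start|state
        missing = m.group("missing") is not None
        entries.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "path": m.group("path"),
            "missing": missing,
            "vendor": None if missing else m.group("vendor").strip(),
            "size": None if missing else int(m.group("size").replace(",", "")),
            "mtime": None if missing else m.group("mtime"),
            "start": flags[-2],
            "state": flags[-1],
        })
    return entries


def reasons_for(entry: Dict) -> List[str]:
    """Heuristics chosen for this example; each hit is a reason, not a verdict."""
    reasons = []
    if entry["missing"]:
        reasons.append("registration points at a file that no longer exists")
    elif entry["vendor"] == "":
        reasons.append("no company name in the file's version info")
    path = entry["path"].lower()
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("loads from a user-writable location")
    return reasons


def triage(text: str) -> List[Dict]:
    """Parse the log and return flagged entries, most reasons first."""
    flagged = []
    for entry in parse_otl(text):
        reasons = reasons_for(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    flagged.sort(key=lambda e: (-len(e["reasons"]), e["name"].lower()))
    return flagged


# Sample lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========
SRV - File not found [Auto | Stopped] -- C:\Windows\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2010/06/19 09:21:39 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-051210-111108)
SRV - [2008/04/01 04:06:00 | 000,157,040 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\fdbpinger.exe -- (fbdpinger)
SRV - [2008/03/04 18:42:40 | 000,595,184 | ---- | M] ( ) [Auto | Stopped] -- C:\Windows\System32\dldncoms.exe -- (dldn_device)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\owner\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010/01/25 16:50:24 | 000,024,064 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2008/08/22 10:05:42 | 000,026,760 | R--- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/04/11 00:25:30 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2007/11/16 21:34:21 | 000,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/04/09 21:00:04 | 002,095,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['kind']} {e['name']:<14} {e['path']}")
        for r in e["reasons"]:
            print("    -", r)
```

Run against a full log, the output is a short list to check by hand rather than a verdict: an orphaned entry is usually just deleted, an unsigned file in a system directory is checked against the vendor's installer, and a driver that loads from a profile directory is examined before anything else.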
#7 netmonk (Topic Starter)

Posted 29 September 2010 - 12:29 PM

Here is a copy of the logs, as requested:

OTL logfile created on: 9/29/2010 1:16:41 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = F:\Spyware Cleanup\Rootkit Cleanup
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 151.16 Gb Free Space | 81.78% Space Free | Partition Type: NTFS
Drive D: | 1.46 Gb Total Space | 1.32 Gb Free Space | 90.14% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 3.74 Gb Total Space | 1.25 Gb Free Space | 33.41% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/29 13:00:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\Spyware Cleanup\Rootkit Cleanup\OTL.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/09/29 13:00:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\Spyware Cleanup\Rootkit Cleanup\OTL.exe
MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/20 22:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Windows\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - File not found [Auto | Stopped] -- C:\Windows\System32\FastUv32.dll -- (FastUserSwitchingCompatibility)
SRV - [2010/06/19 09:21:39 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-051210-111108)
SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2010/04/28 14:21:30 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe -- (Sony SCSI Helper Service)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/01/25 16:57:54 | 000,121,416 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe -- (ATTRcAppSvc)
SRV - [2010/01/25 16:56:10 | 000,125,512 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe -- (CAATT)
SRV - [2008/04/24 21:35:46 | 000,073,728 | ---- | M] (Toshiba) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe -- (SmartFaceVWatchSrv)
SRV - [2008/04/17 03:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2008/04/16 18:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2008/04/11 03:51:58 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/04/01 04:06:00 | 000,157,040 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\fdbpinger.exe -- (fbdpinger)
SRV - [2008/03/04 18:42:40 | 000,595,184 | ---- | M] ( ) [Auto | Stopped] -- C:\Windows\System32\dldncoms.exe -- (dldn_device)
SRV - [2008/02/06 16:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2008/01/29 13:09:58 | 000,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/24 15:27:24 | 000,312,328 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\firedog advisor\firedogAdvisorSrvHost.exe -- (firedogAdvisorSrvHost)
SRV - [2007/12/03 20:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () [On_Demand | Stopped] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [On_Demand | Stopped] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) [On_Demand | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2005/11/14 04:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vsdatant.win7.sys -- (vsdatant7)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\System32\drivers\vsdatant.sys -- (vsdatant)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\RimUsb.sys -- (RimUsb)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- (MRESP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- (MREMP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\SYSPREP\Drivers\ioport.sys -- (IO_Memory)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\owner\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/01/25 16:50:24 | 000,024,064 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2010/01/25 16:49:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2009/07/16 08:53:18 | 000,107,776 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhs51.sys -- (GTUHSNDISIPXP)
DRV - [2009/07/16 08:51:50 | 000,067,840 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhsbus.sys -- (GTUHSBUS)
DRV - [2009/07/16 08:49:56 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhsser.sys -- (GTUHSSER)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/08/22 10:05:42 | 000,026,760 | R--- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/04/28 19:59:18 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2008/04/23 03:36:32 | 003,551,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/04/18 03:54:16 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/15 13:05:08 | 000,118,784 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/04/11 00:25:30 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008/04/09 21:00:04 | 002,095,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/02 20:26:08 | 000,062,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2008/01/20 22:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 22:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 22:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 22:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 22:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 22:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 22:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 22:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 22:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 22:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 22:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 22:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 22:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 22:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 22:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 22:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 22:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 22:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 22:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 22:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 22:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/18 12:22:00 | 000,009,216 | ---- | M] (Inventec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\PEDRV.SYS -- (SVRPEDRV)
DRV - [2007/12/17 14:45:20 | 000,018,432 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/12/14 14:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/12/06 21:12:48 | 000,196,400 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/11/28 17:28:04 | 000,006,656 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\faproct.sys -- (faproct)
DRV - [2007/11/16 21:34:21 | 000,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2007/11/16 21:34:21 | 000,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/11/09 17:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/09/23 16:42:24 | 000,007,168 | --S- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\faunidrv.sys -- (faunidrv)
DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 17:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 02:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/10/30 14:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80210
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.7.0.231
FF - prefs.js..extensions.enabledItems: {73E417CC-EFEE-473E-BC70-5D85C93594EF}:1.9.1
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=BCPA&o=16145&locale=en_US&apn_uid=B3935638-188F-4B7F-9959-A0377AD72EAA&apn_ptnrs=QK&apn_sauid=8B2CBF5E-EDF3-4C6E-A2C4-BEAC04A88C6C&apn_dtid=&q="


FF - HKLM\software\mozilla\Firefox\Extensions\\{73E417CC-EFEE-473E-BC70-5D85C93594EF}: C:\Windows\system32\config\systemprofile\AppData\Local\{73E417CC-EFEE-473E-BC70-5D85C93594EF}\ [2010/09/11 10:44:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/19 20:06:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/24 00:52:57 | 000,000,000 | ---D | M]

[2009/04/22 16:33:26 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Mozilla\Extensions
[2010/09/22 13:51:01 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\l6xvcs4h.default\extensions
[2010/09/08 18:35:03 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\l6xvcs4h.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}(678)
[2010/09/15 09:05:10 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\l6xvcs4h.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/06/08 19:05:11 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\l6xvcs4h.default\extensions\toolbar@ask.com
[2010/09/21 11:19:55 | 000,002,556 | ---- | M] () -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\l6xvcs4h.default\searchplugins\askcom.xml
[2009/04/22 16:33:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2008/09/17 17:04:07 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [cfFncEnabler.exe] File not found
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\owner\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\owner\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/27 13:44:04 | 000,000,000 | ---D | C] -- C:\My Backups
[2010/09/22 14:22:32 | 000,000,000 | ---D | C] -- C:\ProgramData\ZA_PreservedFiles
[2010/09/22 14:04:23 | 000,000,000 | ---D | C] -- C:\Windows\Standalone System Sweeper
[2010/09/22 12:37:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/09/22 12:37:21 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/09/22 08:17:06 | 006,305,088 | ---- | C] (SurfRight B.V.) -- C:\Users\owner\Desktop\HitmanPro35.exe
[2010/09/22 08:17:04 | 001,293,400 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\owner\Desktop\kaspersky_rootkit_killer.exe
[2010/09/21 13:51:05 | 000,000,000 | ---D | C] -- C:\Windows\System32\ZoneLabs
[2010/09/21 13:51:04 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/09/21 13:50:30 | 000,000,000 | ---D | C] -- C:\Windows\Internet Logs
[2010/09/21 13:50:30 | 000,000,000 | ---D | C] -- C:\ProgramData\CheckPoint
[2010/09/21 13:09:06 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/09/21 13:09:06 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/09/21 13:09:06 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/09/21 13:08:51 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/09/21 12:20:03 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/09/21 12:17:22 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/09/21 12:17:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/21 12:16:48 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.0.tmp
[2010/09/21 11:16:30 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\IObit
[2010/09/21 08:54:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/09/21 08:54:27 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/09/21 08:54:27 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/16 13:27:37 | 000,000,000 | ---D | C] -- C:\Windows\System32\catroot2
[2010/09/15 14:35:05 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2010/09/15 14:35:05 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2010/09/15 14:35:02 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2010/09/15 13:40:53 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/09/14 17:27:23 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2010/09/14 17:27:19 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/09/14 09:28:17 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Avira
[2010/09/14 09:28:01 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/09/13 16:42:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2010/09/13 16:03:59 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/09/13 16:03:59 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/09/13 16:03:59 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntdd.sys
[2010/09/13 16:03:59 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2010/09/13 16:03:59 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntmgr.sys
[2010/09/13 16:03:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/09/13 16:03:58 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/09/13 15:44:55 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/09/13 12:33:20 | 000,000,000 | ---D | C] -- C:\Program Files\Retina-X Spyware Cleaner
[2010/09/13 12:26:58 | 000,000,000 | ---D | C] -- C:\Users\owner\Documents\Simply Super Software
[2010/09/13 09:27:12 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Malwarebytes
[2010/09/13 09:27:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/09/13 09:05:23 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2008/09/17 22:15:55 | 000,438,272 | ---- | C] ( ) -- C:\Windows\System32\DLDNhcp.dll
[2008/09/17 22:15:55 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\dldninpa.dll
[2008/09/17 22:15:55 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\dldniesc.dll
[2008/09/17 22:15:54 | 001,105,920 | ---- | C] ( ) -- C:\Windows\System32\dldnserv.dll
[2008/09/17 22:15:54 | 000,843,776 | ---- | C] ( ) -- C:\Windows\System32\dldnusb1.dll
[2008/09/17 22:15:54 | 000,647,168 | ---- | C] ( ) -- C:\Windows\System32\dldnpmui.dll
[2008/09/17 22:15:54 | 000,569,344 | ---- | C] ( ) -- C:\Windows\System32\dldnlmpm.dll
[2008/09/17 22:15:54 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\dldnprox.dll
[2008/09/17 22:15:53 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\dldnhbn3.dll
[2008/09/17 22:15:52 | 000,376,832 | ---- | C] ( ) -- C:\Windows\System32\dldncomm.dll
[2008/09/17 22:15:51 | 000,851,968 | ---- | C] ( ) -- C:\Windows\System32\dldncomc.dll
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/29 13:16:40 | 004,718,592 | -HS- | M] () -- C:\Users\owner\ntuser.dat
[2010/09/29 13:07:16 | 000,703,388 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/09/29 13:07:16 | 000,598,628 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/09/29 13:07:16 | 000,102,986 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/09/29 13:03:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/29 13:02:51 | 268,435,456 | -HS- | M] () -- C:\Windows\System32\temppf.sys
[2010/09/29 09:58:39 | 000,034,560 | ---- | M] () -- C:\Windows\System32\drivers\Normandy.sys
[2010/09/28 13:44:54 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/28 13:34:52 | 000,000,680 | ---- | M] () -- C:\Users\owner\AppData\Local\d3d9caps.dat
[2010/09/28 13:00:12 | 000,001,802 | ---- | M] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2010/09/28 13:00:12 | 000,000,290 | ---- | M] () -- C:\Windows\tasks\Hitman Pro 3.5 Boot Task.job
[2010/09/22 15:47:26 | 000,002,200 | ---- | M] () -- C:\backup.dat
[2010/09/22 15:37:10 | 000,028,672 | ---- | M] () -- C:\BCD_Backup
[2010/09/22 09:48:30 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/09/22 08:18:39 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/22 08:18:39 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/22 08:18:38 | 000,524,288 | -HS- | M] () -- C:\Users\owner\ntuser.dat{a49231b1-bcfd-11df-844e-001e334b3efc}.TMContainer00000000000000000001.regtrans-ms
[2010/09/22 08:18:38 | 000,065,536 | -HS- | M] () -- C:\Users\owner\ntuser.dat{a49231b1-bcfd-11df-844e-001e334b3efc}.TM.blf
[2010/09/22 08:13:42 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/21 22:31:56 | 006,305,088 | ---- | M] (SurfRight B.V.) -- C:\Users\owner\Desktop\HitmanPro35.exe
[2010/09/21 22:28:54 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\owner\Desktop\kaspersky_rootkit_killer.exe
[2010/09/21 15:36:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/21 13:24:33 | 268,266,255 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/09/21 11:16:30 | 000,000,894 | ---- | M] () -- C:\Users\Public\Desktop\IObit Security 360.lnk
[2010/09/21 11:04:57 | 000,000,392 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0ED870D8-D95B-470E-8BB7-569057E3189A}.job
[2010/09/21 08:54:32 | 000,000,847 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/20 09:39:14 | 000,001,984 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/09/15 14:41:21 | 000,312,752 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/09/15 13:34:05 | 000,000,954 | ---- | M] () -- C:\Users\owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/13 16:04:12 | 000,001,864 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/09/13 15:44:56 | 000,000,815 | ---- | M] () -- C:\Users\owner\Desktop\CCleaner.lnk
[2010/09/13 12:00:58 | 000,524,288 | -HS- | M] () -- C:\Users\owner\ntuser.dat{a49231b1-bcfd-11df-844e-001e334b3efc}.TMContainer00000000000000000002.regtrans-ms
[2010/09/08 13:07:49 | 000,524,288 | -HS- | M] () -- C:\Users\owner\ntuser.dat{40cba465-b1f4-11df-ab45-001e334b3efc}.TMContainer00000000000000000001.regtrans-ms
[2010/09/08 13:07:49 | 000,065,536 | -HS- | M] () -- C:\Users\owner\ntuser.dat{40cba465-b1f4-11df-ab45-001e334b3efc}.TM.blf
[2010/08/27 12:01:35 | 000,524,288 | -HS- | M] () -- C:\Users\owner\ntuser.dat{40cba465-b1f4-11df-ab45-001e334b3efc}.TMContainer00000000000000000002.regtrans-ms
[2010/08/15 14:28:10 | 000,524,288 | -HS- | M] () -- C:\Users\owner\ntuser.dat{f518c882-7f2a-11df-aa04-001e334b3efc}.TMContainer00000000000000000001.regtrans-ms
[2010/08/15 14:28:10 | 000,065,536 | -HS- | M] () -- C:\Users\owner\ntuser.dat{f518c882-7f2a-11df-aa04-001e334b3efc}.TM.blf
[2010/07/26 14:51:38 | 000,027,648 | ---- | M] () -- C:\Users\owner\Documents\Michael Jenkins.doc
[2010/07/26 14:51:14 | 000,012,351 | ---- | M] () -- C:\Users\owner\Documents\Michael Jenkins.docx
[2010/07/26 14:35:04 | 000,002,627 | ---- | M] () -- C:\Users\owner\Desktop\Microsoft Office Word 2007.lnk
[2010/07/19 16:42:14 | 000,000,217 | ---- | M] () -- C:\Users\owner\Desktop\launch.gx=1&.rand=42bncflv7qc6f.url
[2010/07/02 16:22:40 | 000,072,064 | ---- | M] () -- C:\Users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/29 08:45:48 | 000,034,560 | ---- | C] () -- C:\Windows\System32\drivers\Normandy.sys
[2010/09/22 15:47:24 | 000,002,200 | ---- | C] () -- C:\backup.dat
[2010/09/22 15:37:10 | 000,028,672 | ---- | C] () -- C:\BCD_Backup
[2010/09/22 13:03:15 | 000,000,680 | ---- | C] () -- C:\Users\owner\AppData\Local\d3d9caps.dat
[2010/09/22 12:37:22 | 000,001,802 | ---- | C] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2010/09/22 12:37:22 | 000,000,290 | ---- | C] () -- C:\Windows\tasks\Hitman Pro 3.5 Boot Task.job
[2010/09/22 08:19:19 | 268,435,456 | -HS- | C] () -- C:\Windows\System32\temppf.sys
[2010/09/21 13:09:06 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/09/21 13:09:06 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/09/21 13:09:06 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/09/21 13:09:06 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/09/21 13:09:06 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/09/21 11:16:30 | 000,000,894 | ---- | C] () -- C:\Users\Public\Desktop\IObit Security 360.lnk
[2010/09/21 08:54:32 | 000,000,847 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/17 21:12:48 | 268,266,255 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/09/15 13:34:09 | 000,000,392 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{0ED870D8-D95B-470E-8BB7-569057E3189A}.job
[2010/09/15 13:34:05 | 000,000,954 | ---- | C] () -- C:\Users\owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/15 13:27:50 | 000,057,667 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2010/09/13 16:04:12 | 000,001,864 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/09/13 15:44:56 | 000,000,815 | ---- | C] () -- C:\Users\owner\Desktop\CCleaner.lnk
[2010/09/10 13:08:09 | 000,524,288 | -HS- | C] () -- C:\Users\owner\ntuser.dat{a49231b1-bcfd-11df-844e-001e334b3efc}.TMContainer00000000000000000002.regtrans-ms
[2010/09/10 13:08:09 | 000,524,288 | -HS- | C] () -- C:\Users\owner\ntuser.dat{a49231b1-bcfd-11df-844e-001e334b3efc}.TMContainer00000000000000000001.regtrans-ms
[2010/09/10 13:08:09 | 000,065,536 | -HS- | C] () -- C:\Users\owner\ntuser.dat{a49231b1-bcfd-11df-844e-001e334b3efc}.TM.blf
[2010/09/09 13:22:55 | 000,001,024 | -H-- | C] () -- C:\Users\owner\ntuser.dat.LOG
[2010/08/27 12:01:35 | 000,524,288 | -HS- | C] () -- C:\Users\owner\ntuser.dat{40cba465-b1f4-11df-ab45-001e334b3efc}.TMContainer00000000000000000002.regtrans-ms
[2010/08/27 12:01:35 | 000,524,288 | -HS- | C] () -- C:\Users\owner\ntuser.dat{40cba465-b1f4-11df-ab45-001e334b3efc}.TMContainer00000000000000000001.regtrans-ms
[2010/08/27 12:01:35 | 000,065,536 | -HS- | C] () -- C:\Users\owner\ntuser.dat{40cba465-b1f4-11df-ab45-001e334b3efc}.TM.blf
[2010/07/26 14:51:37 | 000,027,648 | ---- | C] () -- C:\Users\owner\Documents\Michael Jenkins.doc
[2010/07/26 14:51:13 | 000,012,351 | ---- | C] () -- C:\Users\owner\Documents\Michael Jenkins.docx
[2010/07/19 16:31:38 | 000,000,217 | ---- | C] () -- C:\Users\owner\Desktop\launch.gx=1&.rand=42bncflv7qc6f.url
[2009/09/27 13:32:40 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/16 11:17:00 | 000,000,000 | ---- | C] () -- C:\Windows\iPlayer.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/04/23 14:17:48 | 000,000,181 | ---- | C] () -- C:\Windows\ob1.INI
[2009/04/22 16:34:43 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2009/04/22 16:34:43 | 000,153,088 | ---- | C] () -- C:\Windows\System32\unrar3.dll
[2009/04/22 16:34:43 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2009/04/22 16:34:43 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2008/11/17 16:32:20 | 000,000,108 | ---- | C] () -- C:\Users\owner\AppData\Roaming\wklnhst.dat
[2008/09/18 03:01:09 | 000,360,448 | ---- | C] () -- C:\Windows\System32\dldncoin.dll
[2008/09/17 22:16:08 | 000,102,400 | ---- | C] () -- C:\Windows\System32\dldnwupd.dll
[2008/09/17 22:15:55 | 000,348,160 | ---- | C] () -- C:\Windows\System32\DLDNinst.dll
[2008/09/17 22:15:54 | 000,520,192 | ---- | C] () -- C:\Windows\System32\dldnutil.dll
[2008/09/17 22:15:53 | 000,208,896 | ---- | C] () -- C:\Windows\System32\dldngrd.dll
[2008/09/17 22:15:53 | 000,176,128 | ---- | C] () -- C:\Windows\System32\dldninsb.dll
[2008/09/17 22:15:53 | 000,176,128 | ---- | C] () -- C:\Windows\System32\dldnins.dll
[2008/09/17 22:15:53 | 000,143,360 | ---- | C] () -- C:\Windows\System32\dldnjswr.dll
[2008/09/17 22:15:53 | 000,106,496 | ---- | C] () -- C:\Windows\System32\dldninsr.dll
[2008/09/17 22:15:52 | 000,086,016 | ---- | C] () -- C:\Windows\System32\dldncub.dll
[2008/09/17 22:15:52 | 000,077,824 | ---- | C] () -- C:\Windows\System32\dldncu.dll
[2008/09/17 22:15:52 | 000,036,864 | ---- | C] () -- C:\Windows\System32\dldncur.dll
[2008/09/17 22:15:51 | 000,077,906 | ---- | C] () -- C:\Windows\System32\DLDNcfg.dll
[2008/09/16 20:12:26 | 000,000,000 | ---- | C] () -- C:\ProgramData\UpdaterLog.txt
[2008/09/16 14:31:52 | 003,182,952 | ---- | C] () -- C:\ProgramData\dldn.log
[2008/08/22 10:05:42 | 000,026,760 | R--- | C] () -- C:\Windows\System32\drivers\swmsflt.sys
[2008/08/13 08:47:45 | 000,024,064 | ---- | C] () -- C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/04 11:45:00 | 000,005,115 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2008/07/30 14:41:37 | 000,000,013 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2008/07/30 14:41:35 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2008/07/10 21:25:20 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2008/07/10 21:25:20 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2008/07/10 21:25:20 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2008/07/10 21:25:20 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2008/05/05 14:41:42 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/04/24 21:43:50 | 000,057,344 | ---- | C] () -- C:\Windows\System32\SmartFaceVCapt.dll
[2008/04/24 21:42:44 | 000,479,232 | ---- | C] () -- C:\Windows\System32\SmartFaceVCP.dll
[2008/04/24 21:25:46 | 006,701,056 | ---- | C] () -- C:\Windows\System32\FaceHI.dll
[2008/04/24 21:25:46 | 000,995,328 | ---- | C] () -- C:\Windows\System32\FaceRec.dll
[2008/04/24 21:25:46 | 000,126,976 | ---- | C] () -- C:\Windows\System32\SmartFaceVCtrl.dll
[2008/04/24 21:23:58 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IppLib.dll
[2008/04/23 01:05:08 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/01/29 16:49:04 | 000,782,336 | ---- | C] () -- C:\Windows\System32\dldndrs.dll
[2008/01/23 08:08:21 | 000,081,920 | ---- | C] () -- C:\Windows\System32\dldncaps.dll
[2007/10/02 10:51:09 | 000,069,632 | ---- | C] () -- C:\Windows\System32\dldncnv4.dll
[2007/04/28 10:41:49 | 000,040,960 | ---- | C] () -- C:\Windows\System32\dldnvs.dll
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 12:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2010/05/14 15:31:53 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Bytemobile
[2010/08/08 09:39:39 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Hoyle
[2010/06/15 20:57:23 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Hoyle FaceCreator
[2010/07/21 15:25:45 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Hoyle Puzzle and Board Games
[2010/09/21 11:16:30 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\IObit
[2010/05/14 15:30:46 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Sierra Wireless
[2010/09/15 08:46:39 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Simply Super Software
[2008/08/31 17:45:03 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Smith Micro
[2008/11/17 16:33:16 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Template
[2008/11/15 23:30:17 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\TOSHIBA
[2008/12/27 23:10:29 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\WildTangent
[2010/09/28 13:00:12 | 000,000,290 | ---- | M] () -- C:\Windows\Tasks\Hitman Pro 3.5 Boot Task.job
[2010/06/23 20:54:17 | 000,000,266 | ---- | M] () -- C:\Windows\Tasks\Regwork.job
[2010/09/22 08:18:39 | 000,032,606 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/09/21 11:04:57 | 000,000,392 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{0ED870D8-D95B-470E-8BB7-569057E3189A}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:CB0AACC9
< End of report >


OTL Extras logfile created on: 9/29/2010 1:16:41 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = F:\Spyware Cleanup\Rootkit Cleanup
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 151.16 Gb Free Space | 81.78% Space Free | Partition Type: NTFS
Drive D: | 1.46 Gb Total Space | 1.32 Gb Free Space | 90.14% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 3.74 Gb Total Space | 1.25 Gb Free Space | 33.41% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- ()


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{160AABEA-ED31-4428-9022-FCB5F49B025F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{16519C5A-77C6-4599-B984-22D3D5CA9700}" = lport=138 | protocol=17 | dir=in | app=system |
"{1B542CE1-1798-4275-B3F0-17A418E54260}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1C65DAC3-29B5-4708-ADA0-47741B52E3F6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{1F0488EF-CF3E-458D-AEA7-8336107F46C4}" = rport=137 | protocol=17 | dir=out | app=system |
"{3016205A-F848-4928-85B1-568BD97BB5FC}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4016D224-2337-4CB8-A50A-E29D39E9CFF2}" = rport=445 | protocol=6 | dir=out | app=system |
"{54270F0B-F984-4F6A-B47C-2FF720CDF049}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{59EDB36C-14D6-4217-B1AE-49D8D1EE62B5}" = lport=139 | protocol=6 | dir=in | app=system |
"{5C896A64-2A8A-4FB6-98A5-3593CE66DCEA}" = rport=138 | protocol=17 | dir=out | app=system |
"{724C09B5-B5D2-470F-8E3D-38EE5C405415}" = lport=1 | protocol=6 | dir=in | name=dell v105 |
"{886FE2F9-D1EA-4D63-960C-6D01AAFB8A5D}" = rport=139 | protocol=6 | dir=out | app=system |
"{8E424642-53BC-4657-B2D5-00302E1EE51A}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{96537B9A-8287-43A6-BDC5-59EEB54A1C9D}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{A54AF58B-A7BB-40BC-B54B-818BAC3FD638}" = lport=1 | protocol=17 | dir=in | name=dell v105 |
"{A70DB922-0097-49EE-88D4-0F43731B6B18}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{C8C413C3-8680-4F74-8130-2C5185888491}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D59D5AA2-EC47-4728-99BF-B603ECFA621D}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DCF45D22-F8DE-4EBD-877B-BDEE7C06E401}" = lport=137 | protocol=17 | dir=in | app=system |
"{FF453F00-CC58-4DE5-A567-E93582F23571}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04F4B531-609B-4AAA-929C-54EFD7683EB2}" = protocol=17 | dir=in | app=c:\program files\dell v105\dldnamon.exe |
"{0B042B0C-2247-483C-9A83-8156728AE578}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{0F99941A-7E45-4E78-A984-B66D7B12D290}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\dldntime.exe |
"{14A77F4C-DC5E-4741-9029-4870FC3B13AE}" = protocol=17 | dir=in | app=c:\program files\dell v105\frun.exe |
"{14E05E31-290C-482C-A753-D41D1904202D}" = protocol=17 | dir=in | app=c:\windows\system32\dldncfg.exe |
"{1910983E-91D2-477D-A7C4-E23CCA3B0455}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{2198D4BE-46D5-48C4-9150-74F7B309BF9E}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{225DA006-412C-442B-91AA-C0E0D6F4806C}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{2E14D2C6-800E-48B5-8E77-46CC70FED772}" = protocol=17 | dir=in | app=c:\program files\dell v105\frun.exe |
"{2EEB78D3-DF9F-41DF-A499-34D811F66B76}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{309FB23D-1056-4260-900A-70858A9A6478}" = protocol=17 | dir=in | app=c:\program files\dell v105\dldnamon.exe |
"{327E29A8-B885-45DF-86F9-9F074DE3FFB2}" = protocol=6 | dir=in | app=c:\program files\dell v105\dldnmon.exe |
"{3A9DF1AE-83FB-49CF-B90F-6094B9033CF8}" = protocol=6 | dir=in | app=c:\windows\system32\dldncfg.exe |
"{40C72E84-290D-44CD-8266-602280A8D41C}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\dldnpswx.exe |
"{4655235E-1759-481F-A082-A54B2D0D5932}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{4E1A6705-9266-460A-81B7-88C391911787}" = protocol=17 | dir=in | app=c:\program files\dell v105\dldnmon.exe |
"{569D0C9D-7511-4263-B236-B531C1A9BC52}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\dldnjswx.exe |
"{5BFDA136-334C-47A2-A8C4-A101DB532626}" = protocol=17 | dir=in | app=c:\windows\system32\dldncoms.exe |
"{5FD89190-5260-4AB3-A1EA-DD8D3F57A2B3}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\dldnjswx.exe |
"{69BA4A45-B1B4-4737-9632-5CB756FC47BA}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{7212CBDC-FE57-4F56-B40B-6A9919DA2AD3}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{72A993A7-847E-4269-9B3E-2D793059B875}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\dldntime.exe |
"{78285735-D5ED-48DD-8A95-9829BFA4D48C}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{7B248A00-3064-47AF-8D39-3B4765D5971A}" = protocol=6 | dir=in | app=c:\program files\dell v105\frun.exe |
"{8043ECFE-3F8F-4936-A489-82915CA85D19}" = protocol=6 | dir=in | app=c:\windows\system32\zonelabs\vsmon.exe |
"{850808CF-F1F4-4940-AE1A-3649CFDD20AE}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{88ED9D9B-551F-4666-B810-DBA608D42867}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\dldnpswx.exe |
"{8B065B35-0F4C-41BB-97A4-FB334CDE6E40}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{8E5FAF74-A11E-4669-BA92-ABA44ECA3082}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{914F3855-98C7-4EEB-BF97-02A14331FE12}" = protocol=17 | dir=in | app=c:\windows\system32\zonelabs\vsmon.exe |
"{996902BF-93C7-4C19-ABC8-1170C33437DD}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{9B49EA29-88FC-4DF6-9832-109A0C4312D4}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{9CBA145D-64DB-46A6-B2BF-08887F96239E}" = protocol=6 | dir=in | app=c:\program files\dell v105\dldnamon.exe |
"{B0F87BA6-161C-4C61-BD52-F437E0FD60BC}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{B760536F-C22F-4ABA-B1CE-282DE753608B}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{B96A67D5-33B9-4389-AE9E-66B1E9411800}" = protocol=6 | dir=in | app=c:\program files\dell v105\dldnamon.exe |
"{D1E7E71F-CE78-42D4-9505-516AE68DA867}" = protocol=17 | dir=in | app=c:\windows\system32\dldncoms.exe |
"{DA1642F2-26AD-4387-BF58-5E3DF4B86DCE}" = protocol=6 | dir=in | app=c:\windows\system32\dldncoms.exe |
"{DD0E9975-8DA0-4D06-B628-F464ABA3403E}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E98D1662-BEB8-48C5-A3DB-DE8BA6E2D874}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{F2C06A5C-118B-4806-8396-009AA2930552}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{F36BD953-7543-4588-B8CB-31009BE094C4}" = protocol=6 | dir=in | app=c:\program files\dell v105\frun.exe |
"{F6AC515A-3A75-4CCF-8239-237962D56366}" = protocol=6 | dir=in | app=c:\windows\system32\dldncoms.exe |
"TCP Query User{B35E887A-BC98-4875-A70F-D3F73C6879CF}C:\program files\encore\hoyle card games 2009\hoyle card games.exe" = protocol=6 | dir=in | app=c:\program files\encore\hoyle card games 2009\hoyle card games.exe |
"TCP Query User{EEC6ECAB-7A08-4552-8DAA-B7FDAB7650B7}C:\windows\system32\spool\drivers\w32x86\3\dldnpswx.exe" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\dldnpswx.exe |
"TCP Query User{F32CEDB2-41D9-43A5-BFB9-B18D07C260CB}C:\program files\dell v105\dldnmon.exe" = protocol=6 | dir=in | app=c:\program files\dell v105\dldnmon.exe |
"UDP Query User{0A65884C-2C6C-4809-87B3-5AE9350DD8C4}C:\program files\dell v105\dldnmon.exe" = protocol=17 | dir=in | app=c:\program files\dell v105\dldnmon.exe |
"UDP Query User{6A36D168-869F-4718-B653-05AEA01C1EDA}C:\windows\system32\spool\drivers\w32x86\3\dldnpswx.exe" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\dldnpswx.exe |
"UDP Query User{AE23FC68-BD1B-4A97-8A91-5E024FB257BD}C:\program files\encore\hoyle card games 2009\hoyle card games.exe" = protocol=17 | dir=in | app=c:\program files\encore\hoyle card games 2009\hoyle card games.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{07C9627A-CA0B-2AA2-062E-204359DF7BA1}" = Catalyst Control Center Core Implementation
"{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}" = TOSHIBA ConfigFree
"{0EFB2016-41D2-5F30-8F60-25250F6DABDD}" = CCC Help Thai
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1E57A11B-AB65-C6D1-F999-B3B37AB2298E}" = Catalyst Control Center Localization Japanese
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{25B932C7-EB2B-422E-910D-504FB00DAE43}" = Reader Library by Sony
"{27265B80-303E-EFFF-6052-B11F91B634C3}" = Catalyst Control Center Localization Italian
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2920435D-CE92-5024-1694-DFD43A5FF074}" = Catalyst Control Center Localization Greek
"{2CD6D3D2-1EFC-F0B4-1761-FD4FA7F8750F}" = CCC Help Finnish
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{358004B9-3A16-87FF-4487-4D6F0C70E52F}" = Catalyst Control Center Localization Russian
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{38A3E884-313A-7AE0-11BC-482DE0C8766A}" = CCC Help Czech
"{3BB12DBC-0A8E-ECE2-F179-D06B99B8CD02}" = Catalyst Control Center Localization Czech
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E0E28DC-DA90-1BA2-FA36-AA3C2E4FB74A}" = Catalyst Control Center Graphics Previews Vista
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{48AFBB60-8CF5-4605-BB04-704DD8702B80}" = VZAccess Manager for RIM
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{4C90501F-864B-5AC4-867D-6AC35BE50721}" = ccc-utility
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{55398A75-13E0-570F-BD16-2EE5D9E5523D}" = Catalyst Control Center Localization Norwegian
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5F131988-3326-AD64-1817-D76A2FE3C2D3}" = CCC Help Chinese Traditional
"{5FBF37CD-B7F9-564C-BDFC-73D970CF7AF2}" = CCC Help Italian
"{612AD33D-9824-4E87-8396-92374E91C4BB}_is1" = Inbox Toolbar
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{61C63422-E5E2-8576-2B82-0E01F5AD2538}" = CCC Help English
"{61F90A4F-AD49-7FFB-F027-5B2CB64F0A70}" = Catalyst Control Center Graphics Light
"{629044C7-745A-64B8-467F-2F93ED50008B}" = CCC Help Chinese Standard
"{64236D72-5D68-44C5-A5F6-C152CED274B8}" = AT&T Communication Manager
"{65BF23C0-4EF9-27CC-7B6F-190F4008A569}" = Catalyst Control Center Localization Polish
"{65D602E4-DCDE-0743-6A0A-F1A203449F47}" = CCC Help German
"{68BEE9AE-D577-4CFA-9201-02B0CF288FC5}" = Memeo AutoBackup
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69E5255D-9D43-4CFF-8984-843ABD7753B7}" = Catalyst Control Center - Branding
"{6B4874CA-13CF-2477-B697-B448201B56B6}" = CCC Help Norwegian
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6EB0B23B-AA51-6F4E-C94C-C1015ED61EEC}" = CCC Help Japanese
"{70495081-1DC8-AD4B-C197-12138B8FBC9E}" = CCC Help Danish
"{71B929E2-3556-93DB-DEC0-FD56D3EFB473}" = Catalyst Control Center Localization Chinese Traditional
"{71C47830-182D-79FA-0790-0366E6E2C2EB}" = Catalyst Control Center Localization Spanish
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73B52EA8-8A5C-4FF5-A9F2-1A0F3259C3D2}" = TOSHIBA Application Disc Creator
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77CAD946-C573-6647-B222-B6870C072932}" = CCC Help Korean
"{7E83516C-931B-870F-5CDF-01FDF9A4AEF0}" = Catalyst Control Center Localization Turkish
"{86728841-C151-B8E4-43C6-DD289DE570B6}" = Catalyst Control Center Localization Swedish
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{86DBA852-5D5E-1856-D828-620E792EDC0D}" = Catalyst Control Center Localization Chinese Standard
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{88BA2601-8A62-7AB7-DB8A-7AA2840B7C87}" = Catalyst Control Center Localization Thai
"{890EF3F8-742F-46BD-9E8E-084B3A1F4364}" = QuickBooks Financial Center
"{8B587895-7716-1B99-5D85-3CA4AAF8A0F4}" = Catalyst Control Center Localization Dutch
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9244F321-0BBD-9D4A-C1FB-6437E3D0550D}" = Catalyst Control Center Localization German
"{93F3EBDD-4007-C233-7320-977AC0941054}" = CCC Help Turkish
"{94AB6CE0-DB26-7048-2A5B-4647EA1FC693}" = ccc-core-static
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9EE04322-6399-4010-83C1-67BC022B9BE8}" = firedog advisor
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A103C127-2168-4493-8D01-4BF180BED12C}" = CCC Help Portuguese
"{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}" = PRS-500 USB driver
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7F27ADB-3C56-0F2B-6B4B-0B8E02A49186}" = ATI Catalyst Install Manager
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AC2EE52D-05CD-8140-5D29-5AA29590971E}" = CCC Help French
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B02A78AE-EA3B-8261-AEBC-8221E22DCC1E}" = CCC Help Polish
"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library
"{B1D67B62-35A8-A9A1-AA74-F6A495C8271A}" = Catalyst Control Center Localization Danish
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{BC2EA92A-A5A9-A137-5204-F150EDB05DB3}" = CCC Help Hungarian
"{BC713970-8C3C-852B-4139-636F21114B7F}" = CCC Help Dutch
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{C5F1A9C4-C041-2E95-5D7E-EF56CED2B522}" = Skins
"{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7CC05AF-067D-0D1A-1E4D-9DCBCDCC2D41}" = Catalyst Control Center Graphics Full New
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E0FC3A5D-CF52-ABA7-92EF-D9794F372121}" = Catalyst Control Center Graphics Full Existing
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{EA7D1919-A6BF-979A-E3A2-F753E23D45FA}" = Catalyst Control Center Localization Hungarian
"{ED2BC5D9-20EE-FBB6-8483-240F19EFCAA5}" = CCC Help Swedish
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0345A2F-1D78-0AEA-7CBB-CEF48622EB44}" = Catalyst Control Center Localization Portuguese
"{F0646787-1A2F-34E9-A61D-9DAD69F606F8}" = CCC Help Spanish
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F50E4D66-5280-FDF8-7F55-2E47FCF23E7D}" = Catalyst Control Center Localization Korean
"{F67E6AE5-F87B-025F-2D6B-26491304393F}" = CCC Help Russian
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F8024EB8-5B34-46FE-B15D-20ACF26FC20E}" = Hoyle Puzzle and Board Games
"{F9DAAC4B-5E3F-1D39-9D4B-6998664EF402}" = Catalyst Control Center Localization Finnish
"{F9F66B99-C1B3-ACEA-1F80-404CC4DD96BF}" = Catalyst Control Center Localization French
"{FA493449-3E34-4E05-8CA7-26A42E9F180E}" = CCC Help Greek
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"75070B1806113224B16C70296B90DD1AD8A53479" = Windows Driver Package - Sony Corporation (PRSUSB) USB (08/08/2006 1.0.03.08080)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"Dell V105" = Dell V105
"Digital Editions" = Adobe Digital Editions
"FinePix Genie_is1" = FUJIFILM MyFinePix Studio 1.0
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Hoyle Card Games" = Hoyle Card Games
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{68BEE9AE-D577-4CFA-9201-02B0CF288FC5}" = Memeo AutoBackup
"InstallShield_{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"InterActual Player" = InterActual Player
"IObit Security 360_is1" = IObit Security 360
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.0.8)" = Mozilla Firefox (3.0.8)
"Picasa 3" = Picasa 3
"SCRABBLE" = SCRABBLE
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"WildTangent toshiba Master Uninstall" = TOSHIBA Games
"ZoneAlarm" = ZoneAlarm

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >



#8 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,092 posts
  • Gender:Female
  • Location:Romania

Posted 29 September 2010 - 12:35 PM

Let's see what the following scan shows us.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#9 netmonk

netmonk
  • Topic Starter

  • Members
  • 7 posts

Posted 30 September 2010 - 01:40 PM

QUOTE
ComboFix 10-09-29.04 - owner 09/30/2010 13:21:52.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.2217 [GMT -4:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\spool\prtprocs\w32x86\CNMPD97.DLL
c:\windows\system32\spool\prtprocs\w32x86\CNMPP97.DLL

.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
.

2010-09-30 17:27 . 2010-09-30 17:27 -------- d-----w- c:\users\owner\AppData\Local\temp
2010-09-30 17:27 . 2010-09-30 17:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-30 17:19 . 2010-09-30 17:20 -------- d-----w- C:\32788R22FWJFW
2010-09-29 12:45 . 2010-09-29 13:58 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2010-09-27 17:44 . 2010-09-27 17:44 -------- d-----w- C:\My Backups
2010-09-22 19:47 . 2010-09-22 19:47 2200 ----a-w- C:\backup.dat
2010-09-22 18:22 . 2010-09-22 18:22 -------- d-----w- c:\programdata\ZA_PreservedFiles
2010-09-22 18:04 . 2010-09-22 18:04 -------- d-----w- c:\windows\Standalone System Sweeper
2010-09-22 17:03 . 2010-09-28 17:34 680 ----a-w- c:\users\owner\AppData\Local\d3d9caps.dat
2010-09-22 16:37 . 2010-09-22 16:37 -------- d-----w- c:\programdata\Hitman Pro
2010-09-22 16:37 . 2010-09-22 16:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-21 17:51 . 2010-09-22 18:22 -------- d-----w- c:\windows\system32\ZoneLabs
2010-09-21 17:51 . 2010-09-21 17:51 -------- d-----w- c:\program files\Zone Labs
2010-09-21 17:50 . 2010-09-22 18:22 -------- d-----w- c:\windows\Internet Logs
2010-09-21 17:50 . 2010-09-21 17:50 -------- d-----w- c:\programdata\CheckPoint
2010-09-21 15:16 . 2010-09-21 15:16 -------- d-----w- c:\users\owner\AppData\Roaming\IObit
2010-09-21 12:54 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-21 12:54 . 2010-09-21 12:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-21 12:54 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-16 17:27 . 2010-09-22 16:29 -------- d-----w- c:\windows\system32\catroot2
2010-09-15 18:35 . 2010-09-15 18:36 -------- d-----w- c:\windows\system32\ca-ES
2010-09-15 18:35 . 2010-09-15 18:36 -------- d-----w- c:\windows\system32\eu-ES
2010-09-15 18:35 . 2010-09-15 18:36 -------- d-----w- c:\windows\system32\vi-VN
2010-09-15 17:40 . 2010-09-15 17:40 -------- d-----w- c:\windows\system32\EventProviders
2010-09-14 21:27 . 2010-09-14 21:27 -------- d-----w- c:\programdata\IObit
2010-09-14 21:27 . 2010-09-14 21:27 -------- d-----w- c:\program files\IObit
2010-09-14 13:28 . 2010-09-14 13:28 -------- d-----w- c:\users\owner\AppData\Roaming\Avira
2010-09-14 13:28 . 2010-09-14 13:28 -------- d-----w- c:\windows\Sun
2010-09-13 20:42 . 2010-09-13 20:42 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-09-13 20:03 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-09-13 20:03 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-13 20:03 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-09-13 20:03 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-09-13 20:03 . 2010-09-13 20:03 -------- d-----w- c:\programdata\Avira
2010-09-13 20:03 . 2010-09-13 20:03 -------- d-----w- c:\program files\Avira
2010-09-13 19:44 . 2010-09-13 19:45 -------- d-----w- c:\program files\CCleaner
2010-09-13 16:33 . 2010-09-15 12:46 -------- d-----w- c:\program files\Retina-X Spyware Cleaner
2010-09-13 16:10 . 2010-09-13 16:27 715152 ----a-w- c:\programdata\Simply Super Software\Trojan Remover\Data\trunins.exe
2010-09-13 13:27 . 2010-09-13 13:27 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2010-09-13 13:27 . 2010-09-13 13:27 -------- d-----w- c:\programdata\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 15:54 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infpub.dat
2010-09-28 15:54 . 2006-11-02 10:25 143360 ----a-w- c:\windows\Inf\infstrng.dat
2010-09-28 15:54 . 2006-11-02 10:25 143360 ----a-w- c:\windows\Inf\infstor.dat
2010-09-22 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-09-15 18:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-09-15 18:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-15 18:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-09-15 18:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-09-15 18:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-09-15 18:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-09-15 18:34 . 2006-11-02 10:25 665600 ----a-w- c:\windows\Inf\drvindex.dat
2010-09-15 12:46 . 2009-04-22 20:36 -------- d-----w- c:\program files\Trojan Remover
2010-09-15 12:46 . 2009-04-22 20:34 -------- d-----w- c:\users\owner\AppData\Roaming\Simply Super Software
2010-09-10 20:38 . 2008-07-11 00:43 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 07:02 . 2008-07-11 00:46 -------- d-----w- c:\programdata\Microsoft Help
2010-08-08 13:39 . 2010-06-15 22:50 -------- d-----w- c:\users\owner\AppData\Roaming\Hoyle
2010-07-02 20:22 . 2008-07-30 18:42 72064 ----a-w- c:\users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-19 13:21 . 2009-11-16 17:50 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
1601-01-01 00:00 . 1601-01-01 00:00 0 --sha-w- c:\windows\System32\temppf.sys
2008-07-30 18:41 . 2008-07-30 18:41 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-07-30 18:41 . 2008-07-30 18:41 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2010-01-27 20:30 883272 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2008-04-29 17:33 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldnamon]
2008-03-17 21:29 16624 ----a-w- c:\program files\Dell V105\dldnamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldnmon.exe]
2008-03-17 21:29 668912 ----a-w- c:\program files\Dell V105\dldnmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\firedogadvisor]
2007-11-11 20:47 522760 ----a-w- c:\program files\firedog advisor\faAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-06-19 13:21 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reader Library Launcher]
2010-05-10 13:27 906656 ----a-w- c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-06-08 22:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe [2008-03-04 595184]
R2 faproct;Circuit City Firedog Advisor ProcessTriggerDriver;c:\windows\system32\DRIVERS\faproct.sys [2007-11-28 6656]
R2 faunidrv;UniDriver for Firedog Advisor;c:\windows\system32\DRIVERS\faunidrv.sys [2007-09-23 7168]
R2 gupdate1c9e88955b3cc60;Google Update Service (gupdate1c9e88955b3cc60);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 133104]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2010-01-25 121416]
R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [2010-01-25 125512]
R3 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
R3 fbdpinger;fbdpinger;c:\windows\fdbpinger.exe [2008-04-01 157040]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-19 30192]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\DRIVERS\gtuhsbus.sys [2009-07-16 67840]
R3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\DRIVERS\gtuhs51.sys [2009-07-16 107776]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\DRIVERS\gtuhsser.sys [2009-07-16 8064]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-25 73728]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 firedogAdvisorSrvHost;firedogAdvisorSrvHost;c:\program files\firedog advisor\firedogAdvisorSrvHost.exe [2007-12-24 312328]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE
*NewlyCreated* - PXHELP20
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-05 22:32]

2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 22:34]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 22:34]

2010-09-28 c:\windows\Tasks\Hitman Pro 3.5 Boot Task.job
- c:\program files\Hitman Pro 3.5\HitmanPro35.exe [2010-09-22 02:31]

2010-09-21 c:\windows\Tasks\User_Feed_Synchronization-{0ED870D8-D95B-470E-8BB7-569057E3189A}.job
- c:\windows\system32\msfeedssync.exe [2010-09-15 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\l6xvcs4h.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=BCPA&o=16145&locale=en_US&apn_uid=B3935638-188F-4B7F-9959-A0377AD72EAA&apn_ptnrs=QK&apn_sauid=8B2CBF5E-EDF3-4C6E-A2C4-BEAC04A88C6C&apn_dtid=&q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Sony\Reader\Data\bin\npebldetectmoz.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {73E417CC-EFEE-473E-BC70-5D85C93594EF} - c:\windows\system32\config\systemprofile\AppData\Local\{73E417CC-EFEE-473E-BC70-5D85C93594EF}\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
HKLM-Run-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-osCheck - c:\program files\Norton 360\osCheck.exe
MSConfigStartUp-TP CfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SymCuw.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
AddRemove-ZoneAlarm - c:\program files\Zone Labs\ZoneAlarm\zauninst.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-402309793-3304718121-4283858942-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:15,05,1c,4b,78,36,da,7b,2b,9f,5a,e5,3a,71,50,c6,0d,f1,14,a6,00,e8,7f,
c9,50,31,59,5d,48,ff,a7,b1,a3,89,20,e6,22,36,ad,c2,99,3f,73,4b,60,5c,54,7f,\
"??"=hex:25,9d,b5,5d,47,d6,72,35,db,09,4d,87,74,cf,8b,5d

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-30 13:29:07
ComboFix-quarantined-files.txt 2010-09-30 17:29

Pre-Run: 162,527,031,296 bytes free
Post-Run: 162,543,210,496 bytes free

- - End Of File - - B83DE14A729FBEEEDD4E538C0D1C31B8

Thanks!

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,092 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:51 AM

Posted 30 September 2010 - 01:55 PM

Still a firefox redirector to take care of. Please let me know how things are running after the following fix.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Firefox::
FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\l6xvcs4h.default\
FF - HiddenExtension: XULRunner: {73E417CC-EFEE-473E-BC70-5D85C93594EF} - c:\windows\system32\config\systemprofile\AppData\Local\{73E417CC-EFEE-473E-BC70-5D85C93594EF}\

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
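As an added example (not ComboFix's code and not part of Elise's post), the Python script below shows the kind of check behind this fix: it parses the "FF -" lines ComboFix prints for the Firefox profile, flags a keyword.URL that sends address-bar searches to a host other than an expected search provider and a hidden extension registered from the LocalSystem profile (the systemprofile directory), and assembles a Firefox:: section in the same shape as the script above. The allowlist of search hosts and the systemprofile heuristic are assumptions of this example; the sample lines are copied from the log posted earlier in the thread.

```python
import re
from urllib.parse import urlparse
from typing import Dict, List

# Constructed sample input: the "FF -" lines from the ComboFix Supplementary Scan
# posted earlier in this thread (the keyword.URL line is copied as logged).
SAMPLE_LOG = r"""
FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\l6xvcs4h.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=BCPA&o=16145&locale=en_US&apn_uid=B3935638-188F-4B7F-9959-A0377AD72EAA&apn_ptnrs=QK&apn_sauid=8B2CBF5E-EDF3-4C6E-A2C4-BEAC04A88C6C&apn_dtid=&q=
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {73E417CC-EFEE-473E-BC70-5D85C93594EF} - c:\windows\system32\config\systemprofile\AppData\Local\{73E417CC-EFEE-473E-BC70-5D85C93594EF}\
"""

PROFILE_RE = re.compile(r"^FF - ProfilePath - (?P<path>.+)$")
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - (?P<value>.*)$")
HIDDEN_EXT_RE = re.compile(
    r"^FF - HiddenExtension: (?P<name>.+?): (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)

# Assumption: hosts a user would plausibly have chosen as their address-bar search
# on purpose. Anything else in keyword.URL deserves a second look; tune per site.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Assumption: an extension registered from the LocalSystem profile directory is
# not something the user installed through the browser's add-on manager.
SYSTEM_PROFILE_MARKER = "\\system32\\config\\systemprofile\\"


def refang(url: str) -> str:
    """ComboFix defangs URLs as hxxp/hxxps; undo that so urlparse sees a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def analyze_firefox_lines(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious 'FF -' line, with the reason it was flagged."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        pref = PREF_RE.match(line)
        if pref and pref.group("name") == "keyword.URL":
            host = urlparse(refang(pref.group("value"))).hostname or ""
            if host.lower() not in EXPECTED_SEARCH_HOSTS:
                findings.append({"line": line,
                                 "reason": f"keyword.URL sends address-bar searches to {host}"})
            continue
        ext = HIDDEN_EXT_RE.match(line)
        if ext and SYSTEM_PROFILE_MARKER in ext.group("path").lower():
            findings.append({"line": line,
                             "reason": "hidden extension registered from the LocalSystem profile"})
    return findings


def build_cfscript(log_text: str) -> str:
    """Assemble a 'Firefox::' section listing the flagged lines, in the same shape as
    the script posted in this thread (the ProfilePath line comes first)."""
    lines = ["Firefox::"]
    for line in log_text.splitlines():
        if PROFILE_RE.match(line.strip()):
            lines.append(line.strip())
    lines.extend(f["line"] for f in analyze_firefox_lines(log_text))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in analyze_firefox_lines(SAMPLE_LOG):
        print(f"[!] {f['reason']}\n    {f['line']}")
    print()
    print(build_cfscript(SAMPLE_LOG))
```

Run against the sample log it reports the two lines Elise put in her script (the Ask redirect in keyword.URL and the XULRunner extension under systemprofile) and leaves the .NET Framework Assistant entry alone, because that one lives under the Windows .NET directory rather than the LocalSystem profile.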


#11 netmonk

netmonk
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:51 AM

Posted 30 September 2010 - 04:46 PM

Still no luck. Thanks so much for all your help so far guys n gals, unfortunately I have to throw in the towel. The customer wants her laptop back tomorrow, so I'm just going to have to wipe/reinstall in the morning. I was really hoping to have enough time to narrow this one down. Anyway, thanks again for all the effort and keep up the good work.

NM

Edited by netmonk, 30 September 2010 - 04:47 PM.


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,092 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:51 AM

Posted 01 October 2010 - 01:22 AM

Okay, in that case I will close this topic.

Since we are all volunteers here, we are neither able nor willing to work to deadlines. As you say, in such cases a reformat/reinstall is the fastest solution.

regards, Elise


