Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

W7 X64 infected with redirecting process


  • This topic is locked This topic is locked
18 replies to this topic

#1 Coliflor

Coliflor

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 30 October 2010 - 06:14 PM

Hi,

Around 10 days ago my W7 X64 got infected with a nasty virus that fully controlled IE redirecting it and preventing Google from working.
I ran Super Anti Spyware and after loosing the internet connection and recovering it with a Restore) I mostly recovered control of IE (sometimes gets frozen) and Google works OK. I installed MBAM and it keeps blocking IPs, many per day. I was instructed (in another place) to run ComboFix but it does not run in X64 systems. DrWeb claimed to have erradicated (BackDoor.Tdss.565 as a Process in memory: C:\Program Files (x86)\Internet Explorer\iexplore.exe:3164) but the IPs blocking and IE freezing still continue.

Meanwhile, I was instructed to run many anti-rootkit software and no success at all.

I followed the guideline and I initially forgot to attach the files. I did it now. GMER screen did not allow me selecting the options according to the Preparation Guide. The logs were 0 bytes and there was a final message that no changes to the system were detected. I could not upload the GMER log because the uploader skipped it. I have uploaded an image of the initial GMER screen. I could attach DDS but I could not attach ATTACH.TXT (the uploader says IO Error). I could paste ATTACH.TXT if required.

Many thanks in advance.Attached File  DDS.txt   29.35KB   3 downloadsAttached File  GMER screen.PNG   42.26KB   2 downloads

BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:32 PM

Posted 07 November 2010 - 06:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 Coliflor

Coliflor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 07 November 2010 - 07:39 PM

Hi etavares,

Thanks so much for helping me with this computer. I really appreciate your help.
My computer continues having an erratic IE Browser, sometimes slow and freezes, others just OK. Malwarebytes continues blocking IPs. I have also pasted Malwarebytes log.


I have pasted below both OTL logs. Run Defogger and disabled the CD emulation thing.
Problems with GMER: I downloaded, unzipped, and run it. It did not allow changing any option. Almost every option was gray. I have an image of the GMER screen but I do not know how to attach it (I pasted it in a Word document and I am not permitted to attach it. A kind of quick scan ran from the beginning.Only Services, Registry, Files, C:, and ADS had a check mark. I could not access any other options (they were gray and unresponsive). I tried it in Safe Mode with the same results. Anyway, I ran a scan with those default options and it says that GMER has not found any system modification. The GMER log is empty (0 bytes) and cannot be uploaded.

Thanks so much again.



OTL logs

OTL logfile created on: 11/7/2010 6:00:42 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Francisco\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 287.57 Gb Total Space | 244.87 Gb Free Space | 85.15% Space Free | Partition Type: NTFS

Computer Name: PANCHO | User Name: Francisco | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/07 17:58:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Francisco\Desktop\OTL.exe
PRC - [2010/11/06 18:18:10 | 000,233,936 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
PRC - [2010/10/14 16:54:27 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/04/29 14:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 14:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/03/25 19:07:00 | 000,124,224 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2010/03/25 19:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2010/03/17 15:03:08 | 000,252,728 | ---- | M] (TOSHIBA) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
PRC - [2010/03/11 13:06:06 | 000,193,824 | ---- | M] (Protexis Inc.) -- C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2010/02/24 03:54:48 | 002,454,840 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
PRC - [2010/01/28 19:34:01 | 000,103,792 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe
PRC - [2009/12/25 17:21:16 | 000,034,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
PRC - [2009/08/25 15:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/08/25 15:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/08/25 15:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/08/24 17:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
PRC - [2007/01/04 18:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/10/22 22:24:02 | 000,620,152 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/11/07 17:58:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Francisco\Desktop\OTL.exe
MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
MOD - [2009/07/13 20:15:31 | 000,154,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\imagehlp.dll
MOD - [2009/07/13 20:09:00 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\normaliz.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/09/22 17:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2010/04/06 16:53:14 | 000,258,928 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
SRV:64bit: - [2010/03/25 19:07:00 | 000,079,504 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2010/03/15 11:56:20 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/02/23 19:57:42 | 000,835,952 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
SRV:64bit: - [2010/02/05 19:44:48 | 000,137,560 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV:64bit: - [2009/11/06 00:05:28 | 000,489,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV:64bit: - [2009/10/21 11:30:36 | 000,531,520 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\ThpSrv.exe -- (Thpsrv)
SRV:64bit: - [2009/07/28 17:48:06 | 000,140,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/10/14 16:54:27 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/06/25 12:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2010/04/29 14:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/04/09 01:54:44 | 000,332,272 | ---- | M] (Google Inc.) [On_Demand | Stopped] -- C:\ProgramData\Partner\Partner.exe -- (Partner Service)
SRV - [2010/03/25 19:07:00 | 000,180,968 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe -- (McShield)
SRV - [2010/03/25 19:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2010/03/25 19:07:00 | 000,020,792 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe -- (McAfeeEngineService)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/11 13:06:06 | 000,193,824 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2010/01/28 19:34:01 | 000,103,792 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe -- (Norton PC Checkup Application Launcher)
SRV - [2009/12/03 21:30:18 | 000,238,328 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/10/06 11:21:50 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2009/08/25 15:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/08/24 17:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe -- (PCCUJobMgr)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/01/04 18:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\yjbydjdr.sys -- (zucpqd)
DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\fixiwo.sys -- (yxcn)
DRV:64bit: - File not found [Kernel | Auto | Stopped] -- C:\windows\SysNative\drivers\regi.sys -- (regi)
DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\vsllakl.sys -- (iyqg)
DRV:64bit: - [2010/09/22 23:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/06/25 12:07:26 | 000,035,344 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)
DRV:64bit: - [2010/05/26 09:39:08 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\65E4.tmp -- (MEMSWEEP2)
DRV:64bit: - [2010/04/29 14:39:28 | 000,024,664 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2010/03/25 19:07:00 | 000,469,400 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2010/03/25 19:07:00 | 000,120,096 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2010/03/25 19:07:00 | 000,097,576 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2010/03/25 19:07:00 | 000,084,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfetdik.sys -- (mfetdik)
DRV:64bit: - [2010/03/25 19:07:00 | 000,078,896 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2010/03/15 12:06:28 | 006,403,072 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atipmdag.sys -- (amdkmdag)
DRV:64bit: - [2010/03/15 11:00:58 | 000,188,928 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010/03/10 20:51:32 | 000,316,464 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010/01/12 16:37:34 | 000,325,152 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/12/02 17:01:24 | 000,213,280 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService)
DRV:64bit: - [2009/11/06 14:56:06 | 001,550,848 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/10/09 21:41:20 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/09/23 12:25:22 | 000,144,496 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\jmcr.sys -- (JMCR)
DRV:64bit: - [2009/07/30 23:02:36 | 000,044,912 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LPCFilter.sys -- (LPCFilter)
DRV:64bit: - [2009/07/30 22:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV:64bit: - [2009/07/14 17:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/29 18:16:20 | 000,014,784 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\Thpevm.sys -- (Thpevm)
DRV:64bit: - [2009/06/29 12:25:22 | 000,034,880 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\thpdrv.sys -- (Thpdrv)
DRV:64bit: - [2009/06/22 19:06:38 | 000,035,008 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PGEffect.sys -- (PGEffect)
DRV:64bit: - [2009/06/19 21:15:22 | 000,014,472 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TVALZFL.sys -- (TVALZFL)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/05 11:00:28 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig?brand=TSNA&bmod=TSNA
IE - HKU\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.cooperativa.cl/
IE - HKU\S-1-5-21-525092100-270286419-1632534797-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll (McAfee, Inc.)
O2:64bit: - BHO: (Partner BHO Class) - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner64.dll (Google Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Partner BHO Class) - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (TOSHIBA Media Controller Plug-in) - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-525092100-270286419-1632534797-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [] File not found
O4:64bit: - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [SmartFaceVWatcher] C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [ThpSrv] C:\windows\SysNative\thpsrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosNC] C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosReelTimeMonitor] C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosWaitSrv] C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
O4 - HKLM..\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe (Toshiba)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe (TOSHIBA)
O4 - HKLM..\Run: [TWebCamera] C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\windows\SysWow64\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\windows\SysWow64\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0
O8:64bit: - Extra context menu item: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*



Drivers32:64bit: aux - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: aux1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midimapper - midimap.dll (Microsoft Corporation)
Drivers32:64bit: mixer - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: msacm.imaadpcm - imaadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: msacm.msadpcm - msadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msg711 - msg711.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msgsm610 - msgsm32.acm (Microsoft Corporation)
Drivers32:64bit: MSVideo8 - VfWWDM32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.i420 - iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.IYUV - iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.mrle - msrle32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.msvc - msvidc32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.UYVY - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YUY2 - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YVU9 - tsbyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YVYU - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: wave - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wavemapper - msacm32.drv (Microsoft Corporation)
Drivers32: aux - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: aux1 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\windows\SysWow64\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.dvacm - C:\Program Files (x86)\Common Files\Ulead Systems\vio\DVACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.imaadpcm - C:\windows\SysWow64\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\windows\SysWow64\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\windows\SysWow64\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\windows\SysWow64\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\windows\SysWow64\sirenacm.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: vidc.i420 - C:\windows\SysWow64\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.iyuv - C:\windows\SysWow64\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\windows\SysWow64\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\windows\SysWow64\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\windows\SysWow64\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\windows\SysWow64\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/11/07 17:58:21 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Francisco\Desktop\OTL.exe
[2010/11/06 20:06:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2010/10/30 06:30:55 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark
[2010/10/28 19:08:04 | 000,000,000 | ---D | C] -- C:\windows\Minidump
[2010/10/27 20:37:49 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Roaming\Wireshark
[2010/10/27 20:26:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinPcap
[2010/10/27 06:38:32 | 000,000,000 | -HSD | C] -- C:\DrWeb Quarantine
[2010/10/27 06:38:29 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/10/26 19:01:07 | 000,000,000 | ---D | C] -- C:\Users\Francisco\DoctorWeb
[2010/10/26 19:00:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DrWeb
[2010/10/25 19:48:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/10/25 14:14:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2010/10/24 18:46:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysWow64\drivers\mbamswissarmy.sys
[2010/10/24 18:46:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/10/24 11:56:07 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/10/24 07:40:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2010/10/23 13:36:16 | 000,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2010/10/23 08:43:37 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/10/23 08:43:36 | 000,000,000 | ---D | C] -- C:\rsit
[2010/10/23 05:09:02 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Roaming\Windows Live Writer
[2010/10/23 05:09:02 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Windows Live Writer
[2010/10/23 04:55:51 | 000,000,000 | ---D | C] -- C:\windows\en
[2010/10/23 04:52:24 | 000,000,000 | ---D | C] -- C:\windows\SysNative\DRVSTORE
[2010/10/23 04:52:01 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2010/10/22 21:24:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\UEFI WinFlash
[2010/10/22 20:05:45 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Diagnostics
[2010/10/22 19:03:58 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/10/22 19:03:47 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/10/22 12:26:51 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Windows Live
[2010/10/21 20:00:07 | 000,000,000 | ---D | C] -- C:\QUARANTINE
[2010/10/20 18:03:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2010/10/20 15:03:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2010/10/20 15:03:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Security Scan
[2010/10/19 17:46:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Pivot Stickfigure Animator
[2010/10/18 16:01:00 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Unity
[2010/10/17 15:05:07 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Roaming\Malwarebytes
[2010/10/17 15:05:00 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2010/10/17 15:05:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/10/17 14:31:59 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\ElevatedDiagnostics
[2010/10/14 17:37:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio
[2010/10/14 17:33:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 8
[2010/10/14 17:26:42 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Amos 18.0
[2010/10/14 17:21:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SPSSInc
[2010/10/14 17:18:21 | 000,000,000 | ---D | C] -- C:\Users\Francisco\.spss
[2010/10/14 17:16:44 | 000,000,000 | ---D | C] -- C:\Users\Francisco\Documents\SafeNet Sentinel
[2010/10/14 17:12:44 | 000,000,000 | ---D | C] -- C:\ProgramData\SafeNet Sentinel
[2010/10/14 17:08:12 | 000,000,000 | ---D | C] -- C:\ProgramData\SPSS
[2010/10/14 17:08:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SPSS
[2010/10/14 17:06:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SPSSInc
[2010/10/14 17:04:16 | 000,000,000 | ---D | C] -- C:\Program Files\SPSSInc
[2010/10/14 16:56:30 | 000,000,000 | ---D | C] -- C:\Users\Francisco\Documents\Updater5
[2010/10/14 16:54:29 | 000,000,000 | ---D | C] -- C:\ProgramData\FLEXnet
[2010/10/14 16:54:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Macrovision Shared
[2010/10/14 16:37:09 | 000,000,000 | ---D | C] -- C:\windows\SysWow64\spool
[2010/10/13 19:26:38 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Microsoft Help
[2010/10/12 06:05:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSXML 4.0
[2010/10/10 12:30:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\InterVideo
[2010/10/10 12:29:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Protexis
[2010/10/10 12:27:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Corel
[2010/10/10 12:27:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Corel
[2010/10/10 11:03:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Ulead Systems
[2010/10/10 11:03:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Ulead Systems
[2010/10/10 11:03:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ulead Systems
[4 C:\windows\SysNative\*.tmp files -> C:\windows\SysNative\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/07 17:58:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Francisco\Desktop\OTL.exe
[2010/11/07 17:12:02 | 000,000,904 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/07 11:57:16 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/07 11:57:16 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/11/07 11:55:42 | 000,726,316 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2010/11/07 11:55:42 | 000,624,178 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2010/11/07 11:55:42 | 000,106,522 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2010/11/07 11:50:30 | 000,000,900 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/07 11:49:12 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2010/11/07 11:49:05 | 3016,503,296 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/06 20:12:36 | 000,002,266 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/11/06 20:12:36 | 000,002,250 | ---- | M] () -- C:\Users\Francisco\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/06 20:11:52 | 000,002,295 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/10/30 09:56:00 | 000,000,000 | ---- | M] () -- C:\Users\Francisco\defogger_reenable
[2010/10/30 06:33:42 | 000,049,098 | ---- | M] () -- C:\Users\Francisco\Documents\New Shark.pcap
[2010/10/30 06:31:22 | 000,001,565 | ---- | M] () -- C:\Users\Public\Desktop\Wireshark.lnk
[2010/10/28 19:07:58 | 364,755,659 | ---- | M] () -- C:\windows\MEMORY.DMP
[2010/10/27 21:13:27 | 000,080,412 | ---- | M] () -- C:\Users\Francisco\Documents\Cif-vill.pcap
[2010/10/24 18:46:59 | 000,001,020 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/23 08:59:06 | 000,135,168 | ---- | M] () -- C:\zip.exe
[2010/10/23 08:59:06 | 000,000,574 | ---- | M] () -- C:\cleanup.bat
[2010/10/22 18:55:28 | 000,364,032 | ---- | M] () -- C:\Users\Francisco\Desktop\rkill.exe
[2010/10/22 12:44:26 | 000,000,004 | -H-- | M] () -- C:\windows\SysWow64\iexplore.sy_
[2010/10/19 06:14:14 | 000,000,162 | -H-- | M] () -- C:\Users\Francisco\Documents\~$ancisco Cifuentes.docx
[2010/10/19 06:11:01 | 000,011,084 | ---- | M] () -- C:\Users\Francisco\Documents\Francisco Cifuentes.docx
[2010/10/16 11:13:30 | 000,430,080 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
[2010/10/14 17:32:09 | 000,000,114 | ---- | M] () -- C:\windows\SysWow64\prsgrc.tgz
[2010/10/14 17:32:08 | 000,000,100 | ---- | M] () -- C:\windows\SysWow64\prsgrc.dll
[2010/10/14 17:32:08 | 000,000,014 | ---- | M] () -- C:\windows\SysWow64\ssprs.tgz
[2010/10/14 17:24:32 | 000,001,024 | ---- | M] () -- C:\windows\SysWow64\grcauth2.dll
[2010/10/14 17:24:32 | 000,001,024 | ---- | M] () -- C:\windows\SysWow64\grcauth1.dll
[2010/10/14 17:24:01 | 000,001,024 | ---- | M] () -- C:\windows\SysWow64\clauth2.dll
[2010/10/14 17:24:01 | 000,001,024 | ---- | M] () -- C:\windows\SysWow64\clauth1.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\ssprs.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\serauth2.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\serauth1.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\nsprs.tgz
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\nsprs.dll
[2010/10/14 17:21:14 | 000,000,219 | ---- | M] () -- C:\windows\SysWow64\lsprst7.tgz
[2010/10/14 17:21:14 | 000,000,205 | ---- | M] () -- C:\windows\SysWow64\lsprst7.dll
[2010/10/14 17:21:14 | 000,000,016 | -H-- | M] () -- C:\windows\SysWow64\servdat.slm
[2010/10/14 17:20:31 | 000,000,000 | ---- | M] () -- C:\law.sp
[2010/10/14 17:04:06 | 000,001,025 | ---- | M] () -- C:\windows\SysWow64\sysprs7.tgz
[2010/10/14 17:04:06 | 000,001,025 | ---- | M] () -- C:\windows\SysWow64\sysprs7.dll
[2010/10/14 16:53:53 | 000,002,102 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
[2010/10/14 16:53:53 | 000,002,032 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/10/14 16:53:52 | 000,002,459 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/10/13 20:09:44 | 000,011,232 | ---- | M] () -- C:\Users\Francisco\Documents\5The paper clip becomes magnetized when stroked with a magnet because the domains in the magnet are lined up.docx
[2010/10/10 12:31:34 | 000,000,838 | ---- | M] () -- C:\Users\Public\Desktop\Corel WinDVD.lnk
[2010/10/10 11:04:19 | 000,002,204 | ---- | M] () -- C:\Users\Public\Desktop\Ulead Burn.Now 4.5 SE.lnk
[4 C:\windows\SysNative\*.tmp files -> C:\windows\SysNative\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/06 20:12:36 | 000,002,266 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/11/06 20:12:36 | 000,002,250 | ---- | C] () -- C:\Users\Francisco\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/06 20:11:52 | 000,002,295 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/11/06 20:07:06 | 000,000,904 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/06 20:07:05 | 000,000,900 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/10/30 09:56:00 | 000,000,000 | ---- | C] () -- C:\Users\Francisco\defogger_reenable
[2010/10/30 06:33:42 | 000,049,098 | ---- | C] () -- C:\Users\Francisco\Documents\New Shark.pcap
[2010/10/30 06:31:22 | 000,001,565 | ---- | C] () -- C:\Users\Public\Desktop\Wireshark.lnk
[2010/10/28 19:07:58 | 364,755,659 | ---- | C] () -- C:\windows\MEMORY.DMP
[2010/10/27 21:13:27 | 000,080,412 | ---- | C] () -- C:\Users\Francisco\Documents\Cif-vill.pcap
[2010/10/24 18:46:59 | 000,001,020 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/23 08:47:17 | 000,135,168 | ---- | C] () -- C:\zip.exe
[2010/10/23 08:47:17 | 000,000,574 | ---- | C] () -- C:\cleanup.bat
[2010/10/22 20:46:32 | 000,364,032 | ---- | C] () -- C:\Users\Francisco\Desktop\rkill.exe
[2010/10/22 12:44:26 | 000,000,004 | -H-- | C] () -- C:\windows\SysWow64\iexplore.sy_
[2010/10/19 06:14:14 | 000,000,162 | -H-- | C] () -- C:\Users\Francisco\Documents\~$ancisco Cifuentes.docx
[2010/10/19 06:11:00 | 000,011,084 | ---- | C] () -- C:\Users\Francisco\Documents\Francisco Cifuentes.docx
[2010/10/14 17:24:32 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\grcauth2.dll
[2010/10/14 17:24:32 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\grcauth1.dll
[2010/10/14 17:24:32 | 000,000,114 | ---- | C] () -- C:\windows\SysWow64\prsgrc.tgz
[2010/10/14 17:24:32 | 000,000,100 | ---- | C] () -- C:\windows\SysWow64\prsgrc.dll
[2010/10/14 17:24:01 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\clauth2.dll
[2010/10/14 17:24:01 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\clauth1.dll
[2010/10/14 17:24:01 | 000,000,014 | ---- | C] () -- C:\windows\SysWow64\ssprs.tgz
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\ssprs.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\serauth2.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\serauth1.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\nsprs.tgz
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\nsprs.dll
[2010/10/14 17:20:31 | 000,000,000 | ---- | C] () -- C:\law.sp
[2010/10/14 17:04:06 | 000,001,025 | ---- | C] () -- C:\windows\SysWow64\sysprs7.tgz
[2010/10/14 17:04:06 | 000,001,025 | ---- | C] () -- C:\windows\SysWow64\sysprs7.dll
[2010/10/14 17:04:06 | 000,000,219 | ---- | C] () -- C:\windows\SysWow64\lsprst7.tgz
[2010/10/14 17:04:06 | 000,000,205 | ---- | C] () -- C:\windows\SysWow64\lsprst7.dll
[2010/10/14 17:04:06 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\servdat.slm
[2010/10/14 16:44:57 | 000,002,459 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/10/14 16:44:57 | 000,002,102 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
[2010/10/14 16:44:57 | 000,002,032 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/10/13 20:09:43 | 000,011,232 | ---- | C] () -- C:\Users\Francisco\Documents\5The paper clip becomes magnetized when stroked with a magnet because the domains in the magnet are lined up.docx
[2010/10/10 12:31:34 | 000,000,838 | ---- | C] () -- C:\Users\Public\Desktop\Corel WinDVD.lnk
[2010/10/10 11:04:19 | 000,002,204 | ---- | C] () -- C:\Users\Public\Desktop\Ulead Burn.Now 4.5 SE.lnk
[2010/10/05 18:18:42 | 000,000,426 | ---- | C] () -- C:\windows\BRWMARK.INI
[2010/06/25 12:03:12 | 000,053,299 | ---- | C] () -- C:\windows\SysWow64\pthreadVC.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/04/28 06:37:00 | 000,028,672 | ---- | C] () -- C:\windows\SysWow64\SPCtl.dll
[2005/01/17 06:10:16 | 000,045,056 | ---- | C] () -- C:\windows\SysWow64\BRTCPCON.DLL
[2004/08/09 06:00:42 | 000,000,114 | ---- | C] () -- C:\windows\SysWow64\BRLMW03A.INI

========== LOP Check ==========

[2010/10/05 14:36:47 | 000,000,000 | ---D | M] -- C:\Users\Francisco\AppData\Roaming\Tific
[2010/10/13 19:47:59 | 000,000,000 | ---D | M] -- C:\Users\Francisco\AppData\Roaming\Toshiba
[2010/10/05 14:02:58 | 000,000,000 | ---D | M] -- C:\Users\Francisco\AppData\Roaming\WildTangent
[2010/10/05 01:56:26 | 000,000,000 | ---D | M] -- C:\Users\Francisco\AppData\Roaming\WinBatch
[2010/10/23 05:09:02 | 000,000,000 | ---D | M] -- C:\Users\Francisco\AppData\Roaming\Windows Live Writer
[2010/10/27 20:37:49 | 000,000,000 | ---D | M] -- C:\Users\Francisco\AppData\Roaming\Wireshark
[2009/07/14 00:08:49 | 000,014,952 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/13 20:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\dxtmsft.dll
[2009/07/13 20:15:13 | 000,215,552 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\dxtrans.dll
[2010/09/07 23:28:01 | 000,185,856 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\iepeers.dll

< %systemroot%\system32\*.sys /90 >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %SYSTEMDRIVE%\*.* >
[2010/10/22 13:27:42 | 003,247,597 | ---- | M] () -- C:\1.txt
[2009/07/13 20:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2010/04/09 02:07:15 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010/10/23 08:59:06 | 000,000,574 | ---- | M] () -- C:\cleanup.bat
[2010/10/23 08:47:17 | 000,000,050 | ---- | M] () -- C:\ekexm.txt
[2010/11/07 11:49:05 | 3016,503,296 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/14 17:20:31 | 000,000,000 | ---- | M] () -- C:\law.sp
[2006/12/01 22:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
[2010/11/07 11:49:07 | 4022,005,760 | -HS- | M] () -- C:\pagefile.sys
[2010/10/30 20:40:12 | 000,000,383 | ---- | M] () -- C:\rkill.log
[2010/10/23 08:59:06 | 000,135,168 | ---- | M] () -- C:\zip.exe

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< >

< End of report >





OTL Extras logfile created on: 11/7/2010 6:00:42 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Francisco\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 287.57 Gb Total Space | 244.87 Gb Free Space | 85.15% Space Free | Partition Type: NTFS

Computer Name: PANCHO | User Name: Francisco | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url [@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{1AAF3A3B-7B32-4DDF-8ABB-438DAEB46EEC}" = Windows Live Family Safety
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{21E2A283-1416-AF26-6DA1-92FDE02224EB}" = ccc-utility64
"{46A5FBE9-ADB3-4493-A1CC-B4CFFD24D26A}" = Windows Live Family Safety
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{5792CD64-61B4-C448-0D22-3C51DD73AB2A}" = ATI Catalyst Install Manager
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
"{A0E99122-25C1-4CA4-9063-499A2A814EB6}" = TOSHIBA ReelTime
"{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
"{C14518AF-1A0F-4D39-8011-69BAA01CD380}" = TOSHIBA Bulletin Board
"{C25215FC-5900-48B0-B93C-8D3379027312}" = PASW Statistics 18
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"SynTPDeinstKey" = Synaptics Pointing Device Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02950E10-1AA3-DF62-FED5-42CBD4ADC5C1}" = CCC Help Dutch
"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{118F5964-DA03-7B46-BDEA-7C3FA203D293}" = CCC Help Spanish
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1B87C40B-A60B-4EF3-9A68-706CF4B69978}" = TOSHIBA Assist
"{1CF51B76-7485-410C-D06D-23D1060974D3}" = Catalyst Control Center Core Implementation
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{21759FAC-AE5F-F171-EB4C-D2FBF66EDD04}" = CCC Help Czech
"{219B4856-468A-F0BB-8249-E630AD4E86C2}" = ccc-core-static
"{23EA31D7-28CD-F7B3-024C-6EB784F1BC79}" = CCC Help Russian
"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron Flash Media Controller Driver
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{3135D885-9D9A-4B4D-8D45-9DB05DA115CA}" = Amazon Links
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3669F19D-D7C2-3240-C4EC-A57DECC124FC}" = CCC Help Japanese
"{38A0161D-7CD3-51AD-0ACB-F46DD34D2FF6}" = CCC Help Greek
"{39670BCD-6300-21D8-78A4-ECD68D0C4D95}" = CCC Help Chinese Standard
"{3B843B38-04B1-4CE6-8888-586273E0F289}" = Quickbooks Financial Center
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{46A46830-50AA-3326-7A57-72BB03E6B3EC}" = CCC Help Hungarian
"{47984ADB-54E9-BE8F-E39F-8B1FAAD4B192}" = CCC Help Polish
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{5449FB4F-1802-4D5B-A6D8-087DB1142147}" = Realtek HDMI Audio Driver for ATI
"{5570C266-C606-85BC-6E23-C858566E02DB}" = CCC Help Swedish
"{5AF550B4-BB67-4E7E-82F1-2C4300279050}" = ToshibaRegistration
"{5C1F18D2-F6B7-4242-B803-B5A78648185D}" = Corel WinDVD
"{5E620377-939F-3E6B-F328-4A69D9CA0D1B}" = CCC Help French
"{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application
"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"{654F7484-88C5-46DC-AB32-C66BCB0E2102}" = TOSHIBA Sleep Utility
"{65D9DA69-4C22-46CA-B762-A338CAC94599}" = Amos 18
"{65F5F454-0029-045D-82ED-126F650B5C8F}" = Catalyst Control Center Graphics Previews Vista
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{836775DC-DC27-BC0C-7770-68E2591F6CC6}" = CCC Help Norwegian
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{86236CB1-023D-82B2-A706-74ECFFA91A8E}" = Catalyst Control Center Graphics Previews Common
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows 7
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B4BD0EF-A058-3F42-0AD8-763267A735D0}" = Catalyst Control Center Graphics Full New
"{8BD785CF-30C7-4182-B250-0D5FCE78D4DD}" = Catalyst Control Center - Branding
"{8BE504E9-0677-87AC-07D2-1A1428E17A92}" = Catalyst Control Center InstallProxy
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91D25D3C-A6D8-78D4-CDE7-F70B93389A03}" = CCC Help Italian
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}" = TOSHIBA Application Installer
"{983CD6FE-8320-4B80-A8F6-0D0366E0AA22}" = TOSHIBA Media Controller
"{9CD5AC28-04E5-07A5-100D-953D2B3A8747}" = Catalyst Control Center Graphics Full Existing
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AA951B10-7089-4D60-B288-516E641F48E6}" = McAfee Agent
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Franšais, Deutsch
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AD8D84C3-D43A-776D-E4A8-2A4433BCBD32}" = CCC Help Korean
"{B0402CE4-783A-773C-239B-FF45BDFB400E}" = Catalyst Control Center Localization All
"{B32B60B9-C31B-3193-257A-2381305A0851}" = CCC Help German
"{B3B66630-DA7C-BD66-DFA4-F37AC82873EE}" = CCC Help Danish
"{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"{B8615768-6D66-5E53-C4E1-6F7EC8D9BFFE}" = CCC Help English
"{C289841E-5B5F-0198-F3FF-CB361D007DA3}" = CCC Help Thai
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Toshiba Online Backup
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C7BC4EBB-D88F-019D-8ED0-F42F89096B18}" = CCC Help Turkish
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D10D079D-EFDA-9601-98F8-F935A2A411A0}" = CCC Help Chinese Traditional
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DA84ECBF-4B79-47F2-B34C-95C38484C058}" = Skype Launcher
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{DFD723B7-1762-73EC-32BC-A7D9E838808D}" = Catalyst Control Center Graphics Light
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E69992ED-A7F6-406C-9280-1C156417BC49}" = TOSHIBA Quality Application
"{E819AA87-4215-D35A-6872-BF97C32A9DB3}" = CCC Help Finnish
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F26FDF57-483E-42C8-A9C9-EEE1EDB256E0}" = TOSHIBA Media Controller Plug-in
"{FD1F254C-48B2-A188-0127-03855BA15D16}" = CCC Help Portuguese
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe Acrobat 8 Professional - English, Franšais, Deutsch" = Adobe Acrobat 8 Professional - English, Franšais, Deutsch
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Google Chrome" = Google Chrome
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"InstallShield_{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"InstallShield_{A0E99122-25C1-4CA4-9063-499A2A814EB6}" = TOSHIBA ReelTime
"InstallShield_{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5 SE
"InstallShield_{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"InstallShield_{C14518AF-1A0F-4D39-8011-69BAA01CD380}" = TOSHIBA Bulletin Board
"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"NortonPCCheckup" = Toshiba Laptop Checkup
"PROPLUS" = Microsoft Office Professional Plus 2007
"TOSHIBA Game Console" = WildTangent ORB Game Console
"WildTangent toshiba Master Uninstall" = WildTangent Games
"WinLiveSuite" = Windows Live Essentials
"WinPcapInst" = WinPcap 4.1.2
"Wireshark" = Wireshark 1.4.1
"WT083877" = Chuzzle Deluxe
"WT083885" = Zuma's Revenge
"WT083898" = Virtual Villagers - The Secret City
"WT083903" = Escape Rosecliff Island
"WT083929" = Bejeweled 2 Deluxe
"WT083957" = Jewel Quest 3
"WT083958" = Penguins!
"WT083959" = Polar Bowler
"WT083969" = Virtual Families
"WT084018" = FATE - The Traitor Soul

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/28/2010 9:08:15 PM | Computer Name = Pancho | Source = Application Error | ID = 1000
Description = Faulting application name: hhjvpv.exe, version: 0.0.0.0, time stamp:
0x4bfced95 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp:
0x4ba9b29c Exception code: 0xc0000005 Fault offset: 0x00033072 Faulting process id:
0xa80 Faulting application start time: 0x01cb7705c2229e40 Faulting application path:
C:\Users\Francisco\AppData\Local\Temp\hhjvpv.exe Faulting module path: C:\windows\SysWOW64\ntdll.dll
Report
Id: 01b72338-e2f9-11df-a520-88ae1d45886c

Error - 10/28/2010 9:21:03 PM | Computer Name = Pancho | Source = Application Error | ID = 1000
Description = Faulting application name: zlvtkt.exe, version: 0.0.0.0, time stamp:
0x4bfced95 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp:
0x4ba9b29c Exception code: 0xc0000005 Fault offset: 0x00033072 Faulting process id:
0xcb0 Faulting application start time: 0x01cb77078ad2bf8f Faulting application path:
C:\Users\Francisco\AppData\Local\Temp\zlvtkt.exe Faulting module path: C:\windows\SysWOW64\ntdll.dll
Report
Id: cb12a79b-e2fa-11df-a520-88ae1d45886c

Error - 10/28/2010 9:36:04 PM | Computer Name = Pancho | Source = Application Error | ID = 1000
Description = Faulting application name: wsjqhs.exe, version: 0.0.0.0, time stamp:
0x4bfced95 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp:
0x4ba9b29c Exception code: 0xc0000005 Fault offset: 0x00033072 Faulting process id:
0xab8 Faulting application start time: 0x01cb7709a45056da Faulting application path:
C:\Users\Francisco\AppData\Local\Temp\wsjqhs.exe Faulting module path: C:\windows\SysWOW64\ntdll.dll
Report
Id: e416d8b8-e2fc-11df-a520-88ae1d45886c

Error - 10/28/2010 9:41:07 PM | Computer Name = Pancho | Source = Application Error | ID = 1000
Description = Faulting application name: mbbsmn.exe, version: 0.0.0.0, time stamp:
0x4bfced95 Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp:
0x4ba9b29c Exception code: 0xc0000005 Fault offset: 0x00033072 Faulting process id:
0x10e0 Faulting application start time: 0x01cb770a5990fe70 Faulting application path:
C:\Users\Francisco\AppData\Local\Temp\mbbsmn.exe Faulting module path: C:\windows\SysWOW64\ntdll.dll
Report
Id: 98b8041c-e2fd-11df-a520-88ae1d45886c

Error - 10/29/2010 7:12:47 AM | Computer Name = Pancho | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.7600.16671 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 350 Start
Time: 01cb775910560feb Termination Time: 16 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id: 6c25e45e-e34d-11df-a520-88ae1d45886c

Error - 10/29/2010 7:14:35 AM | Computer Name = Pancho | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.7600.16671 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 10a4 Start
Time: 01cb775a39912321 Termination Time: 16 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id: b2e88c34-e34d-11df-a520-88ae1d45886c

Error - 10/29/2010 6:56:54 PM | Computer Name = Pancho | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.7600.16671 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: c24 Start
Time: 01cb775a7b0bbd5d Termination Time: 0 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id:

Error - 10/29/2010 7:43:06 PM | Computer Name = Pancho | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.7600.16671 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 1254 Start
Time: 01cb77bd090e42b4 Termination Time: 15 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id: 4238e355-e3b6-11df-a520-88ae1d45886c

Error - 10/29/2010 7:57:09 PM | Computer Name = Pancho | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.7600.16671 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 155c Start
Time: 01cb77c30af20b2f Termination Time: 0 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id: 3806994c-e3b8-11df-a520-88ae1d45886c

Error - 10/29/2010 7:57:58 PM | Computer Name = Pancho | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 8.0.7600.16671 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 1414 Start
Time: 01cb77c4ffc10de9 Termination Time: 15 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id: 569e088b-e3b8-11df-a520-88ae1d45886c

[ System Events ]
Error - 10/29/2010 8:06:32 PM | Computer Name = Pancho | Source = Service Control Manager | ID = 7000
Description = The regi service failed to start due to the following error: %%2

Error - 10/29/2010 8:06:51 PM | Computer Name = Pancho | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom iyqg yxcn zucpqd

Error - 10/30/2010 6:59:53 AM | Computer Name = Pancho | Source = Service Control Manager | ID = 7000
Description = The regi service failed to start due to the following error: %%2

Error - 10/30/2010 7:00:28 AM | Computer Name = Pancho | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom iyqg yxcn zucpqd

Error - 10/30/2010 9:15:20 AM | Computer Name = Pancho | Source = Service Control Manager | ID = 7000
Description = The regi service failed to start due to the following error: %%2

Error - 10/30/2010 9:15:36 AM | Computer Name = Pancho | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom iyqg yxcn zucpqd

Error - 10/30/2010 6:48:40 PM | Computer Name = Pancho | Source = DCOM | ID = 10016
Description =

Error - 10/30/2010 6:49:06 PM | Computer Name = Pancho | Source = DCOM | ID = 10016
Description =

Error - 10/30/2010 6:49:43 PM | Computer Name = Pancho | Source = DCOM | ID = 10016
Description =

Error - 10/30/2010 6:52:54 PM | Computer Name = Pancho | Source = DCOM | ID = 10016
Description =


< End of report >

warebytes log

11:52:17 Francisco MESSAGE Protection started successfully
11:52:23 Francisco MESSAGE IP Protection started successfully
12:02:20 Francisco IP-BLOCK 91.212.226.6
12:04:13 Francisco IP-BLOCK 91.212.226.6
12:12:25 Francisco IP-BLOCK 193.27.232.75
12:14:18 Francisco IP-BLOCK 193.27.232.75
12:22:26 Francisco IP-BLOCK 193.27.232.72
12:24:13 Francisco IP-BLOCK 193.27.232.72
12:44:22 Francisco IP-BLOCK 91.212.226.6
12:54:20 Francisco IP-BLOCK 193.27.232.75
13:04:18 Francisco IP-BLOCK 193.27.232.72
13:14:15 Francisco IP-BLOCK 195.206.246.216
13:24:20 Francisco IP-BLOCK 61.61.20.132
13:34:17 Francisco IP-BLOCK 195.206.246.245
13:44:22 Francisco IP-BLOCK 61.61.20.135
14:24:29 Francisco IP-BLOCK 91.212.226.6
14:34:27 Francisco IP-BLOCK 193.27.232.75
14:40:31 Francisco IP-BLOCK 209.44.122.29
14:43:28 Francisco IP-BLOCK 91.212.226.6
14:44:25 Francisco IP-BLOCK 209.44.122.29
14:44:25 Francisco IP-BLOCK 193.27.232.72
14:46:02 Francisco IP-BLOCK 209.44.122.29
14:53:26 Francisco IP-BLOCK 193.27.232.75
14:55:43 Francisco IP-BLOCK 209.44.122.29
15:03:26 Francisco IP-BLOCK 193.27.232.72
15:04:30 Francisco IP-BLOCK 91.212.226.6
15:14:28 Francisco IP-BLOCK 193.27.232.75
15:24:33 Francisco IP-BLOCK 193.27.232.72
15:34:30 Francisco IP-BLOCK 195.206.246.216
15:44:29 Francisco IP-BLOCK 61.61.20.132
15:54:28 Francisco IP-BLOCK 195.206.246.245
16:04:33 Francisco IP-BLOCK 61.61.20.135
16:44:38 Francisco IP-BLOCK 91.212.226.6
16:54:35 Francisco IP-BLOCK 193.27.232.75
17:04:41 Francisco IP-BLOCK 193.27.232.72
17:24:30 Francisco IP-BLOCK 91.212.226.6
17:24:38 Francisco IP-BLOCK 91.212.226.6
17:34:28 Francisco IP-BLOCK 193.27.232.75
17:34:36 Francisco IP-BLOCK 193.27.232.75
17:44:33 Francisco IP-BLOCK 193.27.232.72
17:44:41 Francisco IP-BLOCK 193.27.232.72

#4 Coliflor

Coliflor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 07 November 2010 - 07:44 PM

This is very weird.
When I tried to post my previous answer from the infected PC, I could not do it. The connection was lost when I tried to post my answer. I tried to connect to hotmail and I could not. I tried to send me an email with the text of my answer to post it from another PC and I could not. The only way I could do it was to send an email with an attachment (I know it is dangerous) and receive that email in another non-infected PC and post the answer from that computer. Did the infection took control of the webpages and is also able to affect GMER function?!

Thanks so much

#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:32 PM

Posted 08 November 2010 - 11:14 PM

Hello, Coliflor.

That's a symptom of several viruses. TDSS is a backdoor rootkit.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Step 1

  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#6 Coliflor

Coliflor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 09 November 2010 - 03:44 PM

Here is the log.
It said that cured something.

2010/11/09 15:24:02.0645 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/09 15:24:02.0645 ================================================================================
2010/11/09 15:24:02.0645 SystemInfo:
2010/11/09 15:24:02.0645
2010/11/09 15:24:02.0645 OS Version: 6.1.7600 ServicePack: 0.0
2010/11/09 15:24:02.0645 Product type: Workstation
2010/11/09 15:24:02.0645 ComputerName: PANCHO
2010/11/09 15:24:02.0645 UserName: Francisco
2010/11/09 15:24:02.0645 Windows directory: C:\windows
2010/11/09 15:24:02.0645 System windows directory: C:\windows
2010/11/09 15:24:02.0645 Running under WOW64
2010/11/09 15:24:02.0645 Processor architecture: Intel x64
2010/11/09 15:24:02.0645 Number of processors: 2
2010/11/09 15:24:02.0645 Page size: 0x1000
2010/11/09 15:24:02.0645 Boot type: Normal boot
2010/11/09 15:24:02.0645 ================================================================================
2010/11/09 15:24:02.0645 Utility is running under WOW64
2010/11/09 15:24:03.0113 Initialize success
2010/11/09 15:24:20.0070 ================================================================================
2010/11/09 15:24:20.0070 Scan started
2010/11/09 15:24:20.0070 Mode: Manual;
2010/11/09 15:24:20.0070 ================================================================================
2010/11/09 15:24:21.0817 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\windows\system32\DRIVERS\1394ohci.sys
2010/11/09 15:24:22.0301 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\windows\system32\DRIVERS\ACPI.sys
2010/11/09 15:24:22.0488 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\windows\system32\DRIVERS\acpipmi.sys
2010/11/09 15:24:22.0847 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\windows\system32\DRIVERS\adp94xx.sys
2010/11/09 15:24:23.0019 adpahci (597f78224ee9224ea1a13d6350ced962) C:\windows\system32\DRIVERS\adpahci.sys
2010/11/09 15:24:23.0346 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\windows\system32\DRIVERS\adpu320.sys
2010/11/09 15:24:23.0580 AFD (b9384e03479d2506bc924c16a3db87bc) C:\windows\system32\drivers\afd.sys
2010/11/09 15:24:23.0767 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\windows\system32\DRIVERS\agp440.sys
2010/11/09 15:24:23.0861 aliide (5812713a477a3ad7363c7438ca2ee038) C:\windows\system32\DRIVERS\aliide.sys
2010/11/09 15:24:24.0048 amdide (1ff8b4431c353ce385c875f194924c0c) C:\windows\system32\DRIVERS\amdide.sys
2010/11/09 15:24:24.0220 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\windows\system32\DRIVERS\amdk8.sys
2010/11/09 15:24:24.0641 amdkmdag (aefaf27f1b7e52c705df4fb6c96732f6) C:\windows\system32\DRIVERS\atipmdag.sys
2010/11/09 15:24:25.0218 amdkmdap (8149db73be27950ec72767a1193153a6) C:\windows\system32\DRIVERS\atikmpag.sys
2010/11/09 15:24:25.0452 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\windows\system32\DRIVERS\amdppm.sys
2010/11/09 15:24:25.0530 amdsata (7a4b413614c055935567cf88a9734d38) C:\windows\system32\DRIVERS\amdsata.sys
2010/11/09 15:24:25.0811 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\windows\system32\DRIVERS\amdsbs.sys
2010/11/09 15:24:26.0061 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\windows\system32\DRIVERS\amdxata.sys
2010/11/09 15:24:26.0217 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\windows\system32\drivers\appid.sys
2010/11/09 15:24:26.0341 arc (c484f8ceb1717c540242531db7845c4e) C:\windows\system32\DRIVERS\arc.sys
2010/11/09 15:24:26.0513 arcsas (019af6924aefe7839f61c830227fe79c) C:\windows\system32\DRIVERS\arcsas.sys
2010/11/09 15:24:26.0685 AsyncMac (769765ce2cc62867468cea93969b2242) C:\windows\system32\DRIVERS\asyncmac.sys
2010/11/09 15:24:26.0763 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\windows\system32\DRIVERS\atapi.sys
2010/11/09 15:24:27.0059 athr (d6cad7e5b05055bb8226bdcb1644da27) C:\windows\system32\DRIVERS\athrx.sys
2010/11/09 15:24:27.0355 AtiPcie (7c5d273e29dcc5505469b299c6f29163) C:\windows\system32\DRIVERS\AtiPcie.sys
2010/11/09 15:24:27.0652 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\windows\system32\DRIVERS\bxvbda.sys
2010/11/09 15:24:27.0933 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\windows\system32\DRIVERS\b57nd60a.sys
2010/11/09 15:24:28.0198 Beep (16a47ce2decc9b099349a5f840654746) C:\windows\system32\drivers\Beep.sys
2010/11/09 15:24:28.0447 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\windows\system32\DRIVERS\blbdrive.sys
2010/11/09 15:24:28.0713 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\windows\system32\DRIVERS\bowser.sys
2010/11/09 15:24:28.0931 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\windows\system32\DRIVERS\BrFiltLo.sys
2010/11/09 15:24:29.0165 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\windows\system32\DRIVERS\BrFiltUp.sys
2010/11/09 15:24:29.0305 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\windows\System32\Drivers\Brserid.sys
2010/11/09 15:24:29.0524 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\windows\System32\Drivers\BrSerWdm.sys
2010/11/09 15:24:29.0649 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\windows\System32\Drivers\BrUsbMdm.sys
2010/11/09 15:24:29.0711 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\windows\System32\Drivers\BrUsbSer.sys
2010/11/09 15:24:29.0851 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\windows\system32\DRIVERS\bthmodem.sys
2010/11/09 15:24:30.0117 cdfs (b8bd2bb284668c84865658c77574381a) C:\windows\system32\DRIVERS\cdfs.sys
2010/11/09 15:24:30.0351 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\windows\system32\DRIVERS\cdrom.sys
2010/11/09 15:24:30.0522 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\windows\system32\DRIVERS\circlass.sys
2010/11/09 15:24:30.0631 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\windows\system32\CLFS.sys
2010/11/09 15:24:30.0928 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\windows\system32\DRIVERS\CmBatt.sys
2010/11/09 15:24:31.0271 cmdide (e19d3f095812725d88f9001985b94edd) C:\windows\system32\DRIVERS\cmdide.sys
2010/11/09 15:24:31.0474 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\windows\system32\Drivers\cng.sys
2010/11/09 15:24:31.0614 Compbatt (102de219c3f61415f964c88e9085ad14) C:\windows\system32\DRIVERS\compbatt.sys
2010/11/09 15:24:31.0848 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\windows\system32\DRIVERS\CompositeBus.sys
2010/11/09 15:24:32.0160 crcdisk (1c827878a998c18847245fe1f34ee597) C:\windows\system32\DRIVERS\crcdisk.sys
2010/11/09 15:24:32.0550 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\windows\system32\Drivers\dfsc.sys
2010/11/09 15:24:32.0847 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\windows\system32\drivers\discache.sys
2010/11/09 15:24:33.0299 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\windows\system32\DRIVERS\disk.sys
2010/11/09 15:24:33.0767 drmkaud (9b19f34400d24df84c858a421c205754) C:\windows\system32\drivers\drmkaud.sys
2010/11/09 15:24:34.0001 DXGKrnl (ebce0b0924835f635f620d19f0529dce) C:\windows\System32\drivers\dxgkrnl.sys
2010/11/09 15:24:34.0578 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\windows\system32\DRIVERS\evbda.sys
2010/11/09 15:24:34.0968 elxstor (0e5da5369a0fcaea12456dd852545184) C:\windows\system32\DRIVERS\elxstor.sys
2010/11/09 15:24:35.0124 ErrDev (34a3c54752046e79a126e15c51db409b) C:\windows\system32\DRIVERS\errdev.sys
2010/11/09 15:24:35.0389 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\windows\system32\drivers\exfat.sys
2010/11/09 15:24:35.0545 fastfat (0adc83218b66a6db380c330836f3e36d) C:\windows\system32\drivers\fastfat.sys
2010/11/09 15:24:35.0764 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\windows\system32\DRIVERS\fdc.sys
2010/11/09 15:24:35.0935 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\windows\system32\drivers\fileinfo.sys
2010/11/09 15:24:35.0982 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\windows\system32\drivers\filetrace.sys
2010/11/09 15:24:36.0123 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\windows\system32\DRIVERS\flpydisk.sys
2010/11/09 15:24:36.0341 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\windows\system32\drivers\fltmgr.sys
2010/11/09 15:24:36.0559 FsDepends (d43703496149971890703b4b1b723eac) C:\windows\system32\drivers\FsDepends.sys
2010/11/09 15:24:36.0715 fssfltr (6c06701bf1db05405804d7eb610991ce) C:\windows\system32\DRIVERS\fssfltr.sys
2010/11/09 15:24:36.0965 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\windows\system32\drivers\Fs_Rec.sys
2010/11/09 15:24:37.0246 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\windows\system32\DRIVERS\fvevol.sys
2010/11/09 15:24:37.0511 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\windows\system32\DRIVERS\gagp30kx.sys
2010/11/09 15:24:37.0917 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\windows\system32\drivers\hcw85cir.sys
2010/11/09 15:24:38.0166 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\windows\system32\drivers\HdAudio.sys
2010/11/09 15:24:38.0603 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\windows\system32\DRIVERS\HDAudBus.sys
2010/11/09 15:24:38.0962 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\windows\system32\DRIVERS\HidBatt.sys
2010/11/09 15:24:39.0055 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\windows\system32\DRIVERS\hidbth.sys
2010/11/09 15:24:39.0118 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\windows\system32\DRIVERS\hidir.sys
2010/11/09 15:24:39.0352 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\windows\system32\DRIVERS\hidusb.sys
2010/11/09 15:24:39.0508 HpSAMD (0886d440058f203eba0e1825e4355914) C:\windows\system32\DRIVERS\HpSAMD.sys
2010/11/09 15:24:39.0773 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\windows\system32\drivers\HTTP.sys
2010/11/09 15:24:39.0929 hwpolicy (f17766a19145f111856378df337a5d79) C:\windows\system32\drivers\hwpolicy.sys
2010/11/09 15:24:40.0038 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\windows\system32\DRIVERS\i8042prt.sys
2010/11/09 15:24:40.0179 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\windows\system32\DRIVERS\iaStorV.sys
2010/11/09 15:24:40.0459 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\windows\system32\DRIVERS\iirsp.sys
2010/11/09 15:24:41.0208 IntcAzAudAddService (a73cc9bd3a7236e686be6667f0106c16) C:\windows\system32\drivers\RTKVHD64.sys
2010/11/09 15:24:41.0551 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\windows\system32\DRIVERS\intelide.sys
2010/11/09 15:24:41.0692 intelppm (ada036632c664caa754079041cf1f8c1) C:\windows\system32\DRIVERS\intelppm.sys
2010/11/09 15:24:41.0739 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\windows\system32\DRIVERS\ipfltdrv.sys
2010/11/09 15:24:42.0035 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\windows\system32\DRIVERS\IPMIDrv.sys
2010/11/09 15:24:42.0207 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\windows\system32\drivers\ipnat.sys
2010/11/09 15:24:42.0425 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\windows\system32\drivers\irenum.sys
2010/11/09 15:24:42.0706 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\windows\system32\DRIVERS\isapnp.sys
2010/11/09 15:24:43.0033 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\windows\system32\DRIVERS\msiscsi.sys
2010/11/09 15:24:43.0657 JMCR (5bd76f820656aeaa2dce66eed8da84b9) C:\windows\system32\DRIVERS\jmcr.sys
2010/11/09 15:24:43.0969 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\windows\system32\DRIVERS\kbdclass.sys
2010/11/09 15:24:44.0344 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\windows\system32\DRIVERS\kbdhid.sys
2010/11/09 15:24:44.0656 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\windows\system32\Drivers\ksecdd.sys
2010/11/09 15:24:44.0952 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\windows\system32\Drivers\ksecpkg.sys
2010/11/09 15:24:45.0233 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\windows\system32\drivers\ksthunk.sys
2010/11/09 15:24:45.0670 lltdio (1538831cf8ad2979a04c423779465827) C:\windows\system32\DRIVERS\lltdio.sys
2010/11/09 15:24:45.0841 LPCFilter (41e122f6d1448c94cc05196bc41d6bfb) C:\windows\system32\DRIVERS\LPCFilter.sys
2010/11/09 15:24:46.0247 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\windows\system32\DRIVERS\lsi_fc.sys
2010/11/09 15:24:46.0481 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\windows\system32\DRIVERS\lsi_sas.sys
2010/11/09 15:24:46.0606 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\windows\system32\DRIVERS\lsi_sas2.sys
2010/11/09 15:24:46.0653 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\windows\system32\DRIVERS\lsi_scsi.sys
2010/11/09 15:24:46.0762 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\windows\system32\drivers\luafv.sys
2010/11/09 15:24:47.0011 MBAMProtector (e330051cce41eb4522e5dcebc15adcea) C:\windows\system32\drivers\mbam.sys
2010/11/09 15:24:47.0323 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\windows\system32\DRIVERS\megasas.sys
2010/11/09 15:24:47.0573 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\windows\system32\DRIVERS\MegaSR.sys
2010/11/09 15:24:47.0698 MEMSWEEP2 (d70476ad02d6fd75282b196d3b58831d) C:\windows\system32\65E4.tmp
2010/11/09 15:24:48.0025 mfeapfk (12ad015f8c2c109c6a74d25da94607fe) C:\windows\system32\drivers\mfeapfk.sys
2010/11/09 15:24:48.0259 mfeavfk (dd17753ad5fa52f3bcd3b512934690c4) C:\windows\system32\drivers\mfeavfk.sys
2010/11/09 15:24:48.0431 mfehidk (3ba96b0584ad024f03eb9835d45619c2) C:\windows\system32\drivers\mfehidk.sys
2010/11/09 15:24:48.0696 mferkdet (158c24a8ed5f2cab71a86fd775bc1727) C:\windows\system32\drivers\mferkdet.sys
2010/11/09 15:24:48.0837 mfetdik (6cfff53e82808268dd61ab4790a36426) C:\windows\system32\drivers\mfetdik.sys
2010/11/09 15:24:49.0227 Modem (800ba92f7010378b09f9ed9270f07137) C:\windows\system32\drivers\modem.sys
2010/11/09 15:24:49.0632 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\windows\system32\DRIVERS\monitor.sys
2010/11/09 15:24:49.0866 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\windows\system32\DRIVERS\mouclass.sys
2010/11/09 15:24:50.0069 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\windows\system32\DRIVERS\mouhid.sys
2010/11/09 15:24:50.0194 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\windows\system32\drivers\mountmgr.sys
2010/11/09 15:24:50.0334 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\windows\system32\DRIVERS\mpio.sys
2010/11/09 15:24:50.0677 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\windows\system32\drivers\mpsdrv.sys
2010/11/09 15:24:50.0833 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\windows\system32\drivers\mrxdav.sys
2010/11/09 15:24:50.0896 mrxsmb (767a4c3bcf9410c286ced15a2db17108) C:\windows\system32\DRIVERS\mrxsmb.sys
2010/11/09 15:24:51.0442 mrxsmb10 (920ee0ff995fcfdeb08c41605a959e1c) C:\windows\system32\DRIVERS\mrxsmb10.sys
2010/11/09 15:24:51.0660 mrxsmb20 (740d7ea9d72c981510a5292cf6adc941) C:\windows\system32\DRIVERS\mrxsmb20.sys
2010/11/09 15:24:51.0925 msahci (5c37497276e3b3a5488b23a326a754b7) C:\windows\system32\DRIVERS\msahci.sys
2010/11/09 15:24:52.0206 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\windows\system32\DRIVERS\msdsm.sys
2010/11/09 15:24:52.0409 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\windows\system32\drivers\Msfs.sys
2010/11/09 15:24:52.0549 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\windows\System32\drivers\mshidkmdf.sys
2010/11/09 15:24:52.0612 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\windows\system32\DRIVERS\msisadrv.sys
2010/11/09 15:24:52.0674 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\windows\system32\drivers\MSKSSRV.sys
2010/11/09 15:24:52.0830 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\windows\system32\drivers\MSPCLOCK.sys
2010/11/09 15:24:52.0955 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\windows\system32\drivers\MSPQM.sys
2010/11/09 15:24:53.0017 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\windows\system32\drivers\MsRPC.sys
2010/11/09 15:24:53.0205 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\windows\system32\DRIVERS\mssmbios.sys
2010/11/09 15:24:53.0361 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\windows\system32\drivers\MSTEE.sys
2010/11/09 15:24:53.0407 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\windows\system32\DRIVERS\MTConfig.sys
2010/11/09 15:24:53.0610 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\windows\system32\Drivers\mup.sys
2010/11/09 15:24:53.0797 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\windows\system32\DRIVERS\nwifi.sys
2010/11/09 15:24:53.0969 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\windows\system32\drivers\ndis.sys
2010/11/09 15:24:54.0234 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\windows\system32\DRIVERS\ndiscap.sys
2010/11/09 15:24:54.0375 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\windows\system32\DRIVERS\ndistapi.sys
2010/11/09 15:24:54.0437 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\windows\system32\DRIVERS\ndisuio.sys
2010/11/09 15:24:54.0593 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\windows\system32\DRIVERS\ndiswan.sys
2010/11/09 15:24:54.0858 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\windows\system32\drivers\NDProxy.sys
2010/11/09 15:24:55.0123 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\windows\system32\DRIVERS\netbios.sys
2010/11/09 15:24:55.0248 NetBT (9162b273a44ab9dce5b44362731d062a) C:\windows\system32\DRIVERS\netbt.sys
2010/11/09 15:24:55.0654 nfrd960 (77889813be4d166cdab78ddba990da92) C:\windows\system32\DRIVERS\nfrd960.sys
2010/11/09 15:24:55.0857 NPF (351533acc2a069b94e80bbfc177e8fdf) C:\windows\system32\drivers\npf.sys
2010/11/09 15:24:56.0231 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\windows\system32\drivers\Npfs.sys
2010/11/09 15:24:56.0559 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\windows\system32\drivers\nsiproxy.sys
2010/11/09 15:24:57.0198 Ntfs (356698a13c4630d5b31c37378d469196) C:\windows\system32\drivers\Ntfs.sys
2010/11/09 15:24:57.0697 Null (9899284589f75fa8724ff3d16aed75c1) C:\windows\system32\drivers\Null.sys
2010/11/09 15:24:57.0900 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\windows\system32\DRIVERS\nvraid.sys
2010/11/09 15:24:57.0994 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\windows\system32\DRIVERS\nvstor.sys
2010/11/09 15:24:58.0259 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\windows\system32\DRIVERS\nv_agp.sys
2010/11/09 15:24:58.0431 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\windows\system32\DRIVERS\ohci1394.sys
2010/11/09 15:24:58.0805 Parport (0086431c29c35be1dbc43f52cc273887) C:\windows\system32\DRIVERS\parport.sys
2010/11/09 15:24:58.0992 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\windows\system32\drivers\partmgr.sys
2010/11/09 15:24:59.0117 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\windows\system32\DRIVERS\pci.sys
2010/11/09 15:24:59.0476 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\windows\system32\DRIVERS\pciide.sys
2010/11/09 15:24:59.0601 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\windows\system32\DRIVERS\pcmcia.sys
2010/11/09 15:24:59.0757 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\windows\system32\drivers\pcw.sys
2010/11/09 15:24:59.0928 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\windows\system32\drivers\peauth.sys
2010/11/09 15:25:00.0240 PGEffect (663962900e7fea522126ba287715bb4a) C:\windows\system32\DRIVERS\pgeffect.sys
2010/11/09 15:25:00.0521 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\windows\system32\DRIVERS\raspptp.sys
2010/11/09 15:25:00.0646 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\windows\system32\DRIVERS\processr.sys
2010/11/09 15:25:00.0708 Psched (ee992183bd8eaefd9973f352e587a299) C:\windows\system32\DRIVERS\pacer.sys
2010/11/09 15:25:00.0989 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\windows\system32\DRIVERS\ql2300.sys
2010/11/09 15:25:01.0161 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\windows\system32\DRIVERS\ql40xx.sys
2010/11/09 15:25:01.0332 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\windows\system32\drivers\qwavedrv.sys
2010/11/09 15:25:01.0457 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\windows\system32\DRIVERS\rasacd.sys
2010/11/09 15:25:01.0519 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\windows\system32\DRIVERS\AgileVpn.sys
2010/11/09 15:25:01.0769 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\windows\system32\DRIVERS\rasl2tp.sys
2010/11/09 15:25:01.0925 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\windows\system32\DRIVERS\raspppoe.sys
2010/11/09 15:25:02.0003 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\windows\system32\DRIVERS\rassstp.sys
2010/11/09 15:25:02.0081 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\windows\system32\DRIVERS\rdbss.sys
2010/11/09 15:25:02.0268 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\windows\system32\DRIVERS\rdpbus.sys
2010/11/09 15:25:02.0440 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\windows\system32\DRIVERS\RDPCDD.sys
2010/11/09 15:25:02.0736 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\windows\system32\drivers\rdpencdd.sys
2010/11/09 15:25:03.0017 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\windows\system32\drivers\rdprefmp.sys
2010/11/09 15:25:03.0438 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\windows\system32\drivers\RDPWD.sys
2010/11/09 15:25:03.0625 rdyboost (634b9a2181d98f15941236886164ec8b) C:\windows\system32\drivers\rdyboost.sys
2010/11/09 15:25:03.0844 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\windows\system32\DRIVERS\rspndr.sys
2010/11/09 15:25:04.0031 RTHDMIAzAudService (4e821c740a675f6d040be41d59a62b1d) C:\windows\system32\drivers\RtHDMIVX.sys
2010/11/09 15:25:04.0359 RTL8167 (fd978b2bf8a9b2390dcbef435e9c1f9f) C:\windows\system32\DRIVERS\Rt64win7.sys
2010/11/09 15:25:04.0608 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\windows\system32\DRIVERS\sbp2port.sys
2010/11/09 15:25:04.0827 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\windows\system32\DRIVERS\scfilter.sys
2010/11/09 15:25:05.0014 sdbus (2c8d162efaf73abd36d8bcbb6340cae7) C:\windows\system32\DRIVERS\sdbus.sys
2010/11/09 15:25:05.0154 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\windows\system32\drivers\secdrv.sys
2010/11/09 15:25:05.0326 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\windows\system32\DRIVERS\serenum.sys
2010/11/09 15:25:05.0435 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\windows\system32\DRIVERS\serial.sys
2010/11/09 15:25:05.0544 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\windows\system32\DRIVERS\sermouse.sys
2010/11/09 15:25:05.0747 sffdisk (a554811bcd09279536440c964ae35bbf) C:\windows\system32\DRIVERS\sffdisk.sys
2010/11/09 15:25:05.0887 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\windows\system32\DRIVERS\sffp_mmc.sys
2010/11/09 15:25:06.0043 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\windows\system32\DRIVERS\sffp_sd.sys
2010/11/09 15:25:06.0168 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\windows\system32\DRIVERS\sfloppy.sys
2010/11/09 15:25:06.0231 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\windows\system32\DRIVERS\SiSRaid2.sys
2010/11/09 15:25:06.0371 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\windows\system32\DRIVERS\sisraid4.sys
2010/11/09 15:25:06.0433 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\windows\system32\DRIVERS\smb.sys
2010/11/09 15:25:06.0605 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\windows\system32\drivers\spldr.sys
2010/11/09 15:25:06.0870 srv (de6f5658da951c4bc8e498570b5b0d5f) C:\windows\system32\DRIVERS\srv.sys
2010/11/09 15:25:07.0260 srv2 (4d33d59c0b930c523d29f9bd40cda9d2) C:\windows\system32\DRIVERS\srv2.sys
2010/11/09 15:25:07.0557 srvnet (5a663fd67049267bc5c3f3279e631ffb) C:\windows\system32\DRIVERS\srvnet.sys
2010/11/09 15:25:07.0837 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\windows\system32\DRIVERS\stexstor.sys
2010/11/09 15:25:08.0040 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\windows\system32\DRIVERS\swenum.sys
2010/11/09 15:25:08.0305 SynTP (470c47daba9ca3966f0ab3f835d7d135) C:\windows\system32\DRIVERS\SynTP.sys
2010/11/09 15:25:08.0758 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\windows\system32\drivers\tcpip.sys
2010/11/09 15:25:09.0210 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\windows\system32\DRIVERS\tcpip.sys
2010/11/09 15:25:09.0335 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\windows\system32\drivers\tcpipreg.sys
2010/11/09 15:25:09.0491 tdcmdpst (fd542b661bd22fa69ca789ad0ac58c29) C:\windows\system32\DRIVERS\tdcmdpst.sys
2010/11/09 15:25:09.0725 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\windows\system32\drivers\tdpipe.sys
2010/11/09 15:25:09.0850 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\windows\system32\drivers\tdtcp.sys
2010/11/09 15:25:10.0084 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\windows\system32\DRIVERS\tdx.sys
2010/11/09 15:25:10.0489 TermDD (c448651339196c0e869a355171875522) C:\windows\system32\DRIVERS\termdd.sys
2010/11/09 15:25:10.0770 Thpdrv (c013f6acaa9761f571bd28dada7c157d) C:\windows\system32\DRIVERS\thpdrv.sys
2010/11/09 15:25:11.0113 Thpevm (b4e609047434ed948af7bdef2fa66e38) C:\windows\system32\DRIVERS\Thpevm.SYS
2010/11/09 15:25:11.0535 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\windows\system32\DRIVERS\tssecsrv.sys
2010/11/09 15:25:11.0800 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\windows\system32\DRIVERS\tunnel.sys
2010/11/09 15:25:11.0971 TVALZ (550b567f9364d8f7684c3fb3ea665a72) C:\windows\system32\DRIVERS\TVALZ_O.SYS
2010/11/09 15:25:12.0408 TVALZFL (9c7191f4b2e49bff47a6c1144b5923fa) C:\windows\system32\DRIVERS\TVALZFL.sys
2010/11/09 15:25:12.0673 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\windows\system32\DRIVERS\uagp35.sys
2010/11/09 15:25:12.0736 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\windows\system32\DRIVERS\udfs.sys
2010/11/09 15:25:12.0907 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\windows\system32\DRIVERS\uliagpkx.sys
2010/11/09 15:25:13.0110 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\windows\system32\DRIVERS\umbus.sys
2010/11/09 15:25:13.0219 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\windows\system32\DRIVERS\umpass.sys
2010/11/09 15:25:13.0329 usbccgp (b26afb54a534d634523c4fb66765b026) C:\windows\system32\DRIVERS\usbccgp.sys
2010/11/09 15:25:13.0578 usbcir (af0892a803fdda7492f595368e3b68e7) C:\windows\system32\DRIVERS\usbcir.sys
2010/11/09 15:25:13.0672 usbehci (cb490987a7f6928a04bb838e3bd8a936) C:\windows\system32\DRIVERS\usbehci.sys
2010/11/09 15:25:13.0875 usbhub (18124ef0a881a00ee222d02a3ee30270) C:\windows\system32\DRIVERS\usbhub.sys
2010/11/09 15:25:13.0984 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\windows\system32\DRIVERS\usbohci.sys
2010/11/09 15:25:14.0171 usbprint (73188f58fb384e75c4063d29413cee3d) C:\windows\system32\DRIVERS\usbprint.sys
2010/11/09 15:25:14.0233 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\windows\system32\DRIVERS\USBSTOR.SYS
2010/11/09 15:25:14.0343 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\windows\system32\DRIVERS\usbuhci.sys
2010/11/09 15:25:14.0499 usbvideo (7cb8c573c6e4a2714402cc0a36eab4fe) C:\windows\System32\Drivers\usbvideo.sys
2010/11/09 15:25:14.0717 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\windows\system32\DRIVERS\vdrvroot.sys
2010/11/09 15:25:14.0904 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\windows\system32\DRIVERS\vgapnp.sys
2010/11/09 15:25:14.0935 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\windows\System32\drivers\vga.sys
2010/11/09 15:25:14.0998 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\windows\system32\DRIVERS\vhdmp.sys
2010/11/09 15:25:15.0107 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\windows\system32\DRIVERS\viaide.sys
2010/11/09 15:25:15.0279 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\windows\system32\DRIVERS\volmgr.sys
2010/11/09 15:25:15.0357 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\windows\system32\drivers\volmgrx.sys
2010/11/09 15:25:15.0513 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\windows\system32\DRIVERS\volsnap.sys
2010/11/09 15:25:15.0606 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\windows\system32\DRIVERS\vsmraid.sys
2010/11/09 15:25:15.0669 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\windows\system32\DRIVERS\vwifibus.sys
2010/11/09 15:25:15.0747 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\windows\system32\DRIVERS\vwififlt.sys
2010/11/09 15:25:15.0903 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\windows\system32\DRIVERS\wacompen.sys
2010/11/09 15:25:15.0965 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\windows\system32\DRIVERS\wanarp.sys
2010/11/09 15:25:15.0996 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\windows\system32\DRIVERS\wanarp.sys
2010/11/09 15:25:16.0121 Wd (72889e16ff12ba0f235467d6091b17dc) C:\windows\system32\DRIVERS\wd.sys
2010/11/09 15:25:16.0183 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\windows\system32\drivers\Wdf01000.sys
2010/11/09 15:25:16.0402 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\windows\system32\DRIVERS\wfplwf.sys
2010/11/09 15:25:16.0449 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\windows\system32\drivers\wimmount.sys
2010/11/09 15:25:16.0714 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\windows\system32\DRIVERS\wmiacpi.sys
2010/11/09 15:25:17.0010 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\windows\system32\drivers\ws2ifsl.sys
2010/11/09 15:25:17.0322 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\windows\system32\drivers\WudfPf.sys
2010/11/09 15:25:17.0665 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\windows\system32\DRIVERS\WUDFRd.sys
2010/11/09 15:25:17.0853 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/09 15:25:17.0853 ================================================================================
2010/11/09 15:25:17.0853 Scan finished
2010/11/09 15:25:17.0853 ================================================================================
2010/11/09 15:25:17.0884 Detected object count: 1
2010/11/09 15:25:35.0683 \HardDisk0 - will be cured after reboot
2010/11/09 15:25:35.0683 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/09 15:25:40.0769 Deinitialize success

#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:32 PM

Posted 09 November 2010 - 07:36 PM

Hello, Coliflor.

Looks like we got the rootkit. Are you still getting redirects?


Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

The automatic part won't work with Vista or W7. Please backup manually using ERUNT with the following instructions:
  • Please locate the ERUNT icon on the desktop. If it is not there, click Start and type ERUNT into the search box.
  • Right click the ERUNT icon in the desktop or the Start menu, and select Run as Administrator
  • Click OK at the first message box.
  • Ensure the checkboxes for both "system registry" and "current user registry" are checked. Leave the default save location in there.
  • Click OK.
  • Click Yes to create the new folder.
  • You'll get a window saying "registry backup complete" once it's done. Click OK. If you get an error message, please STOP here and let me know. Do not proceed with any additional instructions until you check back with me.



Step 2

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need run an OTL Script
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    :files
    C:\windows\SysWow64\iexplore.sy_
    C:\zip.exe
    C:\cleanup.bat
    :OTL
    DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\yjbydjdr.sys -- (zucpqd)
    DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\fixiwo.sys -- (yxcn)
    DRV:64bit: - File not found [Kernel | Auto | Stopped] -- C:\windows\SysNative\drivers\regi.sys -- (regi)
    DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\vsllakl.sys -- (iyqg)
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4:64bit: - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\windows\SysWow64\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\windows\SysWow64\mctadmin.exe File not found
    O13 - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here.



Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 4

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#8 Coliflor

Coliflor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 09 November 2010 - 08:24 PM

Hello,

This looks very promising.

I am not getting redirected according to Malwarebytes Anti-Malware logs. It is clean since I ran the root killer. IE is smooth. I am able to send email with no problems.

I installed and ran ERUNT as an administrator. It was the same than running it right after installing it. No error message at that moment.

Downloaded and installed OTL. Copied and pasted your script. It took like 5 minutes. Asked for a Reboot. After rebooting. started again and generated a log (pasted below). At that moment a pop up windows with the header "ERU for Windows NT" says "Unable to create file: C:\Windows\ERDNT\AUtoBAckup\11-9-2010\ERDNT.INF" and continues with "Registry backup will continue, but no restore information for the ERDNT program will be saved. This means that later restoration of the registry can only be done manually, by using another OS to copy back the files."

Then, following your advice, I stopped there and did not continue with the second run of OTL for all users until you instructe me to do so.

I have a licensed copy of MBAM, should I do step 3 anyway?

Many many thanks.




First OTL log (and only one so far)
All processes killed
========== FILES ==========
C:\windows\SysWow64\iexplore.sy_ moved successfully.
C:\zip.exe moved successfully.
C:\cleanup.bat moved successfully.
========== OTL ==========
Service zucpqd stopped successfully!
Service zucpqd deleted successfully!
File C:\windows\SysNative\drivers\yjbydjdr.sys not found.
Service yxcn stopped successfully!
Service yxcn deleted successfully!
File C:\windows\SysNative\drivers\fixiwo.sys not found.
Service regi stopped successfully!
Service regi deleted successfully!
File C:\windows\SysNative\drivers\regi.sys not found.
Service iyqg stopped successfully!
Service iyqg deleted successfully!
File C:\windows\SysNative\drivers\vsllakl.sys not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\gopher|:gopher:// /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\gopher|:gopher:// /E : value set successfully!
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Francisco
->Temp folder emptied: 356920947 bytes
->Temporary Internet Files folder emptied: 175402505 bytes
->Java cache emptied: 6253033 bytes
->Flash cache emptied: 24023 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 24576 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4840929 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50132 bytes
RecycleBin emptied: 7049427 bytes

Total Files Cleaned = 525.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 11092010_200508

Files\Folders moved on Reboot...
File\Folder C:\Users\Francisco\AppData\Local\Temp\Low\hsperfdata_Francisco\4072 not found!
C:\Users\Francisco\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y0L97TS1\01[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y0L97TS1\szcc_cdv_secondary_access_msg_home[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XSTKOLLW\embed[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XSTKOLLW\st[2] moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TX8ZSLMV\01[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TX8ZSLMV\ads[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TX8ZSLMV\blankHistory[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TX8ZSLMV\click[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TX8ZSLMV\page__pid__2010779[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NBHS64SW\clk[2].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NBHS64SW\iframe3[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NBHS64SW\strtlneq3[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LGKCY3VS\embed[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LGKCY3VS\st[1] moved successfully.
File\Folder C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L03RHW9Q\8597E8BE-B1C3-11DD-8E46-2F8F1A66B302[1].htm not found!
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L03RHW9Q\getInPage[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ESA04NG8\getInPage[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ESA04NG8\search[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ESA04NG8\search[2].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BYLRD4NO\ads[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A05TQMKY\blank[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A05TQMKY\clk[2].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A05TQMKY\iframe3[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A05TQMKY\search[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A05TQMKY\szcc_cdv_secondary_access_msg_home[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\99V31FX9\mail[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5RY2QUB1\8597E8BE-B1C3-11DD-8E46-2F8F1A66B302[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5RY2QUB1\mail[1].htm moved successfully.
C:\Users\Francisco\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...

#9 Coliflor

Coliflor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 09 November 2010 - 08:33 PM

Hi,

I attempted to close the ERUNT pop up windows and another one emerged saying: "WARNING Error saving file C:\windows\ERDNT\AutoBackup\11-9-2010\BCD! Continue with the next file? [RegCreateKeyEx: 5 - Access is denied]" and offers the option Yes and No. I am not going to touch anything...

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:32 PM

Posted 09 November 2010 - 09:00 PM

Click no for now. If otl rebooted ok, we don't need ERUNT anymore. You can uninstall it.

As for MBAM, just update your copy and run a quick scan.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#11 Coliflor

Coliflor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 11 November 2010 - 06:02 AM

Hi etavares,

The computer is running smooth.

I finished the four steps. OTL for All Users (no reboor required, log pasted below), MBAM fully updated Quick scan (clean, log attached), and EST Online scans (no threats found, no log generated).

After unsuccessfully trying to clean this PC with what I should consider professional help (MBAM support) I am very impressed for how simple it seemed to make the cleaning process works following your directions.

Many many thanks.


OTL for All Users log
OTL logfile created on: 11/10/2010 5:33:34 PM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Francisco\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 287.57 Gb Total Space | 246.12 Gb Free Space | 85.59% Space Free | Partition Type: NTFS

Computer Name: PANCHO | User Name: Francisco | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/09 20:01:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Francisco\Desktop\OTL.exe
PRC - [2010/11/06 18:18:10 | 000,233,936 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
PRC - [2010/10/14 16:54:27 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/04/29 14:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 14:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/03/25 19:07:00 | 000,124,224 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2010/03/25 19:07:00 | 000,083,264 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcupdate.exe
PRC - [2010/03/25 19:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2010/03/17 15:03:08 | 000,252,728 | ---- | M] (TOSHIBA) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
PRC - [2010/03/11 13:06:06 | 000,193,824 | ---- | M] (Protexis Inc.) -- C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2010/02/24 03:54:48 | 002,454,840 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
PRC - [2010/01/28 19:34:01 | 000,103,792 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe
PRC - [2009/12/25 17:21:16 | 000,034,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
PRC - [2009/08/25 15:00:00 | 000,939,328 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe
PRC - [2009/08/25 15:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/08/25 15:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/08/25 15:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/08/24 17:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
PRC - [2007/01/04 18:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/10/22 22:24:02 | 000,620,152 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/11/09 20:01:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Francisco\Desktop\OTL.exe
MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/09/22 17:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2010/04/06 16:53:14 | 000,258,928 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
SRV:64bit: - [2010/03/25 19:07:00 | 000,079,504 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2010/03/15 11:56:20 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/02/23 19:57:42 | 000,835,952 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
SRV:64bit: - [2010/02/05 19:44:48 | 000,137,560 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV:64bit: - [2009/11/06 00:05:28 | 000,489,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV:64bit: - [2009/10/21 11:30:36 | 000,531,520 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\ThpSrv.exe -- (Thpsrv)
SRV:64bit: - [2009/07/28 17:48:06 | 000,140,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/10/14 16:54:27 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/06/25 12:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2010/04/29 14:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/04/09 01:54:44 | 000,332,272 | ---- | M] (Google Inc.) [On_Demand | Stopped] -- C:\ProgramData\Partner\Partner.exe -- (Partner Service)
SRV - [2010/03/25 19:07:00 | 000,180,968 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe -- (McShield)
SRV - [2010/03/25 19:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2010/03/25 19:07:00 | 000,020,792 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe -- (McAfeeEngineService)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/11 13:06:06 | 000,193,824 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2010/01/28 19:34:01 | 000,103,792 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe -- (Norton PC Checkup Application Launcher)
SRV - [2009/12/03 21:30:18 | 000,238,328 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/10/06 11:21:50 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2009/08/25 15:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/08/24 17:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe -- (PCCUJobMgr)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/01/04 18:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\windows\SysNative\65E4.tmp -- (MEMSWEEP2)
DRV:64bit: - [2010/09/22 23:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/06/25 12:07:26 | 000,035,344 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)
DRV:64bit: - [2010/04/29 14:39:28 | 000,024,664 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2010/03/25 19:07:00 | 000,469,400 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2010/03/25 19:07:00 | 000,120,096 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2010/03/25 19:07:00 | 000,097,576 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2010/03/25 19:07:00 | 000,084,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfetdik.sys -- (mfetdik)
DRV:64bit: - [2010/03/25 19:07:00 | 000,078,896 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2010/03/15 12:06:28 | 006,403,072 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atipmdag.sys -- (amdkmdag)
DRV:64bit: - [2010/03/15 11:00:58 | 000,188,928 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010/03/10 20:51:32 | 000,316,464 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010/01/12 16:37:34 | 000,325,152 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/12/02 17:01:24 | 000,213,280 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService)
DRV:64bit: - [2009/11/06 14:56:06 | 001,550,848 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/10/09 21:41:20 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/09/23 12:25:22 | 000,144,496 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\jmcr.sys -- (JMCR)
DRV:64bit: - [2009/07/30 23:02:36 | 000,044,912 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LPCFilter.sys -- (LPCFilter)
DRV:64bit: - [2009/07/30 22:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV:64bit: - [2009/07/14 17:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/29 18:16:20 | 000,014,784 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\Thpevm.sys -- (Thpevm)
DRV:64bit: - [2009/06/29 12:25:22 | 000,034,880 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\thpdrv.sys -- (Thpdrv)
DRV:64bit: - [2009/06/22 19:06:38 | 000,035,008 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PGEffect.sys -- (PGEffect)
DRV:64bit: - [2009/06/19 21:15:22 | 000,014,472 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TVALZFL.sys -- (TVALZFL)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/05 11:00:28 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig?brand=TSNA&bmod=TSNA
IE - HKU\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.cooperativa.cl/
IE - HKU\S-1-5-21-525092100-270286419-1632534797-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll (McAfee, Inc.)
O2:64bit: - BHO: (Partner BHO Class) - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner64.dll (Google Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Partner BHO Class) - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (TOSHIBA Media Controller Plug-in) - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-525092100-270286419-1632534797-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [SmartFaceVWatcher] C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [ThpSrv] C:\windows\SysNative\thpsrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosNC] C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosReelTimeMonitor] C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosWaitSrv] C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
O4 - HKLM..\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe (Toshiba)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe (TOSHIBA)
O4 - HKLM..\Run: [TWebCamera] C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Francisco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\S-1-5-21-525092100-270286419-1632534797-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0
O8:64bit: - Extra context menu item: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/09 20:05:08 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/09 19:57:39 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2010/11/09 19:57:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2010/11/09 19:55:23 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Francisco\Desktop\erunt-setup.exe
[2010/11/09 15:21:45 | 001,330,776 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Francisco\Desktop\boom.exe
[2010/11/07 18:18:48 | 000,000,000 | ---D | C] -- C:\Users\Francisco\Desktop\gmerb
[2010/11/07 17:58:21 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Francisco\Desktop\OTL.exe
[2010/11/06 20:06:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2010/10/30 06:30:55 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark
[2010/10/28 19:08:04 | 000,000,000 | ---D | C] -- C:\windows\Minidump
[2010/10/27 20:37:49 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Roaming\Wireshark
[2010/10/27 20:26:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinPcap
[2010/10/27 06:38:32 | 000,000,000 | -HSD | C] -- C:\DrWeb Quarantine
[2010/10/27 06:38:29 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/10/27 06:20:42 | 000,552,960 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msdri.dll
[2010/10/27 06:20:41 | 000,961,024 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\CPFilters.dll
[2010/10/27 06:20:41 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\CPFilters.dll
[2010/10/27 06:20:40 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\MSNP.ax
[2010/10/27 06:20:40 | 000,258,560 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mpg2splt.ax
[2010/10/27 06:20:40 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\MSNP.ax
[2010/10/27 06:20:40 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mpg2splt.ax
[2010/10/27 06:20:24 | 000,027,008 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\drivers\Diskdump.sys
[2010/10/26 19:01:07 | 000,000,000 | ---D | C] -- C:\Users\Francisco\DoctorWeb
[2010/10/26 19:00:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DrWeb
[2010/10/25 19:48:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/10/25 14:14:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2010/10/24 18:46:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysWow64\drivers\mbamswissarmy.sys
[2010/10/24 18:46:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/10/24 11:56:07 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/10/24 07:40:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Panda Security
[2010/10/23 13:36:16 | 000,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2010/10/23 08:43:37 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/10/23 08:43:36 | 000,000,000 | ---D | C] -- C:\rsit
[2010/10/23 05:09:02 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Roaming\Windows Live Writer
[2010/10/23 05:09:02 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Windows Live Writer
[2010/10/23 04:55:51 | 000,000,000 | ---D | C] -- C:\windows\en
[2010/10/23 04:52:24 | 000,048,488 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\drivers\fssfltr.sys
[2010/10/23 04:52:24 | 000,000,000 | ---D | C] -- C:\windows\SysNative\DRVSTORE
[2010/10/23 04:52:01 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2010/10/23 04:50:27 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\XAudio2_5.dll
[2010/10/23 04:50:27 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\XAPOFX1_3.dll
[2010/10/23 04:50:26 | 000,523,088 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\d3dx10_42.dll
[2010/10/23 04:50:26 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\d3dx10_42.dll
[2010/10/22 21:33:53 | 000,206,848 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mfps.dll
[2010/10/22 21:33:52 | 000,257,024 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mfreadwrite.dll
[2010/10/22 21:33:52 | 000,196,608 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mfreadwrite.dll
[2010/10/22 21:33:51 | 001,888,256 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\WMVDECOD.DLL
[2010/10/22 21:33:51 | 001,619,456 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\WMVDECOD.DLL
[2010/10/22 21:33:50 | 004,068,864 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mf.dll
[2010/10/22 21:33:50 | 003,181,568 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mf.dll
[2010/10/22 21:24:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\UEFI WinFlash
[2010/10/22 20:05:45 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Diagnostics
[2010/10/22 19:03:58 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/10/22 19:03:47 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/10/22 12:26:51 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Windows Live
[2010/10/21 20:00:07 | 000,000,000 | ---D | C] -- C:\QUARANTINE
[2010/10/20 18:03:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2010/10/20 15:03:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2010/10/20 15:03:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Security Scan
[2010/10/19 17:46:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Pivot Stickfigure Animator
[2010/10/18 16:01:00 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Unity
[2010/10/17 15:05:07 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Roaming\Malwarebytes
[2010/10/17 15:05:00 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2010/10/17 15:05:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/10/17 14:31:59 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\ElevatedDiagnostics
[2010/10/14 17:37:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio
[2010/10/14 17:33:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 8
[2010/10/14 17:26:42 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Amos 18.0
[2010/10/14 17:21:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SPSSInc
[2010/10/14 17:18:21 | 000,000,000 | ---D | C] -- C:\Users\Francisco\.spss
[2010/10/14 17:16:44 | 000,000,000 | ---D | C] -- C:\Users\Francisco\Documents\SafeNet Sentinel
[2010/10/14 17:12:44 | 000,000,000 | ---D | C] -- C:\ProgramData\SafeNet Sentinel
[2010/10/14 17:08:12 | 000,000,000 | ---D | C] -- C:\ProgramData\SPSS
[2010/10/14 17:08:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SPSS
[2010/10/14 17:06:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SPSSInc
[2010/10/14 17:04:16 | 000,000,000 | ---D | C] -- C:\Program Files\SPSSInc
[2010/10/14 16:56:30 | 000,000,000 | ---D | C] -- C:\Users\Francisco\Documents\Updater5
[2010/10/14 16:54:29 | 000,000,000 | ---D | C] -- C:\ProgramData\FLEXnet
[2010/10/14 16:54:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Macrovision Shared
[2010/10/14 16:54:20 | 000,033,368 | R--- | C] (Adobe Systems Incorporated.) -- C:\windows\SysWow64\AdobePDF.dll
[2010/10/14 16:37:09 | 000,000,000 | ---D | C] -- C:\windows\SysWow64\spool
[2010/10/14 16:32:41 | 000,033,368 | R--- | C] (Adobe Systems Incorporated.) -- C:\Users\Francisco\Desktop\AdobePDF.dll
[2010/10/14 13:16:03 | 000,148,992 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\t2embed.dll
[2010/10/14 13:16:03 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\t2embed.dll
[2010/10/14 13:16:01 | 002,085,376 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ole32.dll
[2010/10/14 13:15:59 | 000,483,840 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\StructuredQuery.dll
[2010/10/14 13:15:56 | 000,633,856 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\comctl32.dll
[2010/10/14 13:15:53 | 001,024,512 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wmpmde.dll
[2010/10/14 13:15:53 | 000,738,816 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wmpmde.dll
[2010/10/14 13:15:52 | 000,954,752 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mfc40.dll
[2010/10/14 13:15:51 | 000,954,288 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mfc40u.dll
[2010/10/14 13:15:44 | 000,702,976 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msfeeds.dll
[2010/10/14 13:15:44 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\msfeeds.dll
[2010/10/14 13:15:43 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\licmgr10.dll
[2010/10/14 13:15:43 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\licmgr10.dll
[2010/10/14 13:15:42 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mshtmled.dll
[2010/10/14 13:15:40 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\iepeers.dll
[2010/10/14 13:15:40 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieui.dll
[2010/10/14 13:15:40 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\iepeers.dll
[2010/10/14 13:15:40 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieui.dll
[2010/10/14 13:15:40 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmled.dll
[2010/10/14 13:15:38 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\html.iec
[2010/10/14 13:15:38 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\html.iec
[2010/10/14 13:15:38 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\msfeedssync.exe
[2010/10/14 13:15:38 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msfeedssync.exe
[2010/10/14 13:15:33 | 014,627,840 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wmp.dll
[2010/10/14 13:15:32 | 011,406,848 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wmp.dll
[2010/10/14 13:15:29 | 012,625,408 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wmploc.DLL
[2010/10/14 13:15:28 | 012,625,920 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wmploc.DLL
[2010/10/14 13:15:26 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\sscore.dll
[2010/10/13 19:26:38 | 000,000,000 | ---D | C] -- C:\Users\Francisco\AppData\Local\Microsoft Help
[2010/10/12 06:05:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSXML 4.0

========== Files - Modified Within 30 Days ==========

[2010/11/10 17:35:43 | 000,000,900 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/10 17:27:54 | 000,000,904 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/10 17:27:25 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2010/11/09 20:17:07 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/09 20:17:07 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/11/09 20:14:43 | 000,726,316 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2010/11/09 20:14:43 | 000,624,178 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2010/11/09 20:14:43 | 000,106,522 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2010/11/09 20:09:26 | 3016,503,296 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/09 20:01:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Francisco\Desktop\OTL.exe
[2010/11/09 19:57:08 | 000,001,115 | ---- | M] () -- C:\Users\Francisco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/09 19:57:02 | 000,000,940 | ---- | M] () -- C:\Users\Francisco\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010/11/09 19:57:02 | 000,000,935 | ---- | M] () -- C:\Users\Francisco\Desktop\NTREGOPT.lnk
[2010/11/09 19:55:39 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\Francisco\Desktop\erunt-setup.exe
[2010/11/09 15:22:06 | 001,330,776 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Francisco\Desktop\boom.exe
[2010/11/07 19:12:27 | 000,034,888 | ---- | M] () -- C:\Users\Francisco\Documents\Reply to bleeping computer 11 7.docx
[2010/11/07 18:41:25 | 000,167,989 | ---- | M] () -- C:\Users\Francisco\Desktop\GMER screen.docx
[2010/11/07 18:18:31 | 000,287,041 | ---- | M] () -- C:\Users\Francisco\Desktop\gmer.zip
[2010/11/07 18:08:47 | 000,050,477 | ---- | M] () -- C:\Users\Francisco\Desktop\Defogger.exe
[2010/11/06 20:12:36 | 000,002,266 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/11/06 20:12:36 | 000,002,250 | ---- | M] () -- C:\Users\Francisco\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/06 20:11:52 | 000,002,295 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/10/30 09:56:00 | 000,000,000 | ---- | M] () -- C:\Users\Francisco\defogger_reenable
[2010/10/30 06:33:42 | 000,049,098 | ---- | M] () -- C:\Users\Francisco\Documents\New Shark.pcap
[2010/10/30 06:31:22 | 000,001,565 | ---- | M] () -- C:\Users\Public\Desktop\Wireshark.lnk
[2010/10/28 19:07:58 | 364,755,659 | ---- | M] () -- C:\windows\MEMORY.DMP
[2010/10/27 21:13:27 | 000,080,412 | ---- | M] () -- C:\Users\Francisco\Documents\Cif-vill.pcap
[2010/10/24 18:46:59 | 000,001,020 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/22 18:55:28 | 000,364,032 | ---- | M] () -- C:\Users\Francisco\Desktop\rkill.exe
[2010/10/19 06:14:14 | 000,000,162 | -H-- | M] () -- C:\Users\Francisco\Documents\~$ancisco Cifuentes.docx
[2010/10/19 06:11:01 | 000,011,084 | ---- | M] () -- C:\Users\Francisco\Documents\Francisco Cifuentes.docx
[2010/10/16 11:13:30 | 000,430,080 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
[2010/10/14 17:32:09 | 000,000,114 | ---- | M] () -- C:\windows\SysWow64\prsgrc.tgz
[2010/10/14 17:32:08 | 000,000,100 | ---- | M] () -- C:\windows\SysWow64\prsgrc.dll
[2010/10/14 17:32:08 | 000,000,014 | ---- | M] () -- C:\windows\SysWow64\ssprs.tgz
[2010/10/14 17:24:32 | 000,001,024 | ---- | M] () -- C:\windows\SysWow64\grcauth2.dll
[2010/10/14 17:24:32 | 000,001,024 | ---- | M] () -- C:\windows\SysWow64\grcauth1.dll
[2010/10/14 17:24:01 | 000,001,024 | ---- | M] () -- C:\windows\SysWow64\clauth2.dll
[2010/10/14 17:24:01 | 000,001,024 | ---- | M] () -- C:\windows\SysWow64\clauth1.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\ssprs.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\serauth2.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\serauth1.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\nsprs.tgz
[2010/10/14 17:24:01 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\nsprs.dll
[2010/10/14 17:21:14 | 000,000,219 | ---- | M] () -- C:\windows\SysWow64\lsprst7.tgz
[2010/10/14 17:21:14 | 000,000,205 | ---- | M] () -- C:\windows\SysWow64\lsprst7.dll
[2010/10/14 17:21:14 | 000,000,016 | -H-- | M] () -- C:\windows\SysWow64\servdat.slm
[2010/10/14 17:20:31 | 000,000,000 | ---- | M] () -- C:\law.sp
[2010/10/14 17:04:06 | 000,001,025 | ---- | M] () -- C:\windows\SysWow64\sysprs7.tgz
[2010/10/14 17:04:06 | 000,001,025 | ---- | M] () -- C:\windows\SysWow64\sysprs7.dll
[2010/10/14 16:53:53 | 000,002,102 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
[2010/10/14 16:53:53 | 000,002,032 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/10/14 16:53:52 | 000,002,459 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/10/13 20:09:44 | 000,011,232 | ---- | M] () -- C:\Users\Francisco\Documents\5The paper clip becomes magnetized when stroked with a magnet because the domains in the magnet are lined up.docx

========== Files Created - No Company Name ==========

[2010/11/09 19:57:08 | 000,001,115 | ---- | C] () -- C:\Users\Francisco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/09 19:57:02 | 000,000,940 | ---- | C] () -- C:\Users\Francisco\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010/11/09 19:57:02 | 000,000,935 | ---- | C] () -- C:\Users\Francisco\Desktop\NTREGOPT.lnk
[2010/11/07 19:12:27 | 000,034,888 | ---- | C] () -- C:\Users\Francisco\Documents\Reply to bleeping computer 11 7.docx
[2010/11/07 18:41:24 | 000,167,989 | ---- | C] () -- C:\Users\Francisco\Desktop\GMER screen.docx
[2010/11/07 18:18:24 | 000,287,041 | ---- | C] () -- C:\Users\Francisco\Desktop\gmer.zip
[2010/11/07 18:08:45 | 000,050,477 | ---- | C] () -- C:\Users\Francisco\Desktop\Defogger.exe
[2010/11/06 20:12:36 | 000,002,266 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/11/06 20:12:36 | 000,002,250 | ---- | C] () -- C:\Users\Francisco\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/06 20:11:52 | 000,002,295 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/11/06 20:07:06 | 000,000,904 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/06 20:07:05 | 000,000,900 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/10/30 09:56:00 | 000,000,000 | ---- | C] () -- C:\Users\Francisco\defogger_reenable
[2010/10/30 06:33:42 | 000,049,098 | ---- | C] () -- C:\Users\Francisco\Documents\New Shark.pcap
[2010/10/30 06:31:22 | 000,001,565 | ---- | C] () -- C:\Users\Public\Desktop\Wireshark.lnk
[2010/10/28 19:07:58 | 364,755,659 | ---- | C] () -- C:\windows\MEMORY.DMP
[2010/10/27 21:13:27 | 000,080,412 | ---- | C] () -- C:\Users\Francisco\Documents\Cif-vill.pcap
[2010/10/24 18:46:59 | 000,001,020 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/22 20:46:32 | 000,364,032 | ---- | C] () -- C:\Users\Francisco\Desktop\rkill.exe
[2010/10/19 06:14:14 | 000,000,162 | -H-- | C] () -- C:\Users\Francisco\Documents\~$ancisco Cifuentes.docx
[2010/10/19 06:11:00 | 000,011,084 | ---- | C] () -- C:\Users\Francisco\Documents\Francisco Cifuentes.docx
[2010/10/14 17:24:32 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\grcauth2.dll
[2010/10/14 17:24:32 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\grcauth1.dll
[2010/10/14 17:24:32 | 000,000,114 | ---- | C] () -- C:\windows\SysWow64\prsgrc.tgz
[2010/10/14 17:24:32 | 000,000,100 | ---- | C] () -- C:\windows\SysWow64\prsgrc.dll
[2010/10/14 17:24:01 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\clauth2.dll
[2010/10/14 17:24:01 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\clauth1.dll
[2010/10/14 17:24:01 | 000,000,014 | ---- | C] () -- C:\windows\SysWow64\ssprs.tgz
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\ssprs.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\serauth2.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\serauth1.dll
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\nsprs.tgz
[2010/10/14 17:24:01 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\nsprs.dll
[2010/10/14 17:20:31 | 000,000,000 | ---- | C] () -- C:\law.sp
[2010/10/14 17:04:06 | 000,001,025 | ---- | C] () -- C:\windows\SysWow64\sysprs7.tgz
[2010/10/14 17:04:06 | 000,001,025 | ---- | C] () -- C:\windows\SysWow64\sysprs7.dll
[2010/10/14 17:04:06 | 000,000,219 | ---- | C] () -- C:\windows\SysWow64\lsprst7.tgz
[2010/10/14 17:04:06 | 000,000,205 | ---- | C] () -- C:\windows\SysWow64\lsprst7.dll
[2010/10/14 17:04:06 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\servdat.slm
[2010/10/14 16:44:57 | 000,002,459 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/10/14 16:44:57 | 000,002,102 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
[2010/10/14 16:44:57 | 000,002,032 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/10/13 20:09:43 | 000,011,232 | ---- | C] () -- C:\Users\Francisco\Documents\5The paper clip becomes magnetized when stroked with a magnet because the domains in the magnet are lined up.docx
[2010/10/05 18:18:42 | 000,000,426 | ---- | C] () -- C:\windows\BRWMARK.INI
[2010/06/25 12:03:12 | 000,053,299 | ---- | C] () -- C:\windows\SysWow64\pthreadVC.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/04/28 06:37:00 | 000,028,672 | ---- | C] () -- C:\windows\SysWow64\SPCtl.dll
[2005/01/17 06:10:16 | 000,045,056 | ---- | C] () -- C:\windows\SysWow64\BRTCPCON.DLL
[2004/08/09 06:00:42 | 000,000,114 | ---- | C] () -- C:\windows\SysWow64\BRLMW03A.INI

========== Custom Scans ==========


< :files >

< C:\windows\SysWow64\iexplore.sy_ >

< C:\zip.exe >

< C:\cleanup.bat >

< :OTL >

< DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\yjbydjdr.sys -- (zucpqd) >

< DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\fixiwo.sys -- (yxcn) >

< DRV:64bit: - File not found [Kernel | Auto | Stopped] -- C:\windows\SysNative\drivers\regi.sys -- (regi) >

< DRV:64bit: - File not found [Kernel | Boot | Stopped] -- C:\windows\SysNative\drivers\vsllakl.sys -- (iyqg) >

< O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. >

< O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. >

< O4:64bit: - HKLM..\Run: [] File not found >

< O4 - HKLM..\Run: [] File not found >

< O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\windows\SysWow64\mctadmin.exe File not found >

< O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\windows\SysWow64\mctadmin.exe File not found >

< O13 - gopher Prefix: missing >

< O13 - gopher Prefix: missing >

< O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.) >
Invalid Switch: OnlineScanner.cab (Reg Error: Key error.)


< O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. >

< O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. >

< :Commands >

< [EmptyTemp] >

< >

< End of report >



MBAM log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5092

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/10/2010 5:48:27 PM
mbam-log-2010-11-10 (17-48-27).txt

Scan type: Quick scan
Objects scanned: 145514
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:32 PM

Posted 11 November 2010 - 07:02 PM

Hello, Coliflor.

MBAM support is usually very helpful and resolves problems all the time in their forums as well. I'm sorry they weren't able to help, but thanks for appreciating our help here.


Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well; please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 22 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 22 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586-p.exe to install the newest version.



Step 2

Your Adobe Reader software is out of date and has known security holes. Please launch it, go to Help --> Check for Updates and let it update the main program if needed. Updates the languages and/or dictionaries is optional.



Step 3

Uninstall ComboFix and Clean Up
Click Start > Run and type combofix /Uninstall click OK (Note the space between combofix and /Uninstall) See below:
Posted Image
Please advise if this step is missed for any reason as it performs some important actions.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • If that link doesn't work, try this one.
  • Double click Posted Imageicon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program isMalwarebytes Anti-Malware. You can download the free version..

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 Coliflor

Coliflor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 11 November 2010 - 08:33 PM

I did what you instructed. The only issue was that it could not find Combofix. I did the "Combofix /Uninstall" and there was a message saying that it could not find Combofix. I checked the spelling and was correct.
I installed Hostman and will chack later about how to improve performance.

Thanks so much. This has been very amazing. The PC is like new again.

Best.

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:32 PM

Posted 13 November 2010 - 07:06 AM

Glad to hear it's working well again. Please download combofix again and save it to your desktop as uninstall.exe then double-click to run it.

Here's the links to CF:


Did that work to uninstall it?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#15 Coliflor

Coliflor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 13 November 2010 - 08:39 AM

Hi etavares,

I saved it as Uninstall.exe and run it. After a while I obtained a "Win32 only" message in many languages saying "Incompatible OS. Combofix only works for workstations with Windows 2000 and XP"

I do not know whether Combofix was ever (properlly) installed. I cannot locate it in the Unistall or Change a Program list.

Thanks,




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users