Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware Protection fake


  • This topic is locked This topic is locked
16 replies to this topic

#1 cathyb9

cathyb9

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 06 February 2011 - 07:41 PM

As requested, I'm reposting this query with logs.

My computer was infected with a fake antispyware scam virus Spyware Protection, probably from an infected link. I may have removed it, but how can I ensure the computer is clean?

Symptoms were that the program Spyware Protection appeared in the Start menu, along with an icon on the windows 7 toolbar from which pop ups emerged telling me that several programs were infected with a virus, and that to get rid of it I had to register Spyware Protection.

I downloaded Malware Bytes. It was blocked from downloading and installing until I renamed the install file and then ran it. It then installed. I tried then to run the program, but it was blocked. I renamed the program itself, and then it ran.

It found Rogue.SecurityCentral in a file called defender.exe and as a registry value as
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spyware Protection

What steps should I now take to ensure the system is clean?

System: Windows 7 64-bit Home Premium 6.1.7600
Antispy/Antivirus/Firewall: Kaspersky Pure 9.0.0.192
Laptop Model Toshiba Satellite A500

Thanks for your help!

DDS log follows. Because this is a Windows 7 64-bit system, GMER doesn't work.


DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Catherine at 11:25:45.07 on Mon 07/02/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.4061.2675 [GMT 11:00]

AV: Kaspersky PURE *Enabled/Updated* {AE1D740B-8F0F-D137-211D-873D44B3F4AE}
SP: Kaspersky PURE *Enabled/Updated* {157C95EF-A935-DEB9-1BAD-BC4F3F34BE13}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky PURE *Enabled* {9626F52E-C560-D06F-0A42-2E08BA60B3D5}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\windows\system32\Dwm.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\ThpSrv.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\HDMICtrlMan\HCMSoundChanger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\ehome\ehRecvr.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTime.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Users\Catherine\Downloads\dds.scr
C:\windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP
mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [TUSBSleepChargeSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [TRCMan] C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe
mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll, C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll
BHO-X64: link filter bho - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
mRun-x64: [(Default)]
mRun-x64: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun-x64: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun-x64: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun-x64: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [ThpSrv] C:\windows\system32\thpsrv /logon
mRun-x64: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun-x64: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun-x64: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
mRun-x64: [HDMICtrlMan] %ProgramFiles%\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe
mRun-x64: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
mRun-x64: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
mRun-x64: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AppInit_DLLs-X64: C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll,C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\CATHER~1\AppData\Roaming\Mozilla\Firefox\Profiles\bvyi15r2.default\
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

============= SERVICES / DRIVERS ===============

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;C:\Windows\System32\drivers\CSCrySec.sys [2010-12-28 85048]
R0 KLBG;Kaspersky Lab Boot Guard Driver;C:\Windows\System32\drivers\klbg.sys [2009-10-14 40464]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\Windows\System32\drivers\thpdrv.sys [2009-6-30 34880]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\Windows\System32\drivers\Thpevm.sys [2009-6-30 14784]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2010-12-16 482384]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;C:\Windows\System32\drivers\CSVirtualDiskDrv.sys [2010-12-28 66104]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2009-9-14 27152]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AVP;Kaspersky PURE;C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe [2009-12-25 340456]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-7-18 181616]
R2 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2009-7-15 42368]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-11 46448]
R2 CSObjectsSrv;CryptoStorage control service;C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2009-8-11 258928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\Windows\System32\drivers\TVALZFL.sys [2009-6-20 14472]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-30 70656]
R3 enecirhid;ENE CIR HID Receiver;C:\Windows\System32\drivers\enecirhid.sys [2009-5-20 14848]
R3 enecirhidma;ENE CIR HIDmini Filter;C:\Windows\System32\drivers\enecirhidma.sys [2008-4-25 6656]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\System32\drivers\klmouflt.sys [2009-10-2 21008]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2010-12-28 86120]
R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2010-12-16 35008]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-12-16 215040]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-12-16 51576]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-8-4 137560]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2009-8-5 826224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-28 135664]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-12-28 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2009-8-1 140712]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2009-5-15 5435904]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-28 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

=============== Created Last 30 ================

2011-02-04 21:19:57 7844688 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{9A00B7BD-E58E-4F81-8AB1-A4EEE19913BA}\mpengine.dll
2011-02-04 21:08:15 48648 ----a-w- C:\PROGRA~3\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2011-02-04 21:08:11 336192 ----a-w- C:\PROGRA~3\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-02-04 07:38:09 -------- d-----w- C:\Users\CATHER~1\AppData\Roaming\Malwarebytes
2011-02-04 07:38:01 38224 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-04 07:38:00 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-04 07:37:57 24152 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-02-04 07:37:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-02-03 03:32:45 -------- d-----w- C:\Program Files\iTunes
2011-02-03 03:32:45 -------- d-----w- C:\Program Files\iPod
2011-02-03 03:32:45 -------- d-----w- C:\Program Files (x86)\iTunes
2011-01-27 10:59:49 720896 ----a-w- C:\windows\System32\odbc32.dll
2011-01-27 10:59:49 573440 ----a-w- C:\windows\SysWow64\odbc32.dll
2011-01-27 10:59:49 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2011-01-27 10:59:48 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2011-01-27 10:59:48 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2011-01-27 10:59:48 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2011-01-27 10:59:48 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2011-01-27 10:59:48 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2011-01-27 10:59:48 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2011-01-27 10:59:48 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll

==================== Find3M ====================

2010-11-29 06:38:30 94208 ----a-w- C:\windows\SysWow64\QuickTimeVR.qtx
2010-11-29 06:38:30 69632 ----a-w- C:\windows\SysWow64\QuickTime.qts

============= FINISH: 11:26:59.25 ===============

Attached Files


Edited by cathyb9, 06 February 2011 - 07:42 PM.


BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 10 February 2011 - 06:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


In your reply, please post both OTL logs.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 cathyb9

cathyb9
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 10 February 2011 - 07:13 PM

Here is my description of the problem again

My computer was infected with a fake antispyware scam virus Spyware Protection, probably from an infected link. I may have removed it, but how can I ensure the computer is clean?

Symptoms were that the program Spyware Protection appeared in the Start menu, along with an icon on the windows 7 toolbar from which pop ups emerged telling me that several programs were infected with a virus, and that to get rid of it I had to register Spyware Protection.

I downloaded Malware Bytes. It was blocked from downloading and installing until I renamed the install file and then ran it. It then installed. I tried then to run the program, but it was blocked. I renamed the program itself, and then it ran.

It found Rogue.SecurityCentral in a file called defender.exe and as a registry value as
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spyware Protection

What steps should I now take to ensure the system is clean?

System: Windows 7 64-bit Home Premium 6.1.7600
Antispy/Antivirus/Firewall: Kaspersky Pure 9.0.0.192
Laptop Model Toshiba Satellite A500


Since then, I am being alerted that the disk needs checking, which I scheduled to do on reboot. I restart, I get the notification that the disk needs to be checked, and if I want to abandon the check I need to press any key within 10 seconds. However, after the countdown, the computer freezes and there is no indication that the disk check is running at all. The screen either freezes with the countdown at zero. I have left the laptop for over 24 hours, and when I come back the screen will be black and blank.

I had the hard drive of the machine replaced in mid-December under warranty. The new hard drive is still under warranty until mid-March. It might be that this new disk is failing as well and I will have to get it replaced. Luckily everything pretty much is backed up.

So there are two issues: 1. the infection with Spyware Protection; and 2. the potential that the new replacement hard drive is failing. I hope this hasn't confused anything. Please let me know what more information I need to provide.

both OTL files follow


OTL logfile created on: 2/11/2011 10:41:54 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Catherine\Downloads
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 64.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 453.41 Gb Total Space | 243.08 Gb Free Space | 53.61% Space Free | Partition Type: NTFS
Drive F: | 1863.01 Gb Total Space | 643.86 Gb Free Space | 34.56% Space Free | Partition Type: NTFS
Drive H: | 7.45 Gb Total Space | 7.37 Gb Free Space | 99.01% Space Free | Partition Type: FAT32

Computer Name: CATHERINE-PC | User Name: Catherine | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/11 10:33:52 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Catherine\Downloads\OTL(2).exe
PRC - [2011/02/08 21:20:02 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
PRC - [2011/01/05 11:59:50 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/12/16 05:30:48 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/12/25 16:43:40 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
PRC - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) -- C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
PRC - [2009/08/12 06:37:50 | 002,446,648 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
PRC - [2009/07/30 11:42:06 | 000,705,880 | ---- | M] (TOSHIBA Corporation.) -- C:\Program Files\TOSHIBA\HDMICtrlMan\HCMSoundChanger.exe
PRC - [2009/07/29 15:26:42 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
PRC - [2009/07/22 16:40:40 | 000,083,336 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
PRC - [2009/07/22 06:43:44 | 000,701,752 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe
PRC - [2009/07/18 14:52:38 | 000,181,616 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
PRC - [2009/07/15 14:10:30 | 000,042,368 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
PRC - [2009/07/14 10:24:00 | 000,304,496 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2009/03/11 13:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2009/02/21 04:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2009/01/14 16:33:40 | 000,034,088 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe


========== Modules (SafeList) ==========

MOD - [2011/02/11 10:33:52 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Catherine\Downloads\OTL(2).exe
MOD - [2010/08/21 16:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/08/11 06:00:50 | 000,258,928 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
SRV:64bit: - [2009/08/06 09:20:12 | 000,488,800 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV:64bit: - [2009/08/05 06:15:06 | 000,826,224 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
SRV:64bit: - [2009/08/04 13:17:56 | 000,137,560 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV:64bit: - [2009/07/29 10:48:06 | 000,140,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
SRV:64bit: - [2009/07/14 12:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/09 04:41:02 | 000,531,520 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\ThpSrv.exe -- (Thpsrv)
SRV - [2011/01/05 11:59:50 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/07/01 10:59:02 | 000,051,576 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/25 16:43:40 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe -- (AVP)
SRV - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) [Auto | Running] -- C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -- (CSObjectsSrv)
SRV - [2009/07/31 00:20:36 | 000,192,368 | ---- | M] (TOSHIBA CORPORATION) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2009/07/18 14:52:38 | 000,181,616 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe -- (cfWiMAXService)
SRV - [2009/07/15 14:10:30 | 000,042,368 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe -- (ConfigFree Gadget Service)
SRV - [2009/06/11 08:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/05/23 05:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/03/11 13:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2009/02/21 04:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/12/28 00:56:44 | 000,353,296 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\SysNative\drivers\klif.sys -- (KLIF)
DRV:64bit: - [2010/09/23 00:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/01/29 01:25:02 | 000,086,120 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2010/01/13 16:37:18 | 007,675,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64) Intel®
DRV:64bit: - [2009/12/14 12:44:24 | 000,085,048 | ---- | M] (Infowatch) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\CSCrySec.sys -- (CSCrySec)
DRV:64bit: - [2009/12/14 12:44:24 | 000,066,104 | ---- | M] (Infowatch) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\CSVirtualDiskDrv.sys -- (CSVirtualDiskDrv)
DRV:64bit: - [2009/10/14 20:18:38 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\klbg.sys -- (KLBG)
DRV:64bit: - [2009/10/10 13:41:20 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/10/02 18:39:32 | 000,021,008 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\klmouflt.sys -- (klmouflt)
DRV:64bit: - [2009/09/14 13:46:42 | 000,027,152 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\klim6.sys -- (KLIM6)
DRV:64bit: - [2009/09/01 14:29:56 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\kl1.sys -- (kl1)
DRV:64bit: - [2009/08/18 07:15:44 | 000,286,768 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/08/01 20:13:00 | 000,140,712 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\jmcr.sys -- (JMCR)
DRV:64bit: - [2009/07/31 15:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV:64bit: - [2009/07/25 10:57:08 | 000,482,384 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tos_sps64.sys -- (tos_sps64)
DRV:64bit: - [2009/07/15 10:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
DRV:64bit: - [2009/07/14 17:12:36 | 000,019,824 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tosrfec.sys -- (tosrfec)
DRV:64bit: - [2009/07/14 12:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 12:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 12:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 12:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 12:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 12:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/03 09:55:38 | 000,044,912 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LPCFilter.sys -- (LPCFilter)
DRV:64bit: - [2009/06/30 11:16:20 | 000,014,784 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\Thpevm.sys -- (Thpevm)
DRV:64bit: - [2009/06/30 05:25:22 | 000,034,880 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\thpdrv.sys -- (Thpdrv)
DRV:64bit: - [2009/06/30 05:17:00 | 000,070,656 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\enecir.sys -- (enecir)
DRV:64bit: - [2009/06/23 12:06:38 | 000,035,008 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PGEffect.sys -- (PGEffect)
DRV:64bit: - [2009/06/20 14:15:22 | 000,014,472 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TVALZFL.sys -- (TVALZFL)
DRV:64bit: - [2009/06/12 08:08:42 | 000,961,536 | ---- | M] (DiBcom) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dvb7700all.sys -- (mod7700)
DRV:64bit: - [2009/06/11 08:01:06 | 001,146,880 | ---- | M] (LSI Corp) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2009/06/11 07:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/11 07:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/11 07:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/11 07:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/11 07:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/05 13:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/05/23 17:52:30 | 000,215,040 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/05/20 16:59:00 | 000,014,848 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\enecirhid.sys -- (enecirhid)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/15 03:51:40 | 005,435,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NETw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2008/04/25 13:16:00 | 000,006,656 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\enecirhidma.sys -- (enecirhidma)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
IE - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
IE - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.192
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.2
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/02/08 21:20:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/02/08 21:20:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/02/08 21:20:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\THBExt [2010/12/28 00:57:12 | 000,000,000 | ---D | M]

[2010/12/28 00:32:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Catherine\AppData\Roaming\Mozilla\Extensions
[2010/12/28 00:32:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Catherine\AppData\Roaming\Mozilla\Firefox\Profiles\bvyi15r2.default\extensions
[2010/12/28 00:57:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/12/28 00:57:34 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2011/02/08 21:20:41 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2010/12/04 04:47:02 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/12/04 04:47:02 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/12/04 04:47:02 | 000,000,769 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/12/04 04:47:02 | 000,001,135 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/11 08:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ievkbd.dll (Kaspersky Lab)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll (Google Inc.)
O2:64bit: - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (@C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3:64bit: - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [] File not found
O4:64bit: - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [HDMICtrlMan] C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe (TOSHIBA Corporation.)
O4:64bit: - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [SmartFaceVWatcher] C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [ThpSrv] C:\windows\SysNative\thpsrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosNC] C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosReelTimeMonitor] C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosWaitSrv] C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [AVP] C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TRCMan] C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TUSBSleepChargeSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe (TOSHIBA)
O4 - HKLM..\Run: [TWebCamera] C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-131579768-3436045231-3897373272-1004..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-21-131579768-3436045231-3897373272-1004..\RunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil10l_Plugin.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm ()
O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O9:64bit: - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O9:64bit: - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\kloehk.dll (Kaspersky Lab)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\sbhook64.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\sbhook.dll (Kaspersky Lab)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\klogon: DllName - Reg Error: Key error. - C:\Windows\SysNative\klogon.dll (Kaspersky Lab)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/29 16:52:30 | 000,000,035 | ---- | M] () - F:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*



Drivers32:64bit: aux - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi2 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi3 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi4 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midimapper - midimap.dll (Microsoft Corporation)
Drivers32:64bit: mixer - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer2 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer3 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: mixer4 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: msacm.imaadpcm - imaadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: msacm.msadpcm - msadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msg711 - msg711.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msgsm610 - msgsm32.acm (Microsoft Corporation)
Drivers32:64bit: MSVideo8 - VfWWDM32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.i420 - iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.IYUV - iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.mrle - msrle32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.msvc - msvidc32.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.UYVY - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YUY2 - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YVU9 - tsbyuv.dll (Microsoft Corporation)
Drivers32:64bit: VIDC.YVYU - msyuv.dll (Microsoft Corporation)
Drivers32:64bit: wave - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave1 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave2 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave3 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wave4 - wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wavemapper - msacm32.drv (Microsoft Corporation)
Drivers32: aux - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi2 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi3 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midi4 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\windows\SysWow64\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer2 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer3 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer4 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.dvacm - C:\Program Files (x86)\Common Files\Ulead Systems\vio\DVACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.imaadpcm - C:\windows\SysWow64\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.mpegacm - C:\Program Files (x86)\Common Files\Ulead Systems\MPEG\MPEGACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.msadpcm - C:\windows\SysWow64\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\windows\SysWow64\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\windows\SysWow64\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\windows\SysWow64\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.ulmp3acm - C:\Program Files (x86)\Common Files\Ulead Systems\MPEG\ulmp3acm.acm (Ulead systems)
Drivers32: vidc.cvid - C:\windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: vidc.i420 - C:\windows\SysWow64\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.iyuv - C:\windows\SysWow64\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\windows\SysWow64\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\windows\SysWow64\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\windows\SysWow64\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\windows\SysWow64\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave2 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave3 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wave4 - C:\windows\SysWow64\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\windows\SysWow64\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/02/08 21:20:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\xing shared
[2011/02/08 21:20:03 | 000,272,896 | ---- | C] (Progressive Networks) -- C:\windows\SysWow64\pncrt.dll
[2011/02/08 21:20:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Real
[2011/02/08 21:19:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Real
[2011/02/08 21:19:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Real
[2011/02/08 21:12:55 | 000,000,000 | ---D | C] -- C:\Users\Catherine\AppData\Roaming\Real
[2011/02/07 11:33:06 | 000,000,000 | ---D | C] -- C:\Users\Catherine\AppData\Local\Diagnostics
[2011/02/04 18:38:09 | 000,000,000 | ---D | C] -- C:\Users\Catherine\AppData\Roaming\Malwarebytes
[2011/02/04 18:38:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysWow64\drivers\mbamswissarmy.sys
[2011/02/04 18:38:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/04 18:38:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/02/04 18:37:57 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2011/02/04 18:37:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/02/04 18:34:21 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Catherine\Desktop\iexplore.exe
[2011/02/04 18:03:50 | 000,466,201 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Catherine\Desktop\mbam-setup-1.50.1.1100.exe
[2011/02/03 16:33:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2011/02/03 14:33:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/02/03 14:32:45 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/02/03 14:32:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2011/02/03 14:32:45 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

========== Files - Modified Within 30 Days ==========

[2011/02/11 10:40:01 | 000,000,898 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/11 09:55:14 | 000,861,900 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2011/02/11 09:55:14 | 000,725,178 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2011/02/11 09:55:14 | 000,147,018 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2011/02/11 09:50:42 | 000,167,308 | ---- | M] () -- C:\Users\Catherine\Desktop\lime basket.JPG
[2011/02/11 09:50:42 | 000,008,504 | ---- | M] () -- C:\Users\Catherine\.recently-used.xbel
[2011/02/11 09:41:00 | 000,646,498 | R--- | M] () -- C:\Users\Catherine\Desktop\lime basket 005.JPG
[2011/02/11 06:29:54 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/02/11 01:40:01 | 000,000,894 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/11 01:29:07 | 000,016,278 | ---- | M] () -- C:\Users\Catherine\Documents\In fqtoxicity.docx
[2011/02/11 01:22:47 | 000,010,702 | ---- | M] () -- C:\Users\Catherine\Documents\zoe speach.docx
[2011/02/10 23:33:44 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/10 23:33:44 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/10 03:24:46 | 000,440,488 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
[2011/02/10 03:24:14 | 3193,593,856 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/09 09:53:05 | 000,011,095 | ---- | M] () -- C:\Users\Catherine\Documents\saffi pseudomonas letter.docx
[2011/02/08 21:20:47 | 000,001,959 | ---- | M] () -- C:\Users\Public\Desktop\Free Movies & Games.lnk
[2011/02/08 21:20:46 | 000,001,275 | ---- | M] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2011/02/08 21:20:03 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\windows\SysWow64\pncrt.dll
[2011/02/07 11:34:12 | 000,003,575 | ---- | M] () -- C:\Users\Catherine\Desktop\Attach.zip
[2011/02/07 11:25:12 | 000,000,000 | ---- | M] () -- C:\Users\Catherine\defogger_reenable
[2011/02/06 12:01:00 | 001,951,012 | ---- | M] () -- C:\Users\Catherine\Desktop\Module_01.pdf
[2011/02/06 12:01:00 | 001,480,619 | ---- | M] () -- C:\Users\Catherine\Desktop\Module_02.pdf
[2011/02/06 12:01:00 | 000,733,115 | ---- | M] () -- C:\Users\Catherine\Desktop\PI_Module_7_AU_2010.pdf
[2011/02/06 12:01:00 | 000,704,040 | ---- | M] () -- C:\Users\Catherine\Desktop\Module_04.pdf
[2011/02/06 12:01:00 | 000,592,922 | ---- | M] () -- C:\Users\Catherine\Desktop\PI_Module_6_AU_2010.pdf
[2011/02/06 12:01:00 | 000,498,616 | ---- | M] () -- C:\Users\Catherine\Desktop\Module_03.pdf
[2011/02/04 18:38:01 | 000,001,120 | ---- | M] () -- C:\Users\Public\Desktop\pimpl.exe.lnk
[2011/02/04 18:34:38 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Catherine\Desktop\iexplore.exe
[2011/02/04 18:18:44 | 000,866,350 | ---- | M] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/02/04 18:03:56 | 000,466,201 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Catherine\Desktop\mbam-setup-1.50.1.1100.exe
[2011/02/03 16:33:52 | 000,002,025 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/02/03 14:33:27 | 000,001,794 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/02/01 17:32:55 | 000,532,206 | ---- | M] () -- C:\Users\Catherine\Desktop\manlymatessmall.jpg
[2011/02/01 17:30:00 | 002,266,852 | ---- | M] () -- C:\Users\Catherine\Desktop\_D3S8954 (1).jpg
[2011/02/01 09:26:11 | 000,106,220 | ---- | M] () -- C:\Users\Catherine\Desktop\t_manly2x1.jpg
[2011/01/29 20:11:21 | 000,012,515 | ---- | M] () -- C:\Users\Catherine\Documents\Manly Mates.docx
[2011/01/27 21:50:07 | 000,001,846 | ---- | M] () -- C:\Users\Catherine\Desktop\Photomatix Pro 4.0.2 (64-bit).lnk

========== Files Created - No Company Name ==========

[2011/02/11 09:50:42 | 000,167,308 | ---- | C] () -- C:\Users\Catherine\Desktop\lime basket.JPG
[2011/02/11 09:50:42 | 000,008,504 | ---- | C] () -- C:\Users\Catherine\.recently-used.xbel
[2011/02/11 09:41:00 | 000,646,498 | R--- | C] () -- C:\Users\Catherine\Desktop\lime basket 005.JPG
[2011/02/11 01:29:06 | 000,016,278 | ---- | C] () -- C:\Users\Catherine\Documents\In fq.docx
[2011/02/11 01:22:46 | 000,010,702 | ---- | C] () -- C:\Users\Catherine\Documents\z speach.docx
[2011/02/09 09:53:04 | 000,011,095 | ---- | C] () -- C:\Users\Catherine\Documents\s letter.docx
[2011/02/08 21:20:47 | 000,001,959 | ---- | C] () -- C:\Users\Public\Desktop\Free Movies & Games.lnk
[2011/02/08 21:20:46 | 000,001,275 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2011/02/07 11:34:12 | 000,003,575 | ---- | C] () -- C:\Users\Catherine\Desktop\Attach.zip
[2011/02/07 11:25:12 | 000,000,000 | ---- | C] () -- C:\Users\Catherine\defogger_reenable
[2011/02/06 12:01:00 | 001,951,012 | ---- | C] () -- C:\Users\Catherine\Desktop\Module_01.pdf
[2011/02/06 12:01:00 | 001,480,619 | ---- | C] () -- C:\Users\Catherine\Desktop\Module_02.pdf
[2011/02/06 12:01:00 | 000,733,115 | ---- | C] () -- C:\Users\Catherine\Desktop\PI_Module_7_AU_2010.pdf
[2011/02/06 12:01:00 | 000,704,040 | ---- | C] () -- C:\Users\Catherine\Desktop\Module_04.pdf
[2011/02/06 12:01:00 | 000,592,922 | ---- | C] () -- C:\Users\Catherine\Desktop\PI_Module_6_AU_2010.pdf
[2011/02/06 12:01:00 | 000,498,616 | ---- | C] () -- C:\Users\Catherine\Desktop\Module_03.pdf
[2011/02/04 18:38:01 | 000,001,120 | ---- | C] () -- C:\Users\Public\Desktop\pimpl.exe.lnk
[2011/02/03 16:33:13 | 000,002,025 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/02/03 16:33:12 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/02/03 14:33:27 | 000,001,794 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/02/01 17:32:55 | 000,532,206 | ---- | C] () -- C:\Users\Catherine\Desktop\manlymatessmall.jpg
[2011/02/01 17:30:00 | 002,266,852 | ---- | C] () -- C:\Users\Catherine\Desktop\_D3S8954 (1).jpg
[2011/02/01 09:26:08 | 000,106,220 | ---- | C] () -- C:\Users\Catherine\Desktop\t_manly2x1.jpg
[2011/01/29 18:57:23 | 000,012,515 | ---- | C] () -- C:\Users\Catherine\Documents\mm.docx
[2010/12/16 05:40:44 | 000,866,350 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2010/12/16 05:26:15 | 000,000,000 | ---- | C] () -- C:\windows\NDSTray.INI
[2009/07/14 10:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/14 08:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/04/28 23:37:00 | 000,028,672 | ---- | C] () -- C:\windows\SysWow64\SPCtl.dll

========== LOP Check ==========

[2011/02/11 10:41:14 | 000,000,000 | ---D | M] -- C:\Users\Catherine\AppData\Roaming\gtk-2.0
[2010/12/28 20:05:00 | 000,000,000 | ---D | M] -- C:\Users\Catherine\AppData\Roaming\HDRsoft
[2011/01/05 03:36:36 | 000,000,000 | ---D | M] -- C:\Users\Catherine\AppData\Roaming\Toshiba
[2011/01/05 01:21:35 | 000,000,000 | ---D | M] -- C:\Users\Catherine\AppData\Roaming\WinBatch
[2011/01/04 02:45:55 | 000,000,000 | ---D | M] -- C:\Users\Catherine\AppData\Roaming\Windows Live Writer
[2010/03/24 00:03:10 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\Canon
[2010/01/12 13:02:04 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\CheckPoint
[2010/11/04 15:18:49 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\CoffeeCup Software
[2010/08/06 11:49:49 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/11/30 21:56:17 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\gtk-2.0
[2010/10/25 16:08:16 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\Hardcore
[2009/12/27 23:31:07 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\HDRsoft
[2009/12/10 19:59:25 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\JungleDisk
[2010/10/24 21:47:13 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\OpenCandy
[2010/11/30 03:12:15 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\Opera
[2010/10/25 16:11:14 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\PoiZone
[2009/12/27 22:36:18 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\RawTherapee
[2009/12/26 01:29:06 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\Smilebox
[2009/12/11 04:18:35 | 000,000,000 | ---D | M] -- C:\Users\Cathy B\AppData\Roaming\Toshiba
[2009/12/29 11:41:44 | 000,000,000 | ---D | M] -- C:\Users\Saffi\AppData\Roaming\CheckPoint
[2009/12/29 11:46:02 | 000,000,000 | ---D | M] -- C:\Users\Saffi\AppData\Roaming\JungleDisk
[2009/12/29 11:42:55 | 000,000,000 | ---D | M] -- C:\Users\Saffi\AppData\Roaming\MailFrontier
[2009/12/29 11:57:28 | 000,000,000 | ---D | M] -- C:\Users\Saffi\AppData\Roaming\Toshiba
[2009/07/14 16:08:49 | 000,011,194 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/14 12:15:20 | 000,380,957 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\expsrv.dll
[2009/07/14 12:15:50 | 001,386,496 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\msvbvm60.dll

< %systemroot%\system32\*.sys /90 >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %SYSTEMDRIVE%\*.* >
[2009/07/14 12:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2009/08/22 12:42:51 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2011/02/10 03:24:14 | 3193,593,856 | -HS- | M] () -- C:\hiberfil.sys
[2006/12/02 18:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
[2011/02/10 03:24:15 | 4258,127,872 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< End of report >

OTL Extras logfile created on: 2/11/2011 10:41:54 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Catherine\Downloads
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 64.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 453.41 Gb Total Space | 243.08 Gb Free Space | 53.61% Space Free | Partition Type: NTFS
Drive F: | 1863.01 Gb Total Space | 643.86 Gb Free Space | 34.56% Space Free | Partition Type: NTFS
Drive H: | 7.45 Gb Total Space | 7.37 Gb Free Space | 99.01% Space Free | Partition Type: FAT32

Computer Name: CATHERINE-PC | User Name: Catherine | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-131579768-3436045231-3897373272-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP550_series" = Canon MP550 series MP Drivers
"{1AAF3A3B-7B32-4DDF-8ABB-438DAEB46EEC}" = Windows Live Family Safety
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{1E9E8BA6-FD0B-465D-AFA2-ECE10BF095F9}" = TOSHIBA Bulletin Board
"{20387B45-18A4-4D48-ABD9-A23D2CBE42B3}" = Dolby Control Center
"{46A5FBE9-ADB3-4493-A1CC-B4CFFD24D26A}" = Windows Live Family Safety
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{63DA1F6A-2E65-4367-99B9-9E39FADEC446}" = HDMI Control Manager
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{77B8B4A5-EE79-4907-A318-2DA86325B8D7}" = iTunes
"{79BF7CB8-1E09-489F-9547-DB3EE8EA3F16}" = Microsoft SQL Server Native Client
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{86177DAE-38B1-49DD-912E-35CB703AB779}" = Microsoft SQL Server VSS Writer
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9B9DBB81-1F48-48B0-8CB3-051311DC73F7}" = Adobe Photoshop Lightroom 2.7 64-bit
"{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
"{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
"{C2DDF845-7107-40E8-8D2A-8719F1799570}" = TOSHIBA ReelTime
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{E4F5E48E-7155-4CF9-88CD-7F377EC9AC54}" = Bonjour
"{E5C95CA5-4565-4B9D-97ED-05088D775614}" = Apple Mobile Device Support
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
"FFE7D41DF3C645075BB149E21988B63996C34187" = ENE CIR Receiver Driver
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"PhotomatixPro4.0x64_is1" = Photomatix Pro version 4.0.2
"SynTPDeinstKey" = Synaptics Pointing Device Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1A59064A-12A9-469F-99F6-04BF118DBCFF}" = Kaspersky PURE
"{1B87C40B-A60B-4EF3-9A68-706CF4B69978}" = TOSHIBA Assist
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron Flash Media Controller Driver
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{50F68032-B5B7-4513-9116-C978DBD8F27A}" = DVD MovieFactory for TOSHIBA
"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{554EB98C-D995-471F-8874-D2BA7BF5EB3E}" = Noiseware Professional Edition
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application
"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"{63DA1F6A-2E65-4367-99B9-9E39FADEC446}" = HDMI Control Manager
"{65C0025A-2CDE-43C5-82D0-C7A56EF0DB39}" = Bing Bar Platform
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_OUTLOOKR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_OUTLOOKR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_OUTLOOKR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_OUTLOOKR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_PROHYBRIDR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_OUTLOOKR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-001A-0000-0000-0000000FF1CE}" = Microsoft Office Outlook 2007
"{91120000-001A-0000-0000-0000000FF1CE}_OUTLOOKR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-001A-0000-0000-0000000FF1CE}_OUTLOOKR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}" = Microsoft Search Enhancement Pack
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E487EE7D-EAAA-4E2A-9116-E3B477D8A74F}" = TOSHIBA USB Sleep and Charge Utility
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2004B8D-7791-4B35-A3FA-D8CA8BB4DD81}" = Direct DiscRecorder
"{F3529665-D75E-4D6D-98F0-745C78C68E9B}" = TOSHIBA ConfigFree
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FEB650EB-7639-444E-9FC2-C33EE6ED1A37}" = TOSHIBA Remote Control Manager
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"InstallShield_{1E9E8BA6-FD0B-465D-AFA2-ECE10BF095F9}" = TOSHIBA Bulletin Board
"InstallShield_{50F68032-B5B7-4513-9116-C978DBD8F27A}" = DVD MovieFactory for TOSHIBA
"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"InstallShield_{63DA1F6A-2E65-4367-99B9-9E39FADEC446}" = HDMI Control Manager
"InstallShield_{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"InstallShield_{C2DDF845-7107-40E8-8D2A-8719F1799570}" = TOSHIBA ReelTime
"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"InstallShield_{F2004B8D-7791-4B35-A3FA-D8CA8BB4DD81}" = Direct DiscRecorder
"InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
"InstallWIX_{1A59064A-12A9-469F-99F6-04BF118DBCFF}" = Kaspersky PURE
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"OUTLOOKR" = Microsoft Office Outlook 2007
"PROHYBRIDR" = 2007 Microsoft Office system
"RealPlayer 12.0" = RealPlayer
"WildTangent toshiba Master Uninstall" = WildTangent Games
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-131579768-3436045231-3897373272-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/3/2011 11:21:06 PM | Computer Name = Catherine-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 1/4/2011 11:38:46 AM | Computer Name = Catherine-PC | Source = SideBySide | ID = 16842832
Description = Activation context generation failed for "C:\Program Files (x86)\TOSHIBA\Bluetooth
Toshiba Stack\TosBt1st.exe".Error in manifest or policy file "" on line . A component
version required by the application conflicts with another component version already
active. Conflicting components are:. Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd.manifest.
Component
2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_fa62ad231704eab7.manifest.

Error - 1/4/2011 11:39:09 AM | Computer Name = Catherine-PC | Source = SideBySide | ID = 16842832
Description = Activation context generation failed for "C:\Program Files (x86)\TOSHIBA\Bluetooth
Toshiba Stack\Tools\AVRCPTestTool.exe".Error in manifest or policy file "" on line
. A component version required by the application conflicts with another component
version already active. Conflicting components are:. Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_fa62ad231704eab7.manifest.
Component
2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd.manifest.

Error - 1/4/2011 11:39:37 AM | Computer Name = Catherine-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\Program Files (x86)\Common
Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3. The value
"MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
"version" in element "assemblyIdentity" is invalid.

Error - 1/27/2011 6:59:31 AM | Computer Name = Catherine-PC | Source = Windows Backup | ID = 4103
Description =

Error - 1/27/2011 7:20:39 AM | Computer Name = Catherine-PC | Source = Application Error | ID = 1000
Description = Faulting application name: OUTLOOK.EXE, version: 12.0.6539.5000, time
stamp: 0x4c12486d Faulting module name: olmapi32.dll, version: 12.0.6538.5000, time
stamp: 0x4bfc6ad9 Exception code: 0xc0000005 Fault offset: 0x00051c7c Faulting process
id: 0x1354 Faulting application start time: 0x01cbbe10354ec992 Faulting application
path: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE Faulting module
path: c:\progra~2\micros~4\office12\olmapi32.dll Report Id: 77e45170-2a07-11e0-b544-0026224be8f3

Error - 1/27/2011 5:27:54 PM | Computer Name = Catherine-PC | Source = RasClient | ID = 20227
Description =

Error - 1/27/2011 5:29:27 PM | Computer Name = Catherine-PC | Source = RasClient | ID = 20227
Description =

Error - 1/27/2011 5:29:36 PM | Computer Name = Catherine-PC | Source = RasClient | ID = 20227
Description =

Error - 1/27/2011 5:30:19 PM | Computer Name = Catherine-PC | Source = RasClient | ID = 20227
Description =

[ Media Center Events ]
Error - 2/4/2011 8:22:53 AM | Computer Name = Catherine-PC | Source = MCUpdate | ID = 0
Description = 11:22:10 PM - Error connecting to the internet. 11:22:34 PM - Unable
to contact server..

Error - 2/4/2011 8:27:23 AM | Computer Name = Catherine-PC | Source = MCUpdate | ID = 0
Description = 11:23:38 PM - Error connecting to the internet. 11:23:38 PM - Unable
to contact server..

[ OSession Events ]
Error - 12/28/2010 6:45:39 PM | Computer Name = Catherine-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 651
seconds with 120 seconds of active time. This session ended with a crash.

Error - 1/2/2011 12:01:23 PM | Computer Name = Catherine-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 43
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/2/2011 9:51:41 PM | Computer Name = Catherine-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 52
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/3/2011 10:24:41 PM | Computer Name = Catherine-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 29
seconds with 0 seconds of active time. This session ended with a crash.

Error - 1/27/2011 7:20:39 AM | Computer Name = Catherine-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1725
seconds with 600 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 1/30/2011 8:18:23 AM | Computer Name = Catherine-PC | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume S3A8029D003.

Error - 1/30/2011 8:18:23 AM | Computer Name = Catherine-PC | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume S3A8029D003.

Error - 1/30/2011 8:18:41 AM | Computer Name = Catherine-PC | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume S3A8029D003.

Error - 1/30/2011 8:18:41 AM | Computer Name = Catherine-PC | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume S3A8029D003.

Error - 2/2/2011 11:29:22 PM | Computer Name = Catherine-PC | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 2/2/2011 11:29:50 PM | Computer Name = Catherine-PC | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 2/2/2011 11:30:50 PM | Computer Name = Catherine-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Apple Mobile Device service,
but this action failed with the following error: %%1056

Error - 2/2/2011 11:39:18 PM | Computer Name = Catherine-PC | Source = Disk | ID = 262159
Description = The device, \Device\Harddisk1\DR2, is not ready for access yet.

Error - 2/3/2011 1:27:53 AM | Computer Name = Catherine-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 3:32:51 PM on ?3/?02/?2011 was unexpected.

Error - 2/3/2011 8:34:08 AM | Computer Name = Catherine-PC | Source = volsnap | ID = 393245
Description = The shadow copies of volume F: were aborted during detection.


< End of report >

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 11 February 2011 - 06:24 PM

Hello, cathyb9.
OK, that may be related to the virus, it may not. Let's run Combofix to ensure remnants are gone.



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 cathyb9

cathyb9
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 11 February 2011 - 07:51 PM

Okay, I tried to run ComboFix saved as etavaresCF.exe as requested. It did not attempt to install Windows Recovery Console. The prompts suggested that it created a restore point, but then at the point where it was about to scan, an error message that the Windows Command Processor had stopped working appeared. This happened despite Kaspersky being temporarily paused, and repeated redownlodings of Combofix under different names, from both bleepingcomputer and Infosoftware. I assume this is the action of the virus?

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 12 February 2011 - 07:21 AM

It could be the virus, or it could be Kapersky. Please try it in safe mode. If you have the same issues, then please download Rkill from BleepingComputer and save it to your desktop. Note there are many files names you can download it as. Please try rkill.scr, rkill.com or eXplorer.exe and save it to your desktop. Double-click it to run. A window will pop up and may close immediately. A logfile should appear. If there is no logfile, please try running it again. And again. It may take 20 times before it 'catches' and temporarily disables the malware that is running. If after 20-30 times it didn't work, try the next file name and so on. After a logfile pops up, please try to run Combofix.

If none of the above works, do you have access to a clean computer where we can create a bootable flash drive to get around this virus?

Edited by etavares, 12 February 2011 - 07:21 AM.
fix BBCode tag


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 cathyb9

cathyb9
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 12 February 2011 - 09:17 AM

Yikes.

I ran rkill (after temporarily disabling Kaspersky Pure), and the log is included below. Immediately afterwards I started ComboFix, but again Command Processor hung at the point of the start of the scan. I repeated the process in Safe Mode with Networking, and this time the command processor window just closed a couple of minutes after it was supposed to start scanning.

I can get hold of a couple of clean computers, but one runs Windows XP (and is an EeePC), while the other I won't have access to for about 7 days. Is it okay to use the EeePC?

Thanks!

RKill Log:
is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 13/02/2011 at 0:29:05.
Operating System: Windows 7 Home Premium


Processes terminated by Rkill or while it was running:

C:\windows\SysWOW64\InfDefaultInstall.exe
C:\windows\SysWOW64\runonce.exe
C:\Windows\SysWOW64\grpconv.exe


Rkill completed on 13/02/2011 at 0:29:18.

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 12 February 2011 - 10:25 AM

Hello, cathyb9.

The eeePC is fine for this, but RKill didn't shut down any bad files. Let's check your MBR. This could be Kapersky interfering.



Step 1

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 2


Please update and run a Quick Scan with MBAM and post the resulting log.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#9 cathyb9

cathyb9
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 12 February 2011 - 10:59 AM

Hi again, and thanks for the quick reply! I ran MBRCheck, which did find non-standard or infected MBR, log follows. Also updated ran MalwareBytes as requested, and it found no infection.

Thanks again.

Okay, Step 1 log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: TOSHIBA
BIOS Manufacturer: TOSHIBA
System Manufacturer: TOSHIBA
System Product Name: Satellite A500
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 215):
0x0341D000 \SystemRoot\system32\ntoskrnl.exe
0x039FA000 \SystemRoot\system32\hal.dll
0x00BB2000 \SystemRoot\system32\kdcom.dll
0x00CBD000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00D01000 \SystemRoot\system32\PSHED.dll
0x00D15000 \SystemRoot\system32\CLFS.SYS
0x00E5F000 \SystemRoot\system32\CI.dll
0x00F1F000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00FC3000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00E00000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00FD2000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00FDB000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00D73000 \SystemRoot\system32\DRIVERS\pci.sys
0x00FE5000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00DA6000 \SystemRoot\system32\DRIVERS\LPCFilter.sys
0x00DB5000 \SystemRoot\system32\DRIVERS\CSCrySec.sys
0x00DCC000 \SystemRoot\System32\drivers\partmgr.sys
0x00FF2000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x00DE1000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x00C00000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00C15000 \SystemRoot\System32\drivers\volmgrx.sys
0x00C71000 \SystemRoot\System32\drivers\mountmgr.sys
0x00E57000 \SystemRoot\system32\DRIVERS\pciide.sys
0x00C8B000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x01061000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x0117D000 \SystemRoot\system32\DRIVERS\atapi.sys
0x01186000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x011B0000 \SystemRoot\system32\DRIVERS\msahci.sys
0x011BB000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x01000000 \SystemRoot\system32\drivers\fltmgr.sys
0x0104C000 \SystemRoot\system32\drivers\fileinfo.sys
0x0121B000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01486000 \SystemRoot\System32\Drivers\msrpc.sys
0x014E4000 \SystemRoot\System32\Drivers\ksecdd.sys
0x014FE000 \SystemRoot\System32\Drivers\cng.sys
0x01571000 \SystemRoot\System32\drivers\pcw.sys
0x01582000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0166D000 \SystemRoot\system32\drivers\ndis.sys
0x0175F000 \SystemRoot\system32\drivers\NETIO.SYS
0x017BF000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01801000 \SystemRoot\System32\drivers\tcpip.sys
0x01600000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x0158C000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x0164A000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
0x01400000 \SystemRoot\system32\DRIVERS\tos_sps64.sys
0x019FE000 \SystemRoot\system32\DRIVERS\Thpevm.SYS
0x0164F000 \SystemRoot\system32\DRIVERS\thpdrv.sys
0x0165B000 \SystemRoot\System32\Drivers\spldr.sys
0x013BE000 \SystemRoot\System32\drivers\rdyboost.sys
0x017EA000 \SystemRoot\System32\Drivers\mup.sys
0x015D8000 \SystemRoot\system32\DRIVERS\klbg.sys
0x01663000 \SystemRoot\System32\drivers\hwpolicy.sys
0x011C6000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x015E6000 \SystemRoot\system32\DRIVERS\disk.sys
0x01A34000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01BA1000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x02E45000 \SystemRoot\system32\DRIVERS\klif.sys
0x02EA2000 \SystemRoot\System32\Drivers\Null.SYS
0x02EAB000 \SystemRoot\System32\Drivers\Beep.SYS
0x02EB2000 \SystemRoot\System32\drivers\vga.sys
0x02EC0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02EE5000 \SystemRoot\System32\drivers\watchdog.sys
0x02EF5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02EFE000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02F07000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02F10000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02F1B000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02F2C000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02F4A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x03C28000 \SystemRoot\system32\DRIVERS\kl1.sys
0x04151000 \SystemRoot\system32\drivers\afd.sys
0x02F57000 \SystemRoot\System32\DRIVERS\netbt.sys
0x041DB000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03C00000 \SystemRoot\system32\DRIVERS\pacer.sys
0x041E4000 \SystemRoot\system32\DRIVERS\klim6.sys
0x02F9C000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x041EE000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02FB2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02FCD000 \SystemRoot\system32\DRIVERS\termdd.sys
0x0421A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x0426B000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04277000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x04282000 \SystemRoot\System32\drivers\discache.sys
0x04291000 \SystemRoot\System32\Drivers\dfsc.sys
0x042AF000 \SystemRoot\system32\DRIVERS\CSVirtualDiskDrv.sys
0x042C2000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x042D3000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x1006A000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x10D9B000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x042F9000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x10D9D000 \SystemRoot\System32\drivers\dxgmms1.sys
0x10000000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x10024000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x0447E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x044D4000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x044E5000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x04A6B000 \SystemRoot\system32\DRIVERS\NETw5s64.sys
0x051CA000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x04A00000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x04A2F000 \SystemRoot\system32\DRIVERS\tosrfec.sys
0x04A38000 \SystemRoot\system32\DRIVERS\enecir.sys
0x04A55000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x0451E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x04A5A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x0453C000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x04A69000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04588000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0x04592000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x045A1000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
0x045AB000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x045B8000 \SystemRoot\system32\DRIVERS\TVALZFL.sys
0x045BF000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x045D5000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x045E5000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04400000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04424000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04430000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0445F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x10031000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x10DE3000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x051FE000 \SystemRoot\system32\DRIVERS\swenum.sys
0x02E00000 \SystemRoot\system32\DRIVERS\ks.sys
0x10052000 \SystemRoot\system32\DRIVERS\circlass.sys
0x043ED000 \SystemRoot\system32\DRIVERS\umbus.sys
0x05243000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0529D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x052B2000 \SystemRoot\system32\drivers\nvhda64v.sys
0x052CB000 \SystemRoot\system32\drivers\portcls.sys
0x05308000 \SystemRoot\system32\drivers\drmk.sys
0x0532A000 \SystemRoot\system32\drivers\ksthunk.sys
0x07408000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x075E7000 \SystemRoot\system32\DRIVERS\enecirhid.sys
0x075F2000 \SystemRoot\system32\DRIVERS\enecirhidma.sys
0x05330000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x05349000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x05352000 \SystemRoot\system32\DRIVERS\hidir.sys
0x05363000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x05371000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x00050000 \SystemRoot\System32\win32k.sys
0x0537E000 \SystemRoot\System32\drivers\Dxapi.sys
0x0538A000 \SystemRoot\System32\Drivers\crashdmp.sys
0x01A64000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x05398000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x02081000 \SystemRoot\System32\Drivers\dvb7700all.sys
0x02171000 \SystemRoot\System32\Drivers\BdaSup.SYS
0x02175000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x02192000 \SystemRoot\System32\Drivers\usbvideo.sys
0x021C0000 \SystemRoot\system32\DRIVERS\pgeffect.sys
0x021C7000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00500000 \SystemRoot\System32\TSDDD.dll
0x00760000 \SystemRoot\System32\cdd.dll
0x021D5000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x02000000 \SystemRoot\system32\drivers\luafv.sys
0x02023000 \SystemRoot\system32\drivers\WudfPf.sys
0x02044000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x053AB000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x02059000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x05200000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x07C10000 \SystemRoot\system32\drivers\HTTP.sys
0x07CD8000 \SystemRoot\system32\DRIVERS\bowser.sys
0x07CF6000 \SystemRoot\System32\drivers\mpsdrv.sys
0x07D0E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x07D3B000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x07D89000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x07DAC000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x07DBD000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x0969B000 \SystemRoot\system32\drivers\peauth.sys
0x09741000 \SystemRoot\System32\Drivers\secdrv.SYS
0x0974C000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x09779000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0978B000 \SystemRoot\System32\Drivers\fastfat.SYS
0x09600000 \SystemRoot\System32\DRIVERS\srv2.sys
0x09CD6000 \SystemRoot\System32\DRIVERS\srv.sys
0x09D6C000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x09C71000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x77A40000 \Windows\System32\ntdll.dll
0x48530000 \Windows\System32\smss.exe
0xFFD60000 \Windows\System32\apisetschema.dll
0xFFC60000 \Windows\System32\autochk.exe
0xFFC70000 \Windows\System32\advapi32.dll
0xFFC60000 \Windows\System32\autochk.exe
0xFFC40000 \Windows\System32\imagehlp.dll
0xFFBA0000 \Windows\System32\clbcatq.dll
0x77920000 \Windows\System32\kernel32.dll
0x77820000 \Windows\System32\user32.dll
0xFFA70000 \Windows\System32\rpcrt4.dll
0xFF960000 \Windows\System32\msctf.dll
0x77C10000 \Windows\System32\psapi.dll
0xFF700000 \Windows\System32\iertutil.dll
0xFF6F0000 \Windows\System32\nsi.dll
0xFF6A0000 \Windows\System32\Wldap32.dll
0xFF5D0000 \Windows\System32\usp10.dll
0xFF3F0000 \Windows\System32\setupapi.dll
0x77C00000 \Windows\System32\normaliz.dll
0xFF310000 \Windows\System32\oleaut32.dll
0xFF290000 \Windows\System32\shlwapi.dll
0xFF240000 \Windows\System32\ws2_32.dll
0xFF1A0000 \Windows\System32\comdlg32.dll
0xFF100000 \Windows\System32\msvcrt.dll
0xFE370000 \Windows\System32\shell32.dll
0xFE350000 \Windows\System32\sechost.dll
0xFE220000 \Windows\System32\wininet.dll
0xFE1B0000 \Windows\System32\gdi32.dll
0xFE180000 \Windows\System32\imm32.dll
0xFE000000 \Windows\System32\urlmon.dll
0xFDF80000 \Windows\System32\difxapi.dll
0xFDD70000 \Windows\System32\ole32.dll
0xFDC00000 \Windows\System32\crypt32.dll
0xFDBE0000 \Windows\System32\devobj.dll
0xFDBA0000 \Windows\System32\cfgmgr32.dll
0xFDB00000 \Windows\System32\comctl32.dll
0xFDAC0000 \Windows\System32\wintrust.dll
0xFDA50000 \Windows\System32\KernelBase.dll
0xFDA40000 \Windows\System32\msasn1.dll
0x75DC0000 \Windows\SysWOW64\normaliz.dll

Processes (total 91):
0 System Idle Process
4 System
368 C:\Windows\System32\smss.exe
536 csrss.exe
604 C:\Windows\System32\wininit.exe
624 csrss.exe
664 C:\Windows\System32\services.exe
688 C:\Windows\System32\lsass.exe
696 C:\Windows\System32\lsm.exe
808 C:\Windows\System32\svchost.exe
876 C:\Windows\System32\nvvsvc.exe
920 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\svchost.exe
1020 C:\Windows\System32\svchost.exe
400 C:\Windows\System32\svchost.exe
760 C:\Windows\System32\audiodg.exe
1028 C:\Windows\System32\svchost.exe
1128 C:\Windows\System32\svchost.exe
1236 C:\Windows\System32\winlogon.exe
1368 C:\Windows\System32\spoolsv.exe
1404 C:\Windows\System32\svchost.exe
1480 C:\Windows\System32\nvvsvc.exe
1576 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1636 C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
1700 C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
1748 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
1868 C:\Windows\System32\taskhost.exe
1880 C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
1996 C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2032 C:\Windows\System32\dwm.exe
1076 C:\Windows\explorer.exe
2052 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2164 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2248 C:\Windows\System32\svchost.exe
2288 C:\Windows\System32\ThpSrv.exe
2352 C:\Windows\System32\TODDSrv.exe
2380 C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
2412 C:\Program Files\TOSHIBA\TECO\TecoService.exe
2544 C:\Windows\System32\taskeng.exe
2576 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2976 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2640 C:\Windows\System32\svchost.exe
844 C:\Windows\System32\svchost.exe
3120 WUDFHost.exe
3436 C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
3476 C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
3508 C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
3628 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3668 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3704 C:\Windows\System32\ThpSrv.exe
3924 C:\Program Files\TOSHIBA\TECO\Teco.exe
4000 C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe
4056 C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
4084 C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
3116 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3936 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
3728 C:\Windows\System32\SearchIndexer.exe
3796 C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
3208 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
1652 C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
3892 C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
3900 C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
4076 C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
3896 C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe
3588 C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
4312 C:\Program Files (x86)\iTunes\iTunesHelper.exe
4384 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
4444 C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
4676 C:\Program Files\TOSHIBA\HDMICtrlMan\HCMSoundChanger.exe
3540 C:\Program Files\iPod\bin\iPodService.exe
4768 C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
2660 C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
4128 C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
2936 C:\Windows\System32\svchost.exe
4396 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
3020 C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
3688 C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
1068 C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
2624 C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
3792 WmiPrvSE.exe
2712 C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
3524 C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtblfs.exe
5872 C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
5696 C:\Windows\System32\svchost.exe
4020 C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
3848 C:\Windows\System32\SearchProtocolHost.exe
5612 C:\Windows\System32\SearchFilterHost.exe
3572 dllhost.exe
5488 dllhost.exe
5572 C:\Users\Catherine\Desktop\MBRCheck.exe
3516 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK5055GSX, Rev: FG001M
PhysicalDrive1 Model Number: SeagateDesktop, Rev: 0130

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: BBAD517F7EAC529451E4B9586C847AE190574F61
1863 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: A16EF68870D2ED162DDA2E379D2960A80789C94E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

Step 2 log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5748

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

13/02/2011 2:54:59 AM
mbam-log-2011-02-13 (02-54-59).txt

Scan type: Quick scan
Objects scanned: 177501
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 13 February 2011 - 07:37 AM

Hello, cathyb9.

Your MBR is clean...it loads the one on your C:\ drive which is a known good code. It's looking like you were able to clean the virus well. Let's do one final check, then we'll look at your hard disk issue.



Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

The automatic part won't work with Vista or W7. Please backup manually using ERUNT with the following instructions:
  • Please locate the ERUNT icon on the desktop. If it is not there, click Start and type ERUNT into the search box.
  • Right click the ERUNT icon in the desktop or the Start menu, and select Run as Administrator
  • Click OK at the first message box.
  • Ensure the checkboxes for both "system registry" and "current user registry" are checked. Leave the default save location in there.
  • Click OK.
  • Click Yes to create the new folder.
  • You'll get a window saying "registry backup complete" once it's done. Click OK. If you get an error message, please STOP here and let me know. Do not proceed with any additional instructions until you check back with me.



Step 2

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need run an OTL Script
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4:64bit: - HKLM..\Run: [] File not found
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=-
    ""=-
    :commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here.



Step 3

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#11 cathyb9

cathyb9
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 14 February 2011 - 01:05 AM

Thanks again for the quick reply! ESET came back with some odd results - I let it scan my external drive which is where I back up to, and it found something there, as well as three files on the C:/ drive. ???

Here are the logs:

First OTL report

All processes killed
========== OTL ==========
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\\DisableMonitoring deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Catherine
->Temp folder emptied: 49951987 bytes
->Temporary Internet Files folder emptied: 84933661 bytes
->Java cache emptied: 22800 bytes
->FireFox cache emptied: 93184909 bytes
->Flash cache emptied: 50235 bytes

User: Cathy B
->Java cache emptied: 1176564 bytes
->FireFox cache emptied: 100212926 bytes
->Google Chrome cache emptied: 9485862 bytes
->Opera cache emptied: 3471663 bytes
->Flash cache emptied: 148437 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Saffi
->FireFox cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18171153 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 344.00 mb


OTL by OldTimer - Version 3.2.20.6 log created on 02142011_091615

Files\Folders moved on Reboot...
C:\Users\Catherine\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Second OTL report

OTL logfile created on: 2/14/2011 9:29:50 AM - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Catherine\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 68.00% Memory free
8.00 Gb Paging File | 7.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 453.41 Gb Total Space | 242.27 Gb Free Space | 53.43% Space Free | Partition Type: NTFS
Drive F: | 1863.01 Gb Total Space | 608.91 Gb Free Space | 32.68% Space Free | Partition Type: NTFS

Computer Name: CATHERINE-PC | User Name: Catherine | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/14 09:14:42 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Catherine\Desktop\OTL(3).exe
PRC - [2011/02/08 21:20:02 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
PRC - [2011/01/05 11:59:50 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/12/16 05:30:48 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/12/25 16:43:40 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
PRC - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) -- C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
PRC - [2009/08/12 06:37:50 | 002,446,648 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
PRC - [2009/07/22 16:40:40 | 000,083,336 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
PRC - [2009/07/22 06:43:44 | 000,701,752 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe
PRC - [2009/07/18 14:52:38 | 000,181,616 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
PRC - [2009/07/15 14:10:30 | 000,042,368 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
PRC - [2009/03/11 13:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2009/02/21 04:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2009/01/14 16:33:40 | 000,034,088 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe


========== Modules (SafeList) ==========

MOD - [2011/02/14 09:14:42 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Catherine\Desktop\OTL(3).exe
MOD - [2010/08/21 16:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/08/11 06:00:50 | 000,258,928 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
SRV:64bit: - [2009/08/06 09:20:12 | 000,488,800 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV:64bit: - [2009/08/05 06:15:06 | 000,826,224 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
SRV:64bit: - [2009/08/04 13:17:56 | 000,137,560 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV:64bit: - [2009/07/29 10:48:06 | 000,140,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
SRV:64bit: - [2009/07/14 12:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/09 04:41:02 | 000,531,520 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\ThpSrv.exe -- (Thpsrv)
SRV - [2011/01/05 11:59:50 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/07/01 10:59:02 | 000,051,576 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/25 16:43:40 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe -- (AVP)
SRV - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) [Auto | Running] -- C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -- (CSObjectsSrv)
SRV - [2009/07/31 00:20:36 | 000,192,368 | ---- | M] (TOSHIBA CORPORATION) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2009/07/18 14:52:38 | 000,181,616 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe -- (cfWiMAXService)
SRV - [2009/07/15 14:10:30 | 000,042,368 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe -- (ConfigFree Gadget Service)
SRV - [2009/06/11 08:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/05/23 05:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/03/11 13:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2009/02/21 04:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/12/28 00:56:44 | 000,353,296 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\SysNative\drivers\klif.sys -- (KLIF)
DRV:64bit: - [2010/09/23 00:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/01/29 01:25:02 | 000,086,120 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2010/01/13 16:37:18 | 007,675,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64) Intel®
DRV:64bit: - [2009/12/14 12:44:24 | 000,085,048 | ---- | M] (Infowatch) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\CSCrySec.sys -- (CSCrySec)
DRV:64bit: - [2009/12/14 12:44:24 | 000,066,104 | ---- | M] (Infowatch) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\CSVirtualDiskDrv.sys -- (CSVirtualDiskDrv)
DRV:64bit: - [2009/10/14 20:18:38 | 000,040,464 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\klbg.sys -- (KLBG)
DRV:64bit: - [2009/10/10 13:41:20 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/10/02 18:39:32 | 000,021,008 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\klmouflt.sys -- (klmouflt)
DRV:64bit: - [2009/09/14 13:46:42 | 000,027,152 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\klim6.sys -- (KLIM6)
DRV:64bit: - [2009/09/01 14:29:56 | 000,157,712 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\kl1.sys -- (kl1)
DRV:64bit: - [2009/08/18 07:15:44 | 000,286,768 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/08/01 20:13:00 | 000,140,712 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\jmcr.sys -- (JMCR)
DRV:64bit: - [2009/07/31 15:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV:64bit: - [2009/07/25 10:57:08 | 000,482,384 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tos_sps64.sys -- (tos_sps64)
DRV:64bit: - [2009/07/15 10:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
DRV:64bit: - [2009/07/14 17:12:36 | 000,019,824 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tosrfec.sys -- (tosrfec)
DRV:64bit: - [2009/07/14 12:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 12:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 12:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 12:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 12:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 12:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/03 09:55:38 | 000,044,912 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LPCFilter.sys -- (LPCFilter)
DRV:64bit: - [2009/06/30 11:16:20 | 000,014,784 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\Thpevm.sys -- (Thpevm)
DRV:64bit: - [2009/06/30 05:25:22 | 000,034,880 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\thpdrv.sys -- (Thpdrv)
DRV:64bit: - [2009/06/30 05:17:00 | 000,070,656 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\enecir.sys -- (enecir)
DRV:64bit: - [2009/06/23 12:06:38 | 000,035,008 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PGEffect.sys -- (PGEffect)
DRV:64bit: - [2009/06/20 14:15:22 | 000,014,472 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TVALZFL.sys -- (TVALZFL)
DRV:64bit: - [2009/06/12 08:08:42 | 000,961,536 | ---- | M] (DiBcom) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dvb7700all.sys -- (mod7700)
DRV:64bit: - [2009/06/11 08:01:06 | 001,146,880 | ---- | M] (LSI Corp) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2009/06/11 07:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/11 07:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/11 07:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/11 07:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/11 07:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/05 13:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/05/23 17:52:30 | 000,215,040 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/05/20 16:59:00 | 000,014,848 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\enecirhid.sys -- (enecirhid)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/15 03:51:40 | 005,435,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NETw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2008/04/25 13:16:00 | 000,006,656 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\enecirhidma.sys -- (enecirhidma)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
IE - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSAU&bmod=TSAU
IE - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.192
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.2
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/02/08 21:20:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/02/08 21:20:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/02/14 09:27:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\THBExt [2010/12/28 00:57:12 | 000,000,000 | ---D | M]

[2010/12/28 00:32:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Catherine\AppData\Roaming\Mozilla\Extensions
[2010/12/28 00:32:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Catherine\AppData\Roaming\Mozilla\Firefox\Profiles\bvyi15r2.default\extensions
[2010/12/28 00:57:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/12/28 00:57:34 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2011/02/08 21:20:41 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2010/12/04 04:47:02 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/12/04 04:47:02 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/12/04 04:47:02 | 000,000,769 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/12/04 04:47:02 | 000,001,135 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/11 08:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ievkbd.dll (Kaspersky Lab)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll (Google Inc.)
O2:64bit: - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (@C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (Microsoft Corporation)
O3:64bit: - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-131579768-3436045231-3897373272-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TRCMan] C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TUSBSleepChargeSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe (TOSHIBA)
O4 - HKLM..\Run: [TWebCamera] C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)
O4 - HKU\S-1-5-21-131579768-3436045231-3897373272-1004..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Users\Catherine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm ()
O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O9:64bit: - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O9:64bit: - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\sbhook64.dll (Kaspersky Lab)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\kloehk.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\sbhook.dll (Kaspersky Lab)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\klogon: DllName - Reg Error: Key error. - C:\Windows\SysNative\klogon.dll (Kaspersky Lab)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/29 16:52:30 | 000,000,035 | ---- | M] () - F:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/14 09:16:15 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/02/14 09:14:38 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Catherine\Desktop\OTL(3).exe
[2011/02/14 07:39:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/02/14 07:39:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2011/02/14 07:34:51 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Catherine\Desktop\erunt-setup.exe
[2011/02/13 21:13:56 | 000,000,000 | ---D | C] -- C:\Users\Catherine\Documents\HDD 1
[2011/02/13 21:11:25 | 000,000,000 | ---D | C] -- C:\Users\Catherine\Documents\HDD 3
[2011/02/13 21:10:14 | 000,000,000 | ---D | C] -- C:\Users\Catherine\Documents\HDD 2
[2011/02/13 00:54:05 | 000,000,000 | --SD | C] -- C:\etavares
[2011/02/13 00:53:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe
[2011/02/12 11:45:54 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2011/02/12 11:45:54 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2011/02/12 11:45:54 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2011/02/12 11:05:25 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2011/02/12 11:05:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/02/09 14:36:49 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\msfeeds.dll
[2011/02/09 14:36:48 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msfeeds.dll
[2011/02/09 14:36:48 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\iepeers.dll
[2011/02/09 14:36:47 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\html.iec
[2011/02/09 14:36:47 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\html.iec
[2011/02/09 14:36:47 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\iepeers.dll
[2011/02/09 14:36:47 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mshtmled.dll
[2011/02/09 14:36:47 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmled.dll
[2011/02/09 14:36:47 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\licmgr10.dll
[2011/02/09 14:36:47 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\licmgr10.dll
[2011/02/09 14:36:47 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\msfeedssync.exe
[2011/02/09 14:36:47 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msfeedssync.exe
[2011/02/09 14:36:18 | 000,264,192 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\upnp.dll
[2011/02/09 14:36:17 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\upnp.dll
[2011/02/09 14:36:16 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\davclnt.dll
[2011/02/09 14:36:15 | 000,080,384 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\davclnt.dll
[2011/02/09 14:36:15 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wscapi.dll
[2011/02/09 14:36:15 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wscapi.dll
[2011/02/09 14:36:15 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\slwga.dll
[2011/02/09 14:36:15 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\slwga.dll
[2011/02/09 14:36:09 | 000,214,016 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\winsrv.dll
[2011/02/09 14:36:07 | 001,837,568 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\d3d10warp.dll
[2011/02/09 14:36:07 | 001,170,944 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\d3d10warp.dll
[2011/02/09 14:36:07 | 000,902,656 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\d2d1.dll
[2011/02/09 14:36:06 | 001,540,608 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\DWrite.dll
[2011/02/09 14:36:06 | 001,074,176 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\DWrite.dll
[2011/02/09 14:36:06 | 000,739,840 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\d2d1.dll
[2011/02/09 14:36:06 | 000,662,528 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\XpsPrint.dll
[2011/02/09 14:36:05 | 001,863,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ExplorerFrame.dll
[2011/02/09 14:36:05 | 000,470,016 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\XpsGdiConverter.dll
[2011/02/09 14:36:05 | 000,442,880 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\XpsPrint.dll
[2011/02/09 14:36:05 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\d3d10_1core.dll
[2011/02/09 14:36:05 | 000,283,648 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\XpsGdiConverter.dll
[2011/02/09 14:36:05 | 000,218,624 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\d3d10_1core.dll
[2011/02/09 14:36:04 | 001,495,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ExplorerFrame.dll
[2011/02/09 14:36:04 | 000,265,088 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\drivers\dxgmms1.sys
[2011/02/09 14:36:04 | 000,229,888 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\XpsRasterService.dll
[2011/02/09 14:36:04 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\d3d10_1.dll
[2011/02/09 14:36:04 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\d3d10_1.dll
[2011/02/09 14:36:04 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\cdd.dll
[2011/02/09 14:36:04 | 000,135,168 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\XpsRasterService.dll
[2011/02/09 14:35:55 | 000,852,480 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\jscript.dll
[2011/02/09 14:35:55 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\jscript.dll
[2011/02/09 14:35:55 | 000,612,352 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\vbscript.dll
[2011/02/09 14:35:53 | 005,510,528 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntoskrnl.exe
[2011/02/09 14:35:52 | 003,901,824 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntoskrnl.exe
[2011/02/09 14:35:52 | 001,739,176 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntdll.dll
[2011/02/09 14:35:51 | 003,957,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntkrnlpa.exe
[2011/02/09 14:35:50 | 000,366,080 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\SysNative\atmfd.dll
[2011/02/09 14:35:50 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\SysWow64\atmfd.dll
[2011/02/09 14:35:50 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\windows\SysNative\atmlib.dll
[2011/02/09 14:35:50 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\windows\SysWow64\atmlib.dll
[2011/02/08 21:20:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\xing shared
[2011/02/08 21:20:36 | 000,198,848 | ---- | C] (RealNetworks, Inc.) -- C:\windows\SysWow64\rmoc3260.dll
[2011/02/08 21:20:04 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\windows\SysWow64\pndx5016.dll
[2011/02/08 21:20:04 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\windows\SysWow64\pndx5032.dll
[2011/02/08 21:20:03 | 000,272,896 | ---- | C] (Progressive Networks) -- C:\windows\SysWow64\pncrt.dll
[2011/02/08 21:20:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Real
[2011/02/08 21:20:00 | 000,499,712 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\msvcp71.dll
[2011/02/08 21:20:00 | 000,348,160 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\msvcr71.dll
[2011/02/08 21:19:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Real
[2011/02/08 21:19:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Real
[2011/02/08 21:12:55 | 000,000,000 | ---D | C] -- C:\Users\Catherine\AppData\Roaming\Real
[2011/02/07 11:33:06 | 000,000,000 | ---D | C] -- C:\Users\Catherine\AppData\Local\Diagnostics
[2011/02/04 18:38:09 | 000,000,000 | ---D | C] -- C:\Users\Catherine\AppData\Roaming\Malwarebytes
[2011/02/04 18:38:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysWow64\drivers\mbamswissarmy.sys
[2011/02/04 18:38:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/04 18:38:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/02/04 18:37:57 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2011/02/04 18:37:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/02/04 18:34:21 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Catherine\Desktop\iexplore.exe
[2011/02/04 18:03:50 | 000,466,201 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Catherine\Desktop\mbam-setup-1.50.1.1100.exe
[2011/02/03 16:33:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2011/02/03 14:33:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/02/03 14:32:45 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/02/03 14:32:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2011/02/03 14:32:45 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/01/27 21:59:49 | 000,720,896 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\odbc32.dll
[2011/01/27 21:59:49 | 000,573,440 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\odbc32.dll

========== Files - Modified Within 30 Days ==========

[2011/02/14 09:27:57 | 000,002,025 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/02/14 09:26:47 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/14 09:26:47 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/14 09:23:57 | 000,861,900 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2011/02/14 09:23:57 | 000,725,178 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2011/02/14 09:23:57 | 000,147,018 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2011/02/14 09:19:02 | 000,000,894 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/14 09:18:56 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/02/14 09:18:42 | 3193,593,856 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/14 09:14:42 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Catherine\Desktop\OTL(3).exe
[2011/02/14 08:40:01 | 000,000,898 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/14 07:39:22 | 000,001,115 | ---- | M] () -- C:\Users\Catherine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/02/14 07:39:19 | 000,000,935 | ---- | M] () -- C:\Users\Catherine\Desktop\NTREGOPT.lnk
[2011/02/14 07:39:19 | 000,000,916 | ---- | M] () -- C:\Users\Catherine\Desktop\ERUNT.lnk
[2011/02/14 07:35:13 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\Catherine\Desktop\erunt-setup.exe
[2011/02/13 20:54:37 | 000,011,096 | ---- | M] () -- C:\Users\Catherine\Documents\zoe speach.docx
[2011/02/13 09:09:07 | 000,110,533 | ---- | M] () -- C:\Users\Catherine\Desktop\snowflake set.jpg
[2011/02/13 09:09:07 | 000,012,397 | ---- | M] () -- C:\Users\Catherine\.recently-used.xbel
[2011/02/13 09:06:25 | 000,029,799 | ---- | M] () -- C:\Users\Catherine\Desktop\snowflake label.jpg
[2011/02/13 02:49:33 | 000,080,384 | ---- | M] () -- C:\Users\Catherine\Desktop\MBRCheck.exe
[2011/02/13 00:31:31 | 004,266,986 | R--- | M] () -- C:\Users\Catherine\Desktop\etavares.exe
[2011/02/13 00:22:49 | 000,024,454 | ---- | M] () -- C:\Users\Catherine\Desktop\eXplorer.exe.htm
[2011/02/11 09:50:42 | 000,167,308 | ---- | M] () -- C:\Users\Catherine\Desktop\lime basket.JPG
[2011/02/11 09:41:00 | 000,646,498 | R--- | M] () -- C:\Users\Catherine\Desktop\lime basket 005.JPG
[2011/02/11 01:29:07 | 000,016,278 | ---- | M] () -- C:\Users\Catherine\Documents\In fqtoxicity.docx
[2011/02/10 03:24:46 | 000,440,488 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
[2011/02/09 09:53:05 | 000,011,095 | ---- | M] () -- C:\Users\Catherine\Documents\saffi pseudomonas letter.docx
[2011/02/08 21:20:47 | 000,001,959 | ---- | M] () -- C:\Users\Public\Desktop\Free Movies & Games.lnk
[2011/02/08 21:20:46 | 000,001,275 | ---- | M] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2011/02/08 21:20:36 | 000,198,848 | ---- | M] (RealNetworks, Inc.) -- C:\windows\SysWow64\rmoc3260.dll
[2011/02/08 21:20:04 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\windows\SysWow64\pndx5016.dll
[2011/02/08 21:20:04 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\windows\SysWow64\pndx5032.dll
[2011/02/08 21:20:03 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\windows\SysWow64\pncrt.dll
[2011/02/08 21:20:00 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\msvcp71.dll
[2011/02/08 21:20:00 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\msvcr71.dll
[2011/02/07 11:34:12 | 000,003,575 | ---- | M] () -- C:\Users\Catherine\Desktop\Attach.zip
[2011/02/07 11:25:12 | 000,000,000 | ---- | M] () -- C:\Users\Catherine\defogger_reenable
[2011/02/06 12:01:00 | 001,951,012 | ---- | M] () -- C:\Users\Catherine\Desktop\Module_01.pdf
[2011/02/06 12:01:00 | 001,480,619 | ---- | M] () -- C:\Users\Catherine\Desktop\Module_02.pdf
[2011/02/06 12:01:00 | 000,733,115 | ---- | M] () -- C:\Users\Catherine\Desktop\PI_Module_7_AU_2010.pdf
[2011/02/06 12:01:00 | 000,704,040 | ---- | M] () -- C:\Users\Catherine\Desktop\Module_04.pdf
[2011/02/06 12:01:00 | 000,592,922 | ---- | M] () -- C:\Users\Catherine\Desktop\PI_Module_6_AU_2010.pdf
[2011/02/06 12:01:00 | 000,498,616 | ---- | M] () -- C:\Users\Catherine\Desktop\Module_03.pdf
[2011/02/04 18:38:01 | 000,001,120 | ---- | M] () -- C:\Users\Public\Desktop\pimpl.exe.lnk
[2011/02/04 18:34:38 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Catherine\Desktop\iexplore.exe
[2011/02/04 18:18:44 | 000,866,350 | ---- | M] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/02/04 18:03:56 | 000,466,201 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Catherine\Desktop\mbam-setup-1.50.1.1100.exe
[2011/02/03 14:33:27 | 000,001,794 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/02/01 17:32:55 | 000,532,206 | ---- | M] () -- C:\Users\Catherine\Desktop\manlymatessmall.jpg
[2011/02/01 17:30:00 | 002,266,852 | ---- | M] () -- C:\Users\Catherine\Desktop\_D3S8954 (1).jpg
[2011/02/01 09:26:11 | 000,106,220 | ---- | M] () -- C:\Users\Catherine\Desktop\t_manly2x1.jpg
[2011/01/29 20:11:21 | 000,012,515 | ---- | M] () -- C:\Users\Catherine\Documents\Manly Mates.docx
[2011/01/27 21:50:07 | 000,001,846 | ---- | M] () -- C:\Users\Catherine\Desktop\Photomatix Pro 4.0.2 (64-bit).lnk
[2011/01/26 17:53:10 | 000,265,088 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\drivers\dxgmms1.sys
[2011/01/26 17:31:20 | 000,144,384 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\cdd.dll

========== Files Created - No Company Name ==========

[2011/02/14 07:39:22 | 000,001,115 | ---- | C] () -- C:\Users\Catherine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/02/14 07:39:19 | 000,000,935 | ---- | C] () -- C:\Users\Catherine\Desktop\NTREGOPT.lnk
[2011/02/14 07:39:19 | 000,000,916 | ---- | C] () -- C:\Users\Catherine\Desktop\ERUNT.lnk
[2011/02/13 21:13:56 | 001,329,345 | ---- | C] () -- C:\Users\Catherine\Documents\nan80_4.zip
[2011/02/13 21:13:56 | 000,023,552 | ---- | C] () -- C:\Users\Catherine\Documents\diet.wps
[2011/02/13 09:09:07 | 000,012,397 | ---- | C] () -- C:\Users\Catherine\.recently-used.xbel
[2011/02/13 09:08:06 | 000,110,533 | ---- | C] () -- C:\Users\Catherine\Desktop\snowflake set.jpg
[2011/02/13 09:05:49 | 000,029,799 | ---- | C] () -- C:\Users\Catherine\Desktop\snowflake label.jpg
[2011/02/13 09:03:16 | 000,914,233 | ---- | C] () -- C:\Users\Catherine\Desktop\Glass Mt Rogers Tenterfield Trip 063.jpg
[2011/02/13 09:03:16 | 000,881,718 | ---- | C] () -- C:\Users\Catherine\Desktop\Glass Mt Rogers Tenterfield Trip 066.jpg
[2011/02/13 09:03:16 | 000,872,833 | ---- | C] () -- C:\Users\Catherine\Desktop\Glass Mt Rogers Tenterfield Trip 064.jpg
[2011/02/13 09:03:16 | 000,789,898 | ---- | C] () -- C:\Users\Catherine\Desktop\Glass Mt Rogers Tenterfield Trip 065.jpg
[2011/02/13 02:49:31 | 000,080,384 | ---- | C] () -- C:\Users\Catherine\Desktop\MBRCheck.exe
[2011/02/13 00:22:45 | 000,024,454 | ---- | C] () -- C:\Users\Catherine\Desktop\eXplorer.exe.htm
[2011/02/12 11:45:54 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
[2011/02/12 11:45:54 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2011/02/12 11:45:54 | 000,089,088 | ---- | C] () -- C:\windows\MBR.exe
[2011/02/12 11:45:54 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2011/02/12 11:45:54 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2011/02/12 11:43:49 | 004,266,986 | R--- | C] () -- C:\Users\Catherine\Desktop\etavares.exe
[2011/02/11 09:50:42 | 000,167,308 | ---- | C] () -- C:\Users\Catherine\Desktop\lime basket.JPG
[2011/02/11 09:41:00 | 000,646,498 | R--- | C] () -- C:\Users\Catherine\Desktop\lime basket 005.JPG
[2011/02/11 01:29:06 | 000,016,278 | ---- | C] () -- C:\Users\Catherine\Documents\In fqtoxicity.docx
[2011/02/11 01:22:46 | 000,011,096 | ---- | C] () -- C:\Users\Catherine\Documents\zoe speach.docx
[2011/02/09 09:53:04 | 000,011,095 | ---- | C] () -- C:\Users\Catherine\Documents\saffi pseudomonas letter.docx
[2011/02/08 21:20:47 | 000,001,959 | ---- | C] () -- C:\Users\Public\Desktop\Free Movies & Games.lnk
[2011/02/08 21:20:46 | 000,001,275 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2011/02/07 11:34:12 | 000,003,575 | ---- | C] () -- C:\Users\Catherine\Desktop\Attach.zip
[2011/02/07 11:25:12 | 000,000,000 | ---- | C] () -- C:\Users\Catherine\defogger_reenable
[2011/02/06 12:01:00 | 001,951,012 | ---- | C] () -- C:\Users\Catherine\Desktop\Module_01.pdf
[2011/02/06 12:01:00 | 001,480,619 | ---- | C] () -- C:\Users\Catherine\Desktop\Module_02.pdf
[2011/02/06 12:01:00 | 000,733,115 | ---- | C] () -- C:\Users\Catherine\Desktop\PI_Module_7_AU_2010.pdf
[2011/02/06 12:01:00 | 000,704,040 | ---- | C] () -- C:\Users\Catherine\Desktop\Module_04.pdf
[2011/02/06 12:01:00 | 000,592,922 | ---- | C] () -- C:\Users\Catherine\Desktop\PI_Module_6_AU_2010.pdf
[2011/02/06 12:01:00 | 000,498,616 | ---- | C] () -- C:\Users\Catherine\Desktop\Module_03.pdf
[2011/02/04 18:38:01 | 000,001,120 | ---- | C] () -- C:\Users\Public\Desktop\pimpl.exe.lnk
[2011/02/03 16:33:13 | 000,002,025 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/02/03 16:33:12 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/02/03 14:33:27 | 000,001,794 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/02/01 17:32:55 | 000,532,206 | ---- | C] () -- C:\Users\Catherine\Desktop\manlymatessmall.jpg
[2011/02/01 17:30:00 | 002,266,852 | ---- | C] () -- C:\Users\Catherine\Desktop\_D3S8954 (1).jpg
[2011/02/01 09:26:08 | 000,106,220 | ---- | C] () -- C:\Users\Catherine\Desktop\t_manly2x1.jpg
[2011/01/29 18:57:23 | 000,012,515 | ---- | C] () -- C:\Users\Catherine\Documents\Manly Mates.docx
[2010/12/16 05:40:44 | 000,866,350 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2010/12/16 05:26:15 | 000,000,000 | ---- | C] () -- C:\windows\NDSTray.INI
[2009/07/14 10:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/14 08:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/04/28 23:37:00 | 000,028,672 | ---- | C] () -- C:\windows\SysWow64\SPCtl.dll

< End of report >


ESET Scan results

C:\Users\Catherine\Documents\HDD 1\avp2-nocd.zip probably a variant of Win32/TrojanDownloader.Agent.MTUOHQJ trojan deleted - quarantined
C:\Users\Cathy B\AppData\Roaming\OpenCandy\OpenCandy_FAFD91576A0A4DF49C4D83B71DD1F8CD\p1v1_PPIRegistryReviver_w.exe a variant of Win32/SlowPCfighter application deleted - quarantined
C:\Users\Cathy B\AppData\Roaming\OpenCandy\OpenCandy_FAFD91576A0A4DF49C4D83B71DD1F8CD\PPIRegistryReviverSetup.exe a variant of Win32/SlowPCfighter application cleaned by deleting - quarantined
F:\CATHYB-PC\Backup Set 2010-12-09 112056\Backup Files 2010-12-09 112056\Backup files 20.zip a variant of Win32/SlowPCfighter application deleted - quarantined

Edited by cathyb9, 14 February 2011 - 01:07 AM.


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 14 February 2011 - 07:18 PM

Hello, cathyb9.

Is the AVP file Kapersky? It looks like it may download files from the internet which many AV's flag. In regards to the registry cleaner, please see the below:

If you want to use it, we can dequarantine.

Nothing in there that's too scary.

How is your computer running at this point? Still the startup check? Anything with Spyware Protection left?


Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case ). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit wont' help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 cathyb9

cathyb9
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 14 February 2011 - 08:11 PM

Hello etavares

I'm not sure what the AVP file is at all. It was one of the files I had salvaged from a couple of old Windows 95 and Windows 2000 computers, so it's not critical.

The computer is running fine now. There is no startup check, and doesn't seem to be anything with Spyware Protection on it.

I'm confused about the registry cleaner though. I don't recall ever downloading a registry cleaner onto this machine. Onto one of the old ones, yes, but not onto this one, and it's possibly still hanging around in those old files.

Thanks again!

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 15 February 2011 - 07:07 PM

Hello, cathyb9.

They appear to be installer files for the registry cleaner, not installed programs. ESET did remove them, though. Might have been leftovers or something. I wouldn't be too concerned about it.

Everything appears clean. Let's clean up.


Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well; please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Next, we need to remove the other tools we have used.
  • Please download OTC by OldTimer and save it to you desktop
  • If that link doesn't work, try this one.
  • Doubleclick the Posted Image icon to start the program.
  • Then, click the big Posted Image button.
  • You will get a prompt saying Begin Cleanup Process. Click Yes.
  • Restart your computer when prompted.



Step 2

We need to purge your system restore so malware is not accidently restored. First, let's create a new restore point.
  • Go to Start and type in SystemPropertiesProtection and run that program.
  • Select the System Protection tab.
  • Press Create.
  • Give the restore point a name and press create.
  • You'll see it work, then say that it was created sucessfully.


Now, we need to remove the old, infected points using DiskCleanup.
  • Click on Start --> My Computer
  • Right-click on C: and select Properties.
  • Click on Disk Cleanup.
  • Double-click Files from all users on this computer.
  • Click on More Options tab and press Clean Up... under System Restore and Shadow Copies.
  • Click OK.
  • You'll get a couple of prompts asking if you're sure you want do to this, select Yes for them.
  • Disk cleanup will remove those restore points and close itself.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program isMalwarebytes Anti-Malware. You can download the free version..

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. You can use Secunia PSI to keep track of necessary updates. It can run in the background and constantly monitor your software; although I just run it once a week manually. It will alert you when an update is available for a variety of software. It is very useful.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares

Edited by etavares, 15 February 2011 - 07:08 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#15 cathyb9

cathyb9
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 16 February 2011 - 05:36 PM

Thank you very much for your help! :thumbsup: You and your fellow workers here are the good guys of the internet.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users