
Files appeared after Run Combofix


  • This topic is locked
49 replies to this topic

#1 Rimma

Rimma

  • Members
  • 31 posts
  • OFFLINE
  • Local time:06:37 PM

Posted 04 February 2011 - 10:52 AM

Hi guys
thank you for your help
My comp - VISTA - was pretty bad lately, like infected with some recording virus, like somebody is writing everything I do here. If I had Docs and Internet open at the same time it would not let me freely navigate between the webpage and my docs, nor between the webpages. I get the message WINDOWS STOPPED WORKING and I have to restart it or close it. And after running ComboFix I still have this problem. My Shift button doesn't work anymore...
So I have run ComboFix and here is the log file I'm posting. But one more thing - I see a lot of strange files have appeared on my Desktop which are impossible to open, and when I've tried to delete them there is a message like ARE YOU SURE YOU WANT TO DELETE THIS SYSTEM FILE? File names like WRL1412.tmp or WRL1540.tmp, and there are 15 files like that. Should I delete them?
Here is the log file:

ComboFix 11-01-31.02 - Home 02/04/2011 9:11.1.2 - x86
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.1013.315 [GMT -5:00]
Running from: c:\users\Home\Desktop\ComboFix.exe1.exe
AV: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
SP: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\Home\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))
.

2011-02-04 14:27 . 2011-02-04 14:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-04 12:53 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{449553FA-24B3-4538-B891-84B5427D8189}\mpengine.dll
2011-02-02 15:56 . 2011-02-02 15:56 -------- d-----w- c:\users\Home\AppData\Local\SupportSoft
2011-02-02 15:54 . 2011-02-02 15:54 -------- d-----w- c:\program files\Common Files\SupportSoft
2011-02-02 15:54 . 2011-02-02 15:54 -------- d-----w- c:\program files\ComcastUI
2011-01-12 20:44 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 20:44 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-01-12 20:44 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-01-12 20:44 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-01-12 20:44 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-01-12 20:44 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-01-12 20:43 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 12:54 . 2010-08-31 14:53 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-12-09 03:14 . 2010-12-09 03:14 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2006-12-29 20:15 . 2007-03-09 19:51 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2006-12-29 20:15 . 2007-03-09 19:51 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2006-12-29 20:15 . 2007-03-09 19:51 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2006-12-29 20:15 . 2007-03-09 19:51 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2007-10-20 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2007-10-20 22:07 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-07-24 5586208]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-07-24 5586208]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Google Update"="c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-12 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"NDSTray.exe"="NDSTray.exe" [BU]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-19 421888]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2006-07-20 151552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-10-27 201384]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-10-27 1655464]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 C7xxUSB;Samsung CMC7xx USB Network Driver;c:\windows\system32\DRIVERS\C7xUSBV3.sys [x]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [2010-12-20 63992]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2010-10-27 41896]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2010-10-27 27304]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2010-12-15 42664]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [2010-10-27 72520]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-10-27 37832]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-10-27 72840]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\F-Secure\Anti-Virus\minifilter\fsvista.sys [2010-10-27 14504]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2008-10-05 20376]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2010-11-30 130728]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2011-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2026281794-1223098738-4249371228-1000Core.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-12 06:33]

2011-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2026281794-1223098738-4249371228-1000UA.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-12 06:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Handler: soloresinternetrusengnum - {1B7043A7-84E1-443a-804F-20A75728892C} - c:\users\Home\Desktop\SOLO9R~1\SoloRes.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-04 09:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-02-04 09:42:13
ComboFix-quarantined-files.txt 2011-02-04 14:42

Pre-Run: 93,313,253,376 bytes free
Post-Run: 93,252,648,960 bytes free

- - End Of File - - 3C3028196B97CE36FCD787AA9BEB00E9

Attached Files

  • Attached File  log.txt   10.21KB   2 downloads




#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:07:37 PM

Posted 07 February 2011 - 04:55 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Best Regards,
oneof4.



#3 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:07:37 PM

Posted 11 February 2011 - 01:11 PM

Do you still need help?

Best Regards,
oneof4.


#4 Rimma

Rimma
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:06:37 PM

Posted 15 February 2011 - 10:13 AM

Here are my OTL reports:

OTL Extras logfile created on: 2/15/2011 10:02:45 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Home\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 220.00 Mb Available Physical Memory | 22.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 38.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.58 Gb Total Space | 86.16 Gb Free Space | 58.38% Space Free | Partition Type: NTFS

Computer Name: HOME-PC | User Name: Home | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0FD05797-5E22-48C1-A37E-02746C5A27B2}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{106145B3-F546-48BE-B3E8-48F2AFA1B214}" = rport=5358 | protocol=6 | dir=out | app=system |
"{143C6A4A-382E-47D9-9348-D2C79745110D}" = lport=5358 | protocol=6 | dir=in | app=system |
"{2C028100-A842-4E07-AAE4-7EE0FF31D99D}" = rport=5357 | protocol=6 | dir=out | app=system |
"{2F03F851-2D1F-4763-8362-CEC50EF2EFC5}" = lport=3702 | protocol=17 | dir=in | app=c:\windows\system32\netproj.exe |
"{61CEB6DA-B239-4D62-B5E2-A05CCF7B8C96}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{724E57CF-67E5-4452-B76D-022269389955}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{83B2257E-9A79-4C2B-BD1B-D9C8BCDCF7DB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A4FE7C1E-3CAE-4337-9710-B6AA2BA9AD9C}" = lport=5357 | protocol=6 | dir=in | app=system |
"{AB179983-F4BD-4A41-AB61-59044CCD8A4F}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{B9BDA7BA-C76C-4EDE-A7D8-E9171141E827}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DD633EAC-56C0-46AA-8067-FEC0BA207253}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{E03794F2-5E22-4DC1-9379-673515B8DF63}" = rport=3702 | protocol=17 | dir=out | app=c:\windows\system32\netproj.exe |
"{F000BD20-BC0A-42A5-BC4F-69B5DB5DF64C}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{19AFF3F7-C40A-4ECD-ADF5-43E29791B3AE}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{23F64201-6FB8-47DB-9ABE-953F8A8B2346}" = protocol=6 | dir=in | app=c:\windows\system32\netproj.exe |
"{2755DF90-79EB-42AD-B777-B8A23A44BFB7}" = protocol=17 | dir=in | app=c:\program files\samsung electronics\mwimax u200\yotaaccess.exe |
"{415C5AB8-1564-4579-B6F5-0F387CA91810}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{5F820C8A-A04E-4661-98AE-7844B4B690F2}" = protocol=17 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{6255C7C8-2DB7-4CCE-B980-AD3987BC5214}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{6D196155-B7C1-4999-A9C4-88ADDCA387BC}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{72270438-04CA-4F72-A81F-085D00A389B4}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{7E4C7D94-BE1B-48A6-A109-63A67DB48ACB}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{822207EB-A847-4A3A-AB07-1B815D80CB64}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{99D58F51-319D-4500-BC7C-DC989F383B75}" = protocol=6 | dir=in | app=c:\program files\samsung electronics\mwimax u200\yotaaccess.exe |
"{A8EA5853-D89A-4497-A277-F8EC05EAD940}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BD6DF13B-D83E-4778-A918-CC415123B669}" = protocol=6 | dir=out | app=c:\windows\system32\netproj.exe |
"{C8799A59-BF56-4FAD-A78E-656F901B0912}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{CE497D38-9CE9-4A1D-BB34-33E77B9FA68A}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{CEBEAE0D-CB1B-4372-9FBC-204D74E03F71}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{D927705F-DFDE-4287-9314-26339755ECB1}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{DB1B9EA2-B76D-441C-96B9-DB7343DAD6B1}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{DBAF5C7D-25E8-479E-83A9-AF8215ABEBF6}" = protocol=6 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"TCP Query User{4188C48A-537E-4837-8CC7-7E580DFD718B}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{58C727F1-7F14-40DB-A16E-F9961B36F71E}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{37C5A56A-00EA-347B-B7A1-5628BED56702}" = Google Talk Plugin
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E5CBADD-2E51-47C1-BBE2-B802DB6DA56A}" = MetaTrader 4.00
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{46A5D1D1-8956-497C-92FB-59C44EFA6214}" = Safari
"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6740F9E3-1353-47DD-9765-BA49FC4C3479}" = Яндекс.Бар 4.2 для Internet Explorer
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{8E770F99-CF23-4BF9-BF4E-E3A2924FEB27}" = Microsoft redistributable runtime DLLs VS2005 SP1(x86)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C0DB380B-97B5-4BB8-AC8D-1835E61439B6}" = Microsoft redistributable runtime DLLs VS2005(x86)
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = TIPCI
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = TOSHIBA Software Modem
"CASHFLOW THE E-GAME" = CASHFLOW THE E-GAME
"CCleaner" = CCleaner (remove only)
"Desktop Dialer" = Desktop Dialer
"Driver Genius Professional Edition 2007_is1" = Driver Genius Professional Edition 2007
"F-Secure Product 303" = F-Secure Anti-Virus 2011
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"InstallShield_{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Internet Offers from Toshiba" = Internet Offers
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Money2007b" = Microsoft Money Essentials
"SAPGUI710" = SAP GUI 7.10
"Solo.9.0.RusNumEng" = Соло на Клавиатуре 9
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Game Console" = TOSHIBA Game Console
"TOSHIBA Media Center Game Console" = TOSHIBA Media Center Game Console
"WinZip Self-Extractor" = WinZip Self-Extractor
"WT015803" = Blackhawk Striker 2

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ActiveTouchMeetingClient" = WebEx
"GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

OTL logfile created on: 2/15/2011 10:02:45 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Home\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 220.00 Mb Available Physical Memory | 22.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 38.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.58 Gb Total Space | 86.16 Gb Free Space | 58.38% Space Free | Partition Type: NTFS

Computer Name: HOME-PC | User Name: Home | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/15 10:01:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Home\Desktop\OTL.exe
PRC - [2011/02/02 11:07:39 | 000,918,184 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
PRC - [2011/02/02 11:07:38 | 000,508,584 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
PRC - [2011/01/05 18:56:02 | 000,372,904 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
PRC - [2010/12/20 07:40:27 | 000,063,992 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
PRC - [2010/10/27 13:31:41 | 000,529,064 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
PRC - [2010/10/27 13:31:24 | 000,221,864 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
PRC - [2010/10/27 13:31:14 | 000,201,384 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Common\FSM32.EXE
PRC - [2010/10/27 13:31:14 | 000,189,096 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Common\FSMA32.EXE
PRC - [2010/10/27 13:31:14 | 000,090,792 | ---- | M] (F-Secure Corporation) -- C:\Program Files\F-Secure\Common\FSHDLL32.EXE
PRC - [2009/09/04 01:14:59 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2009/04/11 01:27:48 | 000,182,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\osk.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/05 08:44:52 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\System32\atashost.exe
PRC - [2008/01/29 16:38:31 | 000,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
PRC - [2008/01/19 02:33:11 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iashost.exe
PRC - [2007/01/05 17:04:10 | 000,554,616 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2006/12/20 02:16:44 | 000,411,768 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2006/12/20 02:15:44 | 000,428,152 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2006/12/15 18:59:04 | 000,530,552 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
PRC - [2006/12/11 20:45:16 | 000,448,632 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SmoothView\SmoothView.exe
PRC - [2006/11/15 01:02:36 | 001,372,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2006/11/15 00:19:42 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
PRC - [2006/11/14 23:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/11/09 13:57:52 | 003,784,704 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2006/11/06 20:14:44 | 000,034,352 | ---- | M] () -- C:\Program Files\Toshiba\Utilities\KeNotify.exe
PRC - [2006/11/01 01:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2006/10/27 16:11:02 | 000,192,512 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2006/09/12 11:03:20 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/07/20 15:54:28 | 000,040,960 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2006/07/20 15:45:00 | 000,151,552 | ---- | M] (TOSHIBA Corporation) -- C:\Toshiba\IVP\ISM\pinger.exe
PRC - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2005/12/16 05:41:28 | 000,188,416 | ---- | M] (Agere Systems) -- C:\Program Files\ltmoh\ltmoh.exe


========== Modules (SafeList) ==========

MOD - [2011/02/15 10:01:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Home\Desktop\OTL.exe
MOD - [2010/10/27 13:32:38 | 000,332,456 | ---- | M] (F-Secure Corporation) -- c:\Program Files\F-Secure\HIPS\fshook32.dll
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2006/11/02 04:46:10 | 000,016,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msswch.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)
SRV - [2011/01/20 08:44:03 | 000,797,184 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2010/12/20 07:40:27 | 000,063,992 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\F-Secure\ORSP Client\fsorsp.exe -- (FSORSPClient)
SRV - [2010/10/27 13:31:41 | 000,529,064 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe -- (FSDFWD)
SRV - [2010/10/27 13:31:24 | 000,221,864 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter)
SRV - [2010/10/27 13:31:14 | 000,189,096 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\F-Secure\Common\FSMA32.EXE -- (FSMA)
SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/04 01:14:59 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/10/05 08:44:52 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) [Auto | Running] -- C:\Windows\System32\atashost.exe -- (atashost)
SRV - [2008/01/29 16:38:31 | 000,583,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/01/05 17:04:10 | 002,918,008 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/01/05 17:04:10 | 000,554,616 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2006/12/20 02:15:44 | 000,428,152 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2006/11/14 23:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/11/01 01:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2006/09/12 11:03:20 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/07/20 15:54:28 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2005/11/14 04:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2010/12/15 07:54:03 | 000,042,664 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\system32\Drivers\fsbts.sys -- (fsbts)
DRV - [2010/11/29 22:01:42 | 000,130,728 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys -- (F-Secure Gatekeeper)
DRV - [2010/10/27 13:32:38 | 000,072,520 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Program Files\F-Secure\HIPS\drivers\fshs.sys -- (F-Secure HIPS)
DRV - [2010/10/27 13:32:20 | 000,037,832 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\fses.sys -- (FSES)
DRV - [2010/10/27 13:31:41 | 000,072,840 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\fsdfw.sys -- (FSFW)
DRV - [2010/10/27 13:31:25 | 000,041,896 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\F-Secure\Anti-Virus\win2k\fsfilter.sys -- (F-Secure Filter)
DRV - [2010/10/27 13:31:25 | 000,027,304 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\F-Secure\Anti-Virus\win2k\fsrec.sys -- (F-Secure Recognizer)
DRV - [2010/10/27 13:31:25 | 000,014,504 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\F-Secure\Anti-Virus\minifilter\fsvista.sys -- (fsvista)
DRV - [2008/02/11 19:36:10 | 002,302,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/02/11 19:36:10 | 002,302,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (ialm)
DRV - [2007/09/26 13:12:22 | 002,251,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2006/11/08 22:09:24 | 001,647,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/11/04 12:35:50 | 000,059,392 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2006/11/02 04:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 04:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 04:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/10/30 12:42:28 | 001,786,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2006/10/27 17:14:22 | 000,179,896 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 14:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/06 01:22:14 | 000,016,768 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/09/27 22:06:56 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/08/31 09:53:00 | 001,161,152 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/07/28 19:25:26 | 000,019,456 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\LPCFilter.sys -- (LPCFilter)
DRV - [2006/07/06 16:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/02/14 13:50:52 | 000,216,320 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2005/09/27 18:57:38 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2005/08/01 19:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKCU\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


[2009/12/06 15:29:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Home\AppData\Roaming\mozilla\Firefox\Profiles\nahd6ha2.default\extensions
[2009/12/06 15:29:54 | 000,000,000 | ---D | M] (Яндекс.Бар) -- C:\Users\Home\AppData\Roaming\mozilla\Firefox\Profiles\nahd6ha2.default\extensions\yasearch@yandex.ru
[2009/12/06 15:29:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Home\AppData\Roaming\mozilla\Firefox\Profiles\nahd6ha2.default\extensions\yasearch@yandex.ru\chrome\skin\extensions-hacks

O1 HOSTS File: ([2011/02/04 09:27:28 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Ask Search Assistant BHO) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Яндекс.Бар) - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files\Yandex\YandexBarIE\yndbar.dll (ООО ЯНДЕКС)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Яндекс.Бар) - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files\Yandex\YandexBarIE\yndbar.dll (ООО ЯНДЕКС)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\F-Secure\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\F-Secure\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
O4 - HKLM..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe ()
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (Agere Systems)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE (TOSHIBA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: RestrictRun = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: RestrictRun = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O18 - Protocol\Handler\saphtmlp {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP AG, Walldorf)
O18 - Protocol\Handler\sapr3 {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP AG, Walldorf)
O18 - Protocol\Handler\soloresinternetrusengnum {1B7043A7-84E1-443a-804F-20A75728892C} - C:\Users\Home\Desktop\SOLO9R~1\SoloRes.dll (ErgoSolo)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - Explorer.exe (Trend Micro Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Home\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Home\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/15 10:01:21 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Home\Desktop\OTL.exe
[2011/02/14 23:14:38 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Home\Desktop\explorer.exe
[2011/02/13 19:15:12 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2011/02/09 09:03:09 | 003,602,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/02/09 09:03:05 | 003,550,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/02/09 09:02:55 | 002,039,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/02/09 09:02:21 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/02/09 09:02:20 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/02/09 09:02:17 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011/02/09 09:02:17 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/02/09 09:02:16 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/02/09 09:02:15 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/02/09 09:02:14 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/02/09 09:02:14 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/02/09 09:02:12 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/02/09 09:02:11 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/02/09 09:02:11 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/02/09 09:02:11 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/02/09 09:02:11 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/02/09 09:02:10 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/02/09 09:02:10 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/02/09 09:02:10 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/02/09 09:02:08 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/02/09 09:01:15 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2011/02/09 09:01:15 | 000,797,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll
[2011/02/09 09:01:14 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/02/09 09:01:13 | 000,979,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MFH264Dec.dll
[2011/02/09 09:01:12 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2011/02/09 09:01:11 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsRasterService.dll
[2011/02/09 09:01:10 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/02/09 09:01:09 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/02/09 09:01:08 | 001,554,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xpsservices.dll
[2011/02/09 09:01:08 | 000,357,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MFHEAACdec.dll
[2011/02/09 09:01:07 | 000,302,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfmp4src.dll
[2011/02/09 09:01:07 | 000,261,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfreadwrite.dll
[2011/02/09 09:01:05 | 000,847,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\OpcServices.dll
[2011/02/09 09:01:05 | 000,478,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxgi.dll
[2011/02/09 09:01:04 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2011/02/09 09:01:02 | 002,873,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mf.dll
[2011/02/09 09:01:01 | 001,029,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll
[2011/02/09 09:01:01 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2011/02/09 09:01:00 | 000,667,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelinesvc.exe
[2011/02/09 09:00:58 | 000,189,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll
[2011/02/09 09:00:57 | 000,486,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2011/02/09 09:00:57 | 000,209,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfplat.dll
[2011/02/09 09:00:45 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2011/02/09 09:00:44 | 000,098,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfps.dll
[2011/02/09 09:00:42 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelineprxy.dll
[2011/02/09 08:53:13 | 000,292,352 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2011/02/09 08:53:09 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2011/02/04 09:42:50 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/02/04 09:07:24 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/02/04 09:00:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/02/04 09:00:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/02/04 09:00:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/02/04 09:00:24 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/02/04 08:59:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/02/02 10:56:32 | 000,000,000 | ---D | C] -- C:\Users\Home\AppData\Local\SupportSoft
[2011/02/02 10:54:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SupportSoft
[2011/02/02 10:54:53 | 000,000,000 | ---D | C] -- C:\Program Files\ComcastUI
[2011/01/28 19:11:47 | 000,000,000 | ---D | C] -- C:\Users\Home\Documents\...2011
[2011/01/27 23:26:52 | 000,000,000 | ---D | C] -- C:\Users\Home\Documents\STUDY
[2007/03/09 14:51:07 | 003,100,672 | ---- | C] (SAP Technology,Inc) -- C:\Program Files\Common Files\sapxlhelper.dll
[2007/03/09 14:51:06 | 000,626,688 | ---- | C] (SAP AG) -- C:\Program Files\Common Files\sapconsaccess.dll
[2007/03/09 14:51:06 | 000,192,512 | ---- | C] (SAP Tech Inc.) -- C:\Program Files\Common Files\sapconsr3.dll
[2007/03/09 14:51:03 | 000,040,960 | ---- | C] (SAP-TECHNOLOGY) -- C:\Program Files\Common Files\DigitalSignature.ocx
[11 C:\Users\Home\Documents\*.tmp files -> C:\Users\Home\Documents\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/15 10:06:03 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2026281794-1223098738-4249371228-1000UA.job
[2011/02/15 10:01:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Home\Desktop\OTL.exe
[2011/02/15 08:37:08 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/15 08:37:08 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/15 08:36:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/02/15 08:36:53 | 1063,378,944 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/14 23:14:45 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Home\Desktop\explorer.exe
[2011/02/13 12:06:20 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2026281794-1223098738-4249371228-1000Core.job
[2011/02/11 17:51:01 | 000,612,282 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/02/11 17:51:00 | 000,107,948 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/02/11 17:41:49 | 000,328,832 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/02/09 10:13:51 | 010,091,339 | ---- | M] () -- C:\Users\Home\Desktop\Teeth jpg090[1].jpg
[2011/02/09 10:06:53 | 011,818,506 | ---- | M] () -- C:\Users\Home\Desktop\Teeth jpg091[1].jpg
[2011/02/05 20:56:28 | 000,002,305 | ---- | M] () -- C:\Users\Home\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2011/02/04 09:27:28 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/02/04 09:04:47 | 004,263,406 | R--- | M] () -- C:\Users\Home\Desktop\ComboFix.exe1.exe
[2011/02/04 08:56:25 | 004,263,406 | R--- | M] () -- C:\Users\Home\Desktop\ComboFix.exe
[2011/02/02 10:56:33 | 000,000,195 | ---- | M] () -- C:\Users\Home\Desktop\Comcast Email.url
[2011/02/02 10:56:33 | 000,000,189 | ---- | M] () -- C:\Users\Home\Desktop\Comcast Security.url
[2011/02/02 10:55:10 | 000,002,154 | ---- | M] () -- C:\Users\Public\Desktop\Comcast Desktop Software.lnk
[2011/01/24 16:53:14 | 000,023,040 | ---- | M] () -- C:\Users\Home\Documents\Christmas trip.xls
[2011/01/20 11:08:16 | 000,478,720 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxgi.dll
[2011/01/20 11:08:06 | 001,029,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll
[2011/01/20 11:08:06 | 000,219,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2011/01/20 11:08:06 | 000,189,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll
[2011/01/20 11:08:06 | 000,160,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2011/01/20 11:07:58 | 000,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2011/01/20 11:06:38 | 002,873,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mf.dll
[2011/01/20 11:06:35 | 000,026,112 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelineprxy.dll
[2011/01/20 11:04:54 | 000,209,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfplat.dll
[2011/01/20 11:04:54 | 000,098,816 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfps.dll
[2011/01/20 09:28:38 | 001,554,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\xpsservices.dll
[2011/01/20 09:27:50 | 000,876,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/01/20 09:26:30 | 000,667,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelinesvc.exe
[2011/01/20 09:25:25 | 000,847,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\OpcServices.dll
[2011/01/20 09:24:32 | 000,288,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/01/20 09:24:26 | 000,135,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\XpsRasterService.dll
[2011/01/20 09:15:10 | 000,979,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MFH264Dec.dll
[2011/01/20 09:14:39 | 000,357,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MFHEAACdec.dll
[2011/01/20 09:14:03 | 000,302,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfmp4src.dll
[2011/01/20 09:14:03 | 000,261,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfreadwrite.dll
[2011/01/20 09:12:46 | 001,172,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2011/01/20 09:11:34 | 000,486,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2011/01/20 08:47:51 | 000,683,008 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2011/01/20 08:44:05 | 001,068,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/01/20 08:44:03 | 000,797,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll
[2011/01/19 12:04:00 | 001,725,015 | ---- | M] () -- C:\Users\Home\Desktop\Moving List[1].pdf
[11 C:\Users\Home\Documents\*.tmp files -> C:\Users\Home\Documents\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/09 10:13:51 | 010,091,339 | ---- | C] () -- C:\Users\Home\Desktop\Teeth jpg090[1].jpg
[2011/02/09 10:06:26 | 011,818,506 | ---- | C] () -- C:\Users\Home\Desktop\Teeth jpg091[1].jpg
[2011/02/04 09:04:17 | 004,263,406 | R--- | C] () -- C:\Users\Home\Desktop\ComboFix.exe1.exe
[2011/02/04 09:00:38 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/02/04 09:00:38 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/02/04 09:00:38 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/02/04 09:00:38 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/02/04 09:00:38 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/02/04 08:56:02 | 004,263,406 | R--- | C] () -- C:\Users\Home\Desktop\ComboFix.exe
[2011/02/02 10:56:33 | 000,000,195 | ---- | C] () -- C:\Users\Home\Desktop\Comcast Email.url
[2011/02/02 10:56:33 | 000,000,189 | ---- | C] () -- C:\Users\Home\Desktop\Comcast Security.url
[2011/02/02 10:55:10 | 000,002,154 | ---- | C] () -- C:\Users\Public\Desktop\Comcast Desktop Software.lnk
[2011/01/24 16:55:43 | 005,440,439 | ---- | C] () -- C:\Users\Home\Documents\Lease Agreement (2).pdf
[2011/01/24 16:54:55 | 000,023,040 | ---- | C] () -- C:\Users\Home\Documents\Christmas trip.xls
[2011/01/24 16:54:31 | 005,440,439 | ---- | C] () -- C:\Users\Home\Documents\Lease Agreement.pdf
[2011/01/24 16:54:31 | 000,026,112 | ---- | C] () -- C:\Users\Home\Documents\Utilities bills.xls
[2011/01/19 12:04:00 | 001,725,015 | ---- | C] () -- C:\Users\Home\Desktop\Moving List[1].pdf
[2010/08/31 09:53:20 | 000,042,664 | ---- | C] () -- C:\Windows\System32\drivers\fsbts.sys
[2010/01/03 04:46:32 | 000,023,580 | ---- | C] () -- C:\Users\Home\AppData\Roaming\UserTile.png
[2009/10/20 00:18:22 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/14 03:16:01 | 000,000,376 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2008/06/14 18:24:18 | 000,000,000 | ---- | C] () -- C:\Users\Home\AppData\Roaming\wklnhst.dat
[2008/03/21 08:48:49 | 000,002,950 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
[2008/02/11 19:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/03/09 14:51:05 | 001,124,864 | ---- | C] () -- C:\Program Files\Common Files\SAPActiveXL_nosig.xlt
[2007/03/09 14:51:04 | 001,129,984 | ---- | C] () -- C:\Program Files\Common Files\SAPActiveXL.xlt
[2007/03/09 14:47:35 | 001,064,960 | ---- | C] () -- C:\Windows\System32\h5krnl32.dll
[2007/03/09 14:47:35 | 000,188,928 | ---- | C] () -- C:\Windows\System32\h5icon32.dll
[2007/03/09 14:47:35 | 000,175,616 | ---- | C] () -- C:\Windows\System32\h5menu32.dll
[2007/03/09 14:47:35 | 000,095,744 | ---- | C] () -- C:\Windows\System32\h5rtf32.dll
[2007/03/09 14:47:35 | 000,051,200 | ---- | C] () -- C:\Windows\System32\h5tool32.dll
[2007/03/09 14:47:26 | 000,015,872 | ---- | C] () -- C:\Windows\System32\vtssm32.dll
[2007/03/03 21:37:36 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/03/03 17:14:17 | 000,034,816 | ---- | C] () -- C:\Users\Home\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/05 18:35:18 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2007/01/05 17:59:02 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2007/01/05 17:59:02 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2007/01/05 17:59:02 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2007/01/05 17:59:02 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2007/01/05 17:59:02 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2007/01/05 17:59:02 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007/01/05 17:35:11 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2007/01/05 17:35:11 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2007/01/05 17:35:11 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2007/01/05 17:35:11 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2006/11/29 01:12:18 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1132.dll
[2006/11/24 10:48:44 | 000,036,864 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/10/31 20:37:00 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/08/10 18:00:52 | 000,094,208 | ---- | C] () -- C:\Windows\System32\TosBtHcrpAPI.dll
[2006/03/09 13:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/11/23 17:55:42 | 000,024,576 | ---- | C] () -- C:\Windows\System32\SPCtl.dll
[2005/07/23 00:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== Files - Unicode (All) ==========
[2011/02/04 23:15:39 | 000,000,000 | ---D | M](C:\Users\Home\Documents\?..???????) -- C:\Users\Home\Documents\Я..яяяяяяя
[2009/04/02 00:24:27 | 000,000,000 | ---D | C](C:\Users\Home\Documents\?..???????) -- C:\Users\Home\Documents\Я..яяяяяяя
[2009/03/28 03:05:24 | 000,000,162 | -H-- | M] ()(C:\Users\Home\Documents\~$?????.doc) -- C:\Users\Home\Documents\~$Книга.doc
[2009/03/28 03:05:24 | 000,000,162 | -H-- | C] ()(C:\Users\Home\Documents\~$?????.doc) -- C:\Users\Home\Documents\~$Книга.doc
[2009/02/16 13:26:01 | 000,024,064 | ---- | M] ()(C:\Users\Home\Documents\???? nwfcu.doc) -- C:\Users\Home\Documents\банк nwfcu.doc
[2009/02/16 13:26:01 | 000,024,064 | ---- | C] ()(C:\Users\Home\Documents\???? nwfcu.doc) -- C:\Users\Home\Documents\банк nwfcu.doc
[2008/10/17 20:13:20 | 000,000,162 | -H-- | M] ()(C:\Users\Home\Documents\~$????.doc) -- C:\Users\Home\Documents\~$Губы.doc
[2008/10/17 20:13:20 | 000,000,162 | -H-- | C] ()(C:\Users\Home\Documents\~$????.doc) -- C:\Users\Home\Documents\~$Губы.doc

< End of report >

#5 Rimma (Topic Starter)

Posted 15 February 2011 - 11:00 AM

This is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:26:25 AM, on 2/15/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Home\Desktop\explorer.exe
C:\Program Files\F-Secure\Common\FSLAUNCHER0.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: ??????.??? - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files\Yandex\YandexBarIE\yndbar.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "C:\Program Files\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\Toshiba\SmoothView\SmoothView.exe"
O4 - HKLM\..\Run: [00TCrdMain] "C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] "C:\Program Files\TOSHIBA\Utilities\KeNotify.exe"
O4 - HKLM\..\Run: [PINGER] "C:\TOSHIBA\IVP\ISM\pinger.exe" /run
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Home\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O18 - Protocol: soloresinternetrusengnum - {1B7043A7-84E1-443A-804F-20A75728892C} - C:\Users\Home\Desktop\SOLO9R~1\SoloRes.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7851 bytes

#6 Rimma (Topic Starter)

Posted 15 February 2011 - 02:34 PM

I really need your help, guys - as soon as possible.
I'm just not sure if it is harmless to run fix-it.
Please help.
Thank you

#7 Rimma (Topic Starter)

Posted 16 February 2011 - 12:20 PM

Do you still need help?


Yes I really need one. Please.
Thank you

#8 Rimma (Topic Starter)

Posted 16 February 2011 - 12:51 PM

One more thing:
when I was running HijackThis, I got the message after I have pushed RUN -

For some reason your system denied a write access to the host file. If any hijacked domains are in this file, HijackThis might not be able to fix it
I have run it as an admin, but it didn't help anyhow.

When I check items to fix it, it does nothing. When I run it again the items I have selected are there.
Please help.

Edited by Rimma, 16 February 2011 - 12:52 PM.


#9 etavares (Bleepin' Remover, Malware Response Team)

Posted 16 February 2011 - 07:00 PM

Hello, Rimma.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!






Registry Cleaner Warning

I also see that you have CCleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning). Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578



Ask Toolbar Warning

I see you have the Ask.com toolbar installed. This often comes bundled with spyware and it is recommended you remove it.

Please see here for more information:
http://www.bleepingcomputer.com/uninstall/94/Ask-Toolbar.html

If you would like to remove it, please go to Add/Remove Programs and uninstall it.

I would also advise you to remove the Yandex.ru toolbar. It is generally listed as "optional" in various databases, although the domain is cleared on SiteAdvisor, so this is optional.



Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 2

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 3

Scan With RKUnHooker


Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



Step 4

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\users\Home\Desktop\SOLO9R~1\SoloRes.dll
C:\Users\Home\Desktop\explorer.exe


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



Step 5


These are likely legitimate, but I want to confirm that you know what these files are. Malware often uses unicode characters (symbols, Chinese characters, Cyrillic, etc.) to hide and appear to be something else.
[2011/02/04 23:15:39 | 000,000,000 | ---D | M](C:\Users\Home\Documents\?..???????) -- C:\Users\Home\Documents\Я..яяяяяяя
[2009/04/02 00:24:27 | 000,000,000 | ---D | C](C:\Users\Home\Documents\?..???????) -- C:\Users\Home\Documents\Я..яяяяяяя
[2009/03/28 03:05:24 | 000,000,162 | -H-- | M] ()(C:\Users\Home\Documents\~$?????.doc) -- C:\Users\Home\Documents\~$Книга.doc
[2009/03/28 03:05:24 | 000,000,162 | -H-- | C] ()(C:\Users\Home\Documents\~$?????.doc) -- C:\Users\Home\Documents\~$Книга.doc
[2009/02/16 13:26:01 | 000,024,064 | ---- | M] ()(C:\Users\Home\Documents\???? nwfcu.doc) -- C:\Users\Home\Documents\банк nwfcu.doc
[2009/02/16 13:26:01 | 000,024,064 | ---- | C] ()(C:\Users\Home\Documents\???? nwfcu.doc) -- C:\Users\Home\Documents\банк nwfcu.doc
[2008/10/17 20:13:20 | 000,000,162 | -H-- | M] ()(C:\Users\Home\Documents\~$????.doc) -- C:\Users\Home\Documents\~$Губы.doc
[2008/10/17 20:13:20 | 000,000,162 | -H-- | C] ()(C:\Users\Home\Documents\~$????.doc) -- C:\Users\Home\Documents\~$Губы.doc



Step 6


Do you edit documents in Word that are saved on your desktop? Those TMP files on your desktop are likely hidden files that are temporary files that contain the auto-saved documents. E.g., when Word crashes, when you open it, it has recovered documents. Those TMP files are those documents. You can safely delete them if you have recovered all your work that you may have lost.



Step 7


At this point, please don't fix anything unless instructed; otherwise we'll work against each other. But, what are you trying to fix in HJT besides the HOSTS file? We'll reset the HOSTS file in a bit.

etavares

Edited by etavares, 16 February 2011 - 07:01 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
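The point in Step 5, that a filename can borrow characters from another script or carry invisible control characters to look like something it is not, can be checked mechanically. The Python script below is an added example written for this page; it is not part of etavares's instructions and not code from OTL or any other tool in the thread. It takes the four Cyrillic names from the OTL listing above (user documents) and two constructed lookalike names that do not appear anywhere on this page, and reports a word that mixes scripts, a bidirectional override, hidden characters, and the difference between the extension a name appears to have and the one Windows will actually use:

```python
import os
import unicodedata

# Bidirectional control characters that make a name display in a different order
# than it is stored (e.g. U+202E RIGHT-TO-LEFT OVERRIDE).
BIDI_CONTROLS = {
    "\u061c", "\u200e", "\u200f",
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}

# Constructed sample set: the first four names are the Cyrillic documents from the
# OTL log in the thread (legitimate user files); the last two are constructed
# lookalikes that are not on the page and exist only to show what a hit looks like.
LOOKALIKE = "\u0435\u0445\u0440l\u043erer.exe"   # Cyrillic е, х, р, о mixed into "explorer"
RLO_NAME = "report\u202ecod.exe"                   # displays as "reportexe.doc", is really .exe
SAMPLE_NAMES = [
    "Я..яяяяяяя",
    "~$Книга.doc",
    "банк nwfcu.doc",
    "~$Губы.doc",
    LOOKALIKE,
    RLO_NAME,
]


def script_of(ch):
    """Script taken from the first word of the Unicode character name
    ("LATIN SMALL LETTER A" -> "LATIN", "CYRILLIC CAPITAL LETTER YA" -> "CYRILLIC")."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def letter_runs(name):
    """Maximal runs of letters, so a Cyrillic stem followed by a Latin extension
    ("Книга.doc") is not counted as mixing scripts inside one word."""
    runs, current = [], []
    for ch in name:
        if unicodedata.category(ch).startswith("L"):
            current.append(ch)
        elif current:
            runs.append("".join(current))
            current = []
    if current:
        runs.append("".join(current))
    return runs


def mixed_script_runs(name):
    """Words that combine letters from more than one script (homoglyph spoofing)."""
    return [run for run in letter_runs(name) if len({script_of(c) for c in run}) > 1]


def strip_controls(name):
    """Drop format (Cf) and control (Cc) characters; this covers the bidi overrides."""
    return "".join(c for c in name if unicodedata.category(c) not in ("Cf", "Cc"))


def real_extension(name):
    """The extension Windows will use: based on stored order, not displayed order."""
    return os.path.splitext(strip_controls(name))[1].lower()


def displayed(name):
    """Approximate rendering of a name with one U+202E override: everything after it
    is drawn right-to-left. Simplified; ignores nesting and neutral-character rules."""
    i = name.find("\u202e")
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def analyze(name):
    hidden = [
        c for c in name
        if unicodedata.category(c) in ("Cf", "Cc", "Co", "Cn")
        or (unicodedata.category(c) == "Zs" and c != " ")
    ]
    mixed = mixed_script_runs(name)
    bidi = any(c in BIDI_CONTROLS for c in name)
    letters = [c for c in name if unicodedata.category(c).startswith("L")]
    return {
        "name": name,
        "scripts": sorted({script_of(c) for c in letters}),
        "mixed_script": mixed,
        "bidi_control": bidi,
        "hidden_chars": ["U+%04X" % ord(c) for c in hidden],
        "real_extension": real_extension(name),
        "displayed_as": displayed(name),
        "suspicious": bool(mixed or bidi or hidden),
    }


def scan(names):
    """Analyses of the names that tripped at least one check."""
    return [r for r in (analyze(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_NAMES):
        print(repr(result["name"]), "shows as", result["displayed_as"], result)
```

Run it over a real folder with `scan(os.listdir(path))`. A hit means "look closer", not "malicious": the four document names from the log come back with `scripts == ["CYRILLIC", "LATIN"]` and trip nothing, because each word is in a single script, while the constructed `explorer` lookalike and the right-to-left-override name are both reported.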
 


#10 Rimma

  • Topic Starter
  • Members
  • 31 posts

Posted 16 February 2011 - 10:21 PM

Hey guys,
thank you for the instruction.
I have done only one step by now, as it took so long to scan for malware.
Here is the log file. Seems like it had not found anything except the previously recommended antivirus system, which we had successfully removed.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6002 Service Pack 2

2/16/2011 9:43:51 PM
mbam-log-2011-02-16 (21-42-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 241818
Time elapsed: 1 hour(s), 29 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Home\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

#11 Rimma

  • Topic Starter
  • Members
  • 31 posts

Posted 16 February 2011 - 10:26 PM

Here is a next log

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: TOSHIBA
BIOS Manufacturer: TOSHIBA
System Manufacturer: TOSHIBA
System Product Name: Satellite A135
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 147):
0x82442000 \SystemRoot\system32\ntoskrnl.exe
0x8240F000 \SystemRoot\system32\hal.dll
0x8640B000 \SystemRoot\system32\kdcom.dll
0x86412000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x86482000 \SystemRoot\system32\PSHED.dll
0x86493000 \SystemRoot\system32\BOOTVID.dll
0x8649B000 \SystemRoot\system32\CLFS.SYS
0x864DC000 \SystemRoot\system32\CI.dll
0x865BC000 \SystemRoot\system32\drivers\uanqmg.sys
0x865CB000 \SystemRoot\system32\drivers\Wdf01000.sys
0x86647000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x86654000 \SystemRoot\system32\drivers\acpi.sys
0x8669A000 \SystemRoot\system32\drivers\WMILIB.SYS
0x866A3000 \SystemRoot\system32\drivers\msisadrv.sys
0x866AB000 \SystemRoot\system32\drivers\pci.sys
0x866D2000 \SystemRoot\system32\DRIVERS\LPCFilter.sys
0x866DC000 \SystemRoot\System32\drivers\partmgr.sys
0x866EB000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x866EE000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x866F8000 \SystemRoot\system32\drivers\volmgr.sys
0x86707000 \SystemRoot\System32\drivers\volmgrx.sys
0x86751000 \SystemRoot\system32\drivers\intelide.sys
0x86758000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x86766000 \SystemRoot\system32\DRIVERS\pcmcia.sys
0x86793000 \SystemRoot\System32\drivers\mountmgr.sys
0x867A3000 \SystemRoot\system32\drivers\atapi.sys
0x867AB000 \SystemRoot\system32\drivers\ataport.SYS
0x867C9000 \SystemRoot\system32\drivers\fltmgr.sys
0x8680A000 \SystemRoot\system32\drivers\fileinfo.sys
0x8681A000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8688B000 \SystemRoot\system32\drivers\ndis.sys
0x86996000 \SystemRoot\system32\drivers\msrpc.sys
0x869C1000 \SystemRoot\system32\drivers\NETIO.SYS
0x869FC000 \SystemRoot\System32\drivers\tcpip.sys
0x86AE6000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x86C03000 \SystemRoot\System32\Drivers\Ntfs.sys
0x86D13000 \SystemRoot\system32\drivers\volsnap.sys
0x86D4C000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
0x86D51000 \SystemRoot\System32\Drivers\spldr.sys
0x86D59000 \SystemRoot\System32\Drivers\mup.sys
0x86D68000 \SystemRoot\system32\Drivers\fsbts.sys
0x86D71000 \SystemRoot\System32\drivers\ecache.sys
0x86D98000 \SystemRoot\system32\drivers\disk.sys
0x86DA9000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x86DCA000 \SystemRoot\system32\drivers\crcdisk.sys
0x86DF3000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x86DFE000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x86E07000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8C401000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8CABC000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8CB5C000 \SystemRoot\System32\drivers\watchdog.sys
0x8CB68000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8CC09000 \SystemRoot\system32\DRIVERS\NETw4v32.sys
0x8CE38000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8CE4B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8CE56000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8CE94000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8CEA3000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8CEB3000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8CEC1000 \SystemRoot\system32\drivers\tifm21.sys
0x8CEEF000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8CF09000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8CF0D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8CF20000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8CF2B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8CF56000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8CF58000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8CF63000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
0x8CF67000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8CF7F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0x8CF85000 \SystemRoot\system32\DRIVERS\serscan.sys
0x8CF8D000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8CFBC000 \SystemRoot\system32\DRIVERS\storport.sys
0x8CBF5000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x86E16000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x86E2D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x86E38000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x86E5B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x86E6A000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x86E7E000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x86E93000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8CFFD000 \SystemRoot\system32\DRIVERS\swenum.sys
0x86EA3000 \SystemRoot\system32\DRIVERS\ks.sys
0x86ECD000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x86ED7000 \SystemRoot\system32\DRIVERS\umbus.sys
0x86EE4000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x86F19000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8E403000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8E594000 \SystemRoot\system32\drivers\portcls.sys
0x8E5C1000 \SystemRoot\system32\drivers\drmk.sys
0x8E5E6000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x8E702000 \SystemRoot\system32\drivers\modem.sys
0x8E70F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8E718000 \SystemRoot\System32\Drivers\Null.SYS
0x8E71F000 \SystemRoot\System32\Drivers\Beep.SYS
0x8E72F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8E736000 \SystemRoot\System32\drivers\vga.sys
0x8E742000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8E763000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8E76B000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8E773000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8E77E000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8E78C000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8E795000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8E7AB000 \SystemRoot\system32\DRIVERS\smb.sys
0x86F2A000 \SystemRoot\system32\drivers\afd.sys
0x8E7BF000 \SystemRoot\System32\DRIVERS\netbt.sys
0x86F72000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8E7F1000 \SystemRoot\system32\DRIVERS\netbios.sys
0x86F88000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x86FAB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x86FE7000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8E726000 \??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsvista.sys
0x86F9B000 \SystemRoot\System32\drivers\fsdfw.sys
0x8CC00000 \SystemRoot\System32\drivers\fses.sys
0x86B01000 \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys
0x86B11000 \SystemRoot\System32\Drivers\dfsc.sys
0x86FF1000 \SystemRoot\System32\Drivers\crashdmp.sys
0x86DD3000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x86DDE000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x96890000 \SystemRoot\System32\win32k.sys
0x86DE6000 \SystemRoot\System32\drivers\Dxapi.sys
0x86B28000 \SystemRoot\system32\DRIVERS\monitor.sys
0x96AB0000 \SystemRoot\System32\TSDDD.dll
0x96AD0000 \SystemRoot\System32\cdd.dll
0x86B37000 \SystemRoot\system32\drivers\luafv.sys
0xA900F000 \SystemRoot\system32\drivers\spsys.sys
0xA90BF000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xA90CF000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xA90F9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9103000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA9116000 \SystemRoot\system32\drivers\HTTP.sys
0xA9183000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA91A0000 \SystemRoot\system32\DRIVERS\bowser.sys
0xA91B9000 \SystemRoot\System32\drivers\mpsdrv.sys
0xA91CE000 \SystemRoot\system32\drivers\mrxdav.sys
0xA91EF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA920E000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA9247000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA925F000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA9287000 \SystemRoot\System32\DRIVERS\srv.sys
0xA92D5000 \SystemRoot\system32\drivers\peauth.sys
0xA93B3000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA93BD000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA93C9000 \??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys
0x86B5A000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77D00000 \Windows\System32\ntdll.dll

Processes (total 77):
0 System Idle Process
4 System
496 C:\Windows\System32\smss.exe
636 csrss.exe
680 C:\Windows\System32\wininit.exe
692 csrss.exe
724 C:\Windows\System32\services.exe
736 C:\Windows\System32\lsass.exe
744 C:\Windows\System32\lsm.exe
824 C:\Windows\System32\winlogon.exe
928 C:\Windows\System32\svchost.exe
992 C:\Windows\System32\svchost.exe
1032 C:\Windows\System32\svchost.exe
1124 C:\Windows\System32\svchost.exe
1152 C:\Windows\System32\svchost.exe
1176 C:\Windows\System32\svchost.exe
1296 C:\Windows\System32\audiodg.exe
1320 C:\Windows\System32\svchost.exe
1336 C:\Windows\System32\SLsvc.exe
1364 C:\Windows\System32\svchost.exe
1548 C:\Windows\System32\svchost.exe
1716 C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
1912 C:\Windows\System32\dwm.exe
520 C:\Windows\System32\spoolsv.exe
616 C:\Windows\System32\svchost.exe
672 C:\Windows\System32\taskeng.exe
1784 C:\Windows\System32\agrsmsvc.exe
1948 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1772 C:\Windows\System32\atashost.exe
1848 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
1856 C:\Program Files\Bonjour\mDNSResponder.exe
1516 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
1988 C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
1344 C:\Program Files\F-Secure\Common\FSMA32.EXE
1408 C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
2060 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
2076 C:\Program Files\F-Secure\Common\FSHDLL32.EXE
2236 C:\Windows\System32\svchost.exe
2264 C:\Windows\System32\svchost.exe
2284 C:\Toshiba\IVP\swupdate\swupdtmr.exe
2320 C:\Windows\System32\TODDSrv.exe
2356 C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
2452 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
2472 C:\Windows\System32\UI0Detect.exe
2492 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2520 C:\Windows\System32\svchost.exe
2556 C:\Windows\System32\SearchIndexer.exe
2956 iashost.exe
2984 C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
3000 C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
3080 C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
3656 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
4032 C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
3208 C:\Program Files\Toshiba\Utilities\KeNotify.exe
3524 C:\Toshiba\IVP\ISM\pinger.exe
3580 C:\Windows\System32\wbem\unsecapp.exe
3604 C:\Program Files\iTunes\iTunesHelper.exe
1576 C:\Program Files\F-Secure\Common\FSM32.EXE
2972 WmiPrvSE.exe
3732 C:\Windows\System32\hkcmd.exe
3880 C:\Windows\System32\igfxpers.exe
4016 C:\Windows\System32\igfxsrvc.exe
3800 C:\Windows\System32\mobsync.exe
3568 C:\Windows\System32\svchost.exe
2312 C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
3184 C:\Program Files\iPod\bin\iPodService.exe
2252 C:\Program Files\Windows Media Player\wmpnscfg.exe
2716 C:\Program Files\Windows Media Player\wmpnetwk.exe
3552 C:\Program Files\Internet Explorer\iexplore.exe
2804 C:\Program Files\Internet Explorer\iexplore.exe
5364 C:\Windows\System32\Macromed\Flash\FlashUtil10b.exe
1404 C:\Users\Home\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
2668 C:\Program Files\Internet Explorer\iexplore.exe
3336 C:\Windows\explorer.exe
3364 C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4PAPATE8\MBRCheck[1].exe
4476 C:\Windows\System32\osk.exe
4888 C:\Windows\System32\conime.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS541616J9SA00, Rev: SB4OC7DP

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: BBAD517F7EAC529451E4B9586C847AE190574F61


Done!
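The last lines of the MBRCheck report come from hashing the executable boot code in the first sector of the disk and comparing it with known Windows MBRs; that is how the tool arrives at "Windows 2008 MBR code detected" and the SHA1 shown above. The Python below is an added example for this page, not MBRCheck's own code. It builds a constructed 512-byte MBR (the bytes are not the ones from this disk), parses the partition table, hashes the 440 bytes of boot code the same way, and runs the structural checks a bootkit tends to break. The single partition entry is constructed so that its start LBA reproduces the `\\.\C: ... at offset 0x5dd00000` line from the log (0x5DD00000 / 512 = 0x2EE800); the disk signature and the known-good hash table are placeholders you would replace with values taken from a clean install of the same Windows version.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440        # bytes 0..439: executable boot code (the region MBRCheck hashes)
PART_TABLE_OFF = 446      # four 16-byte partition entries follow the disk signature
NTFS = 0x07


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()


def build_sample_mbr():
    """Constructed 512-byte MBR for illustration (not the bytes from the posted log).
    Boot code: the xor ax,ax / mov ss,ax / mov sp,7C00h prologue the Windows MBR
    starts with, zero-padded; one active NTFS partition whose first LBA matches the
    C: offset in the MBRCheck output (0x5DD00000 / 512 = 0x2EE800)."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_LEN, b"\x00")
    disk_signature = struct.pack("<I", 0x1A2B3C4D)   # constructed NT disk signature
    entry = struct.pack("<B3sB3sII",
                        0x80,             # status: active / bootable
                        b"\xfe\xff\xff",  # CHS start (unused on LBA-addressed disks)
                        NTFS,             # partition type
                        b"\xfe\xff\xff",  # CHS end
                        0x2EE800,         # first LBA
                        300_000_000)      # sector count (constructed, about 143 GiB)
    table = entry + b"\x00" * 48          # remaining three entries empty
    mbr = boot_code + disk_signature + b"\x00\x00" + table + b"\x55\xaa"
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(sector):
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,  # the value MBRCheck prints as "at offset"
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "bootcode_sha1": sha1_hex(sector[:BOOTCODE_LEN]),
        "partitions": partitions,
    }


def identify(report, known_good):
    """Look the boot-code hash up in a dict of hashes you trust. A miss is not proof
    of a bootkit, only a reason to diff the code bytes against a clean MBR."""
    return known_good.get(report["bootcode_sha1"], "unknown boot code")


def sanity_checks(report):
    """Structural checks a bootkit often violates; returns the list of failures."""
    failures = []
    if not report["signature_ok"]:
        failures.append("missing 0x55AA boot signature")
    bootable = [p for p in report["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        failures.append("expected exactly one active partition, found %d" % len(bootable))
    elif bootable[0]["type"] != NTFS:
        failures.append("active partition type 0x%02X is not NTFS" % bootable[0]["type"])
    return failures


if __name__ == "__main__":
    report = parse_mbr(build_sample_mbr())
    print(report["bootcode_sha1"], identify(report, {}), sanity_checks(report))
```

On a live Windows system the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` in an elevated prompt instead of `build_sample_mbr()`. Note what the hash does and does not cover: it spans only the 440 code bytes, so a changed partition table or disk signature will not change it, which is why the structural checks are run separately.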

#12 Rimma

  • Topic Starter
  • Members
  • 31 posts

Posted 16 February 2011 - 10:32 PM

another report - step 3

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x826CAC1C-->86B03014 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x825A63A6-->86B03340 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtMapViewOfSection, Type: Address change 0x8264BD29-->86B02D3C [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtOpenSection, Type: Address change 0x826655DA-->86B03776 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtRenameKey, Type: Address change 0x8268D469-->86B04A0E [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtSetSystemInformation, Type: Address change 0x825F6340-->86B035C8 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x826CC4F7-->86B02BBE [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtSuspendThread, Type: Address change 0x826838D6-->86B03048 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtSystemDebugControl, Type: Address change 0x825E5917-->86B031C8 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x8265B4DF-->86B02B1A [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x8260A3FD-->86B02C76 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x826406A2-->86B0310E [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtCreateThreadEx, Type: Address change 0x82609DF6-->86B0302E [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
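Each line of the RkU report names a native API whose service-table entry no longer points into ntoskrnl.exe, and every one of them here resolves to F-Secure's HIPS driver fshs.sys, which is why these hooks are not treated as a finding in the thread. Reading such a log comes down to two questions: can every hooking module be attributed to a product you know is installed, and does any module hook the directory, process and registry enumeration calls a rootkit uses to hide? The Python below is an added example for this page, not RkU's code. Its sample input is five of the F-Secure lines from the report above plus two constructed lines attributed to a fictional `constructed_unknown.sys`, which does not exist on this system and is there only to show what an unattributed hook looks like. The trusted path prefix and the list of hiding-capable functions are editorial baselines, not from the page.

```python
import re
from collections import OrderedDict

HOOK_RE = re.compile(
    r"^(?P<image>[\w.]+)-->(?P<func>\w+), Type: (?P<kind>.*?) "
    r"0x(?P<orig>[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)

# A HIPS/AV hooking process, thread, memory and driver-load calls is expected
# self-protection. Hooks on the enumeration calls below are what a rootkit needs
# to hide files, processes and registry keys. Editorial baseline, not from the page.
HIDING_CAPABLE = {
    "NtQueryDirectoryFile", "NtQuerySystemInformation", "NtEnumerateKey",
    "NtEnumerateValueKey", "NtQueryKey", "NtOpenProcess", "NtDeviceIoControlFile",
}

# Lower-case path prefixes of modules whose hooks are already accounted for.
TRUSTED_HOOKERS = ("c:\\program files\\f-secure\\",)

# Constructed sample: five F-Secure lines from the RkU report in the thread plus two
# constructed lines from a fictional driver (constructed_unknown.sys is not on the page).
SAMPLE_RKU_LOG = r"""
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x826CAC1C-->86B03014 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x825A63A6-->86B03340 [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x826CC4F7-->86B02BBE [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x8265B4DF-->86B02B1A [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x826406A2-->86B0310E [C:\Program Files\F-Secure\HIPS\drivers\fshs.sys]
ntoskrnl.exe-->NtQueryDirectoryFile, Type: Address change 0x82660000-->8A001000 [C:\Windows\System32\drivers\constructed_unknown.sys]
ntoskrnl.exe-->NtQuerySystemInformation, Type: Address change 0x82661000-->8A001200 [C:\Windows\System32\drivers\constructed_unknown.sys]
"""


def parse_hooks(lines):
    """One dict per hook line: image, func, kind, orig, new, module."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def is_trusted(module):
    return module.lower().startswith(TRUSTED_HOOKERS)   # startswith accepts a tuple


def summarize(hooks):
    """Group hooks by the module that owns the new address and annotate each module
    with whether it is trusted and which hiding-capable calls it intercepts."""
    by_module = OrderedDict()
    for h in hooks:
        entry = by_module.setdefault(
            h["module"],
            {"trusted": is_trusted(h["module"]), "functions": [], "hiding_capable": []},
        )
        entry["functions"].append(h["func"])
        if h["func"] in HIDING_CAPABLE:
            entry["hiding_capable"].append(h["func"])
    return by_module


def untrusted_modules(summary):
    """Modules hooking the kernel that nothing in the trust list explains."""
    return [m for m, info in summary.items() if not info["trusted"]]


if __name__ == "__main__":
    summary = summarize(parse_hooks(SAMPLE_RKU_LOG.splitlines()))
    for module, info in summary.items():
        print(module, "trusted" if info["trusted"] else "UNTRUSTED",
              len(info["functions"]), "hooks, hiding-capable:", info["hiding_capable"])
```

Against the real report above, `untrusted_modules` returns an empty list once F-Secure is in the trust list, which is the same conclusion the thread reaches by eye; the constructed driver shows the case that would warrant looking the module up.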

#13 Rimma

  • Topic Starter
  • Members
  • 31 posts

Posted 16 February 2011 - 10:55 PM

Step 4 I didn't understand.
explorer.exe has been removed before with Malwarebytes.

I have scanned Solo - found nothing by Jotti. I have had this on my desktop for maybe 2 years, but the problems appeared recently and are getting worse.

Step 5 - these are my documents, I have created them by myself, and they are all right, in spite of the Cyrillic.

Step 6 - Word docs on Desktop... yes, I had some to have them handy... but because I have this powerful spyware those docs have transformed; here is the Jotti scan result of one of them

~$CM ConfigGuide_EN_DE.doc
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Thu 17 Feb 2011 04:51:49 (CET) Permalink

Found nothing.

#14 Rimma

  • Topic Starter
  • Members
  • 31 posts

Posted 16 February 2011 - 10:59 PM

Seems like I have done everything you have asked for, but things don't get better.
I know I have a virus/spyware. I remember the moment I got it.

My F-SECURE popped up with a quick message like
YOU GOT A VIRUS BUT WE DON'T KNOW WHAT IT IS.

Since then things are getting worse. I need my life back.

THANK YOU FOR YOUR HELP, GUYS

#15 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 19 February 2011 - 11:21 AM

Hello, Rimma.

First, sorry for the delay. For some reason, this wasn't showing in my subscribed topics. I have re-subscribed.





Step 1



C:\Users\Home\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.


MBAM did not remove that file. If it did, it would have said deleted/quarantined. Do you know what the file is?





Step 2


Next time you get a pop-up from F-Secure, please write down exactly what it tells you and post it here.



Step 3



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
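In Step 1 etavares asks what `C:\Users\Home\Desktop\explorer.exe` is. The real explorer.exe runs from C:\Windows (PID 3336 in the MBRCheck process list in post #11), and a core Windows binary name sitting in a user-writable folder is exactly the kind of check worth automating rather than eyeballing in a 77-line process list. The Python below is an added example for this page, not one of the tools used in the thread. It parses lines in MBRCheck's `Processes` format, flags a core binary running outside its expected directory, and flags any executable running from a user-writable path. The sample lines are taken from the log in post #11 plus one constructed line (PID 9999) for a running copy of the Desktop explorer.exe; no such process appears in the posted log, and the directory baseline is editorial.

```python
import ntpath
import re
from dataclasses import dataclass

# Core Windows binaries and the directory each legitimately runs from on a 32-bit
# Vista install. Editorial baseline for this example, not taken from the thread.
SYSTEM_BINARIES = {
    "explorer.exe": {r"c:\windows"},
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "taskeng.exe": {r"c:\windows\system32"},
}

# Directory fragments an ordinary user can write to. Anything executing from one of
# these deserves a look even when the name is unfamiliar.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\desktop\\", "\\downloads\\", "\\documents\\")

PROCESS_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")

# Constructed sample in MBRCheck's "Processes" format: lines from the log in the
# thread plus one constructed line (PID 9999) for a running copy of the Desktop
# explorer.exe that Malwarebytes flagged. No such process is in the posted log.
SAMPLE_PROCESS_LOG = r"""
Processes (total 9):
0 System Idle Process
4 System
496 C:\Windows\System32\smss.exe
636 csrss.exe
928 C:\Windows\System32\svchost.exe
3336 C:\Windows\explorer.exe
1404 C:\Users\Home\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
3364 C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4PAPATE8\MBRCheck[1].exe
9999 C:\Users\Home\Desktop\explorer.exe
"""


@dataclass
class Finding:
    pid: int
    image: str
    severity: str   # "high", "medium" or "info"
    reason: str


def parse_processes(lines):
    """(pid, image) pairs from lines like '3336 C:\\Windows\\explorer.exe'. MBRCheck
    prints protected processes (csrss.exe, WmiPrvSE.exe) by name only, without a path."""
    procs = []
    for line in lines:
        m = PROCESS_RE.match(line)
        if m:
            procs.append((int(m.group(1)), m.group(2)))
    return procs


def check_process(pid, image):
    findings = []
    has_path = "\\" in image
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    expected = SYSTEM_BINARIES.get(name)
    if expected is not None:
        if not has_path:
            findings.append(Finding(pid, image, "info",
                                    "core binary reported without a path; confirm with another tool"))
        elif directory not in expected:
            findings.append(Finding(pid, image, "high",
                                    "%s runs from %s, expected %s" % (name, directory, ", ".join(sorted(expected)))))
    if has_path and any(marker in directory + "\\" for marker in USER_WRITABLE):
        findings.append(Finding(pid, image, "medium", "executable running from a user-writable location"))
    return findings


def audit(lines):
    findings = []
    for pid, image in parse_processes(lines):
        findings.extend(check_process(pid, image))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PROCESS_LOG.splitlines()):
        print(f.severity.upper(), f.pid, f.image, "-", f.reason)
```

The two real user-profile entries (Google Talk plugin and the MBRCheck download itself) come back as medium and are expected here; only the constructed Desktop copy of explorer.exe rates high, because a core binary name outside its home directory is the signal the Malwarebytes heuristic in post #10 was reacting to. A path-only check cannot tell a renamed malicious file from a harmless misplaced copy, which is why etavares still asks what the file is rather than deleting it outright.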
 




